In a recent benchmarking survey on third party risk management, 72% of respondents said they “cannot produce a complete report of all of their third parties quickly and easily.”
- Tracking basic corporate information about the vendor.
- Knowing your contractual obligations so they can be managed.
- Understanding the risks to which you are exposed so they, too, can be managed and mitigated.
Here are some additional details on each.
1. Corporate Information
The foundation of your profile starts with capturing basic information about the vendor itself. This provides visibility into the organization as well as the people with whom you’ll be working. At a minimum, your basic vendor profile should include:
- Legal name
- DBA (doing business as) name
- Contact information (account manager, billing, help desk)
- Ownership structure
- Date of business formation
- Tax ID number
- DUNS number
- Special classifications (i.e. small, minority, woman or veteran owned)
2. Contract Information
Can you quickly and easily see all of the contractual obligations, terms and conditions you have with your third parties? Most organizations can’t. And that’s not good.
Contractual obligations are serious ones. They obligate you and your third parties to a variety of financial and legal requirements. At a minimum, your profile should incorporate the following contractual information:
- Contract owner
- Type of agreement (master services agreement, statement of work, addendum, etc.)
- Brief description of the contract
- Start and end dates
- Auto renewal provisions
- Termination requirements
- Notification dates for termination
- Service level agreements
3. The Third Party Risk the Vendor Presents
The third component of a complete vendor profile is the identification of the key risks presented by the relationship. Each third party presents a different level of risk in areas such as reputation, operations, transactions and information security. Identifying the risk associated with each vendor by conducting a risk assessment will provide visibility into the appropriate level of due diligence and oversight you need to maintain.
Some of the big risks you want to evaluate and capture as part of your vendor profile include:
- Does the third party collect, store and/or process confidential or sensitive data (e.g. nonpublic information)?
- Will they be using subcontractors or other suppliers/service providers (i.e. fourth parties) in their delivery of services to you?
- Are they on any excluded parties or sanctions lists?
- Are any key executives on politically exposed persons (PEP) lists?
- Is there any pending litigation or bankruptcy that could impact the health of their organization?