We often hear terms like “supplier”, “provider”, “vendor” or “third-party” used interchangeably, as if they were all the same. And while they’re all external entities that have a relationship with an organization, we like to focus on third-parties. We believe this concept is much more powerful than it seems, and here’s why.
All vendors, suppliers and providers are third-parties, but not vice versa
Third-party is the broadest concept. It includes vendors, suppliers and providers: basically, any person or entity that provides goods and services to other entities. They can operate under business-to-business (B2B), business-to-customer (B2C) and business-to-government (B2G) business models.
Examples of vendors, suppliers and providers include:
- A law firm
- An outsourced software development company
- A company that sells office equipment
- A finance consultant who advises about mergers and acquisitions
- A research center
What all these have in common is that the transaction is quite clear, as there’s always a product or service being offered – in most cases, in exchange for a fee. Also, this relationship usually involves a direct contract. An organization can (and should) include language that requires the vendor/supplier/provider to meet certain requirements around information security, business continuity, service level agreements (SLAs), etc.
In this way, an organization can control and manage the risk posed by the external entity. But what happens when the organization has a relationship with another external entity that doesn’t necessarily provide a product or service?
Examples of “other” third-parties include:
- A nonprofit that receives donations or is a partner in some way
- Companies that provide products and services to consumers on behalf of an organization (marketing agencies, debt collectors, business partners)
- A government regulatory agency
- A counterparty in a joint venture
A broader understanding for a broader protection
Once it’s clear that every relationship an organization might engage in falls under the umbrella of the “third-party”, the need for a Third-Party Risk Management (TPRM) strategy becomes more important than ever. It means using a broader approach to risk assessments and management across the organization and across its relationships.
While this might also be referred to as Vendor Risk Management (VRM) or Supplier Relationship Management (SRM), we believe Third-Party Risk Management (TPRM) is the way to go for modern businesses.
Outsourcing provides strategic advantages such as cost savings, quick expansion and external expertise, but it also introduces third-party risk and fourth-party risk. Therefore, a holistic view of third-party risk management is the necessary approach.
This not only means building the TPRM program and assessing the risk that arises from outsourcing, but also performing continuous risk monitoring. And, most importantly, realizing every business relationship is a third-party relationship.