Third-Party Risk Management:

How to protect your organisation against external risks

Imagine: a major supplier to your company suffers a data breach. Customer data is leaked, the media pounces on the news, and your organisation’s reputation is at stake. Scenarios like this happen more often than you might think. External parties offer enormous opportunities, but they also bring risks.

From IT service providers and SaaS suppliers to logistics partners and raw material suppliers: every collaboration can entail risks, such as cyber attacks, data breaches, negative impact on people or the environment, legal violations, service interruptions, financial instability or reputational damage. In a world where organisations are becoming increasingly dependent on third parties, the importance of insight, control and a structural approach is growing. This is where Third-Party Risk Management (TPRM) comes in.

What is TPRM?

TPRM is the process by which organisations identify, assess, manage and continuously monitor the risks posed by external parties. A well-designed TPRM framework helps prevent unexpected disruptions, ensures compliance with laws and regulations, and strengthens trust – both internally and externally.

Why TPRM is indispensable

The risks of third parties are your risks. A single weak link can seriously affect the continuity, security or reputation of your organisation. At the same time, insight into the chain offers opportunities for innovation and improved collaboration.

A well-thought-out TPRM approach ensures:

  • Insight into and control over supplier risks
  • Protection of data and systems
  • Compliance monitoring and adherence to relevant cybersecurity and privacy legislation, sustainability standards, protection of people and the environment, ISO standards, financial regulations and industry standards
  • Business continuity through timely control of vulnerabilities
  • New opportunities for innovation or expansion through suppliers
  • Financial protection by limiting fines or damage claims

The most important TPRM risks

Effectively managing third-party risks starts with understanding what can go wrong. Below are the main risks, with explanations and examples:

  1. Cybersecurity & Data Privacy: threat of data breaches, cyber attacks and unauthorised access to systems and data by third parties. Vulnerabilities arise mainly when exchanging sensitive data or when using shared systems. For example: an external IT service provider gains access to customer data and is hacked.
  2. Compliance & Regulation: suppliers may violate laws and regulations, such as GDPR, DORA, NIS2 or sectoral guidelines. Such violations have direct consequences for the client, such as fines or sanctions.
  3. ESG risks: violations of environmental regulations or human rights, (air) pollution, damage to biodiversity, deforestation or poor governance by third parties can lead to serious damage to people and the environment, legal claims, market exclusion or loss of image. For example: a supplier causes environmental pollution that puts your organisation in the news.
  4. Operational continuity: disruptions at suppliers, such as system failures or breakdowns in logistics chains or essential processes, can lead to downtime, delays or discontinuity in your own services. For example: a logistics partner is facing a strike, causing delays in deliveries.
  5. Financial stability: suppliers who are financially vulnerable increase the risk of bankruptcy, default or unexpected price increases, which could result in damage to the client.
  6. Reputational risk: incidents or missteps by third parties can directly damage your reputation. Think of environmental scandals, ethical conflicts or negative media coverage that affects your organisation.
  7. Supply chain dependency & concentration risk: dependency on a single supplier or region can cause vulnerability in the event of disruptions. Opaque supply chains increase risks due to a lack of visibility of subcontractors.

The six building blocks of an effective TPRM approach

A mature TPRM approach is more than a checklist. It is a cyclical process, from intake to controlled offboarding. Here are the six key steps:

  1. Strategic intake: determine your risk landscape

You start with an overview. Which external parties do you work with? What exactly do they deliver? And how critical are they to your business operations?

Standard practices:

  • Make an inventory of all current suppliers (IT, HR, operations, etc.) and partners in the supply chain;
  • Use Inherent Risk Questionnaires (IRQs) to classify suppliers based on business impact, dependency and data access;
  • The outcome determines each supplier’s risk tier, and the tier determines how much scrutiny low, medium and high-risk vendors receive in the steps that follow.

  2. Risk assessment: identify vulnerabilities

Assess the potential risks for each supplier in terms of security, compliance, stability and reputational damage.

Standard practices:

  • Use the results of the IRQ and risk tiering: high risks receive more in-depth assessments.
  • Request statements, certifications and ratings:
    • ISAE-3000/3402 statement;
    • ISO 9001/14001/27001/42001 certification;
    • Rainforest Alliance or FairTrade certifications;
    • EcoVadis or BitSight rating;
  • For other risks that are not or insufficiently covered by statements or certifications, questionnaires are sent to the supplier based on known (industry or sector) standards:
    • ISO 27001 (information security);
    • NIST SP 800-53 (cybersecurity);
    • GDPR (privacy);
    • GRI, SDG, UN Global Compact (sustainability);
    • CDP (environment);
    • DORA, PCI-DSS (financial).
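The intake classification (IRQ and risk tiering) and the tier-dependent assessment depth described in steps 1 and 2, as an added example that is not Goal 17’s own method or tooling: a constructed IRQ scoring scheme in Python whose answer options, weights, tier thresholds and evidence lists are all assumptions for a fictional organisation.

```python
from dataclasses import dataclass

# Added example, not Goal 17's method: a constructed scoring scheme for an
# Inherent Risk Questionnaire (IRQ). Answer options, weights and tier
# thresholds are illustrative assumptions for a fictional organisation.
DATA_ACCESS = {"none": 0, "internal": 1, "confidential": 2,
               "personal": 3, "special_category": 4}   # most sensitive data handled
BUSINESS_IMPACT = {"low": 0, "medium": 2, "high": 4}  # impact on us if the supplier fails
DEPENDENCY = {"easily_replaced": 0, "months_to_replace": 2, "single_source": 4}
SYSTEM_ACCESS = {"none": 0, "read_only": 1, "privileged": 3}  # access to our systems

# Evidence requested per tier: higher tiers get statements, certificates and
# standards-based questionnaires; the low tier a lighter self-assessment.
EVIDENCE = {
    "low": ["self-assessment questionnaire"],
    "medium": ["ISO 27001 certificate or ISAE 3402 statement",
               "DPA if personal data is processed"],
    "high": ["ISAE 3402 statement", "ISO 27001 certificate",
             "NIST SP 800-53 based questionnaire", "right-to-audit clause",
             "annual reassessment"],
}

@dataclass(frozen=True)
class IrqAnswers:
    data_access: str
    business_impact: str
    dependency: str
    system_access: str

def inherent_risk_score(a: IrqAnswers) -> int:
    # Sum of the weighted answers; an answer outside the scheme raises KeyError.
    return (DATA_ACCESS[a.data_access] + BUSINESS_IMPACT[a.business_impact]
            + DEPENDENCY[a.dependency] + SYSTEM_ACCESS[a.system_access])

def risk_tier(a: IrqAnswers) -> str:
    # Override: privileged access combined with personal or special-category
    # data is always high, however replaceable the supplier is.
    if DATA_ACCESS[a.data_access] >= 3 and SYSTEM_ACCESS[a.system_access] >= 3:
        return "high"
    score = inherent_risk_score(a)       # maximum possible score is 15
    return "high" if score >= 9 else "medium" if score >= 4 else "low"

def required_evidence(a: IrqAnswers) -> list[str]:
    return EVIDENCE[risk_tier(a)]

if __name__ == "__main__":
    # Constructed sample: an IT provider with privileged access to customer data.
    it_provider = IrqAnswers("personal", "high", "months_to_replace", "privileged")
    print(risk_tier(it_provider), required_evidence(it_provider))
```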

  3. Risk management & contracting: convert agreements into protection

Limit risks by taking (joint) measures and setting them out in contracts. This makes compliance and risk management enforceable.

Standard practices:

  • Depending on the type of service, set requirements for cyber security and resilience, human rights and privacy, environment and surroundings, good governance, etc.;
  • Lay down contractually: SLAs, DPAs, audit rights, exit clauses;
  • Develop concrete improvement plans with deadlines.
  • Don’t just impose requirements, but advise, support and invest in companies in the supply chain to achieve these objectives. This may sound counterintuitive, but a healthy supply chain is good for people, the environment and operations.

  4. Implementation & onboarding: safe and pleasant collaboration from day one

Ensure a smooth and secure start to the collaboration, with clear agreements and controlled access.

Standard practices:

  • Use an onboarding checklist with technical and legal requirements;
  • Implement the ‘least privilege principle’ for access to systems;
  • Verify the necessary background checks for personnel;
  • Have suppliers sign all relevant policy documents and explicitly review the zero tolerance policy, e.g. with regard to sexual harassment, human rights, environmental offences, theft and fraud;
  • Review relevant safety requirements, code of conduct and procedures;
  • Ensure a pleasant and respectful working atmosphere.

  5. Continuous monitoring: remain alert to changes

Risks are dynamic. New threats, incidents or changes at suppliers must be quickly identified.

Standard practices:

  • Monitor for data breaches, vulnerabilities, acquisitions or compliance violations;
  • Use real-time alerts, external risk data (e.g. via EcoVadis) and local news (e.g. regarding human rights violations and environmental offences);
  • Exercise the right to audit through on-site visits or audits carried out by third parties, e.g. regarding the situation in the workplace, ISAE statements, ISO 27001 information security and cybersecurity, ISO 9001 process control, Rainforest Alliance certification, etc.;
  • Schedule annual or semi-annual reassessments for critical suppliers;
  • Discuss ESG performance and involve relevant stakeholders in improvement processes;
  • Keep talking to each other, learn from each other and respect each other’s interests. This will create a long-term relationship that delivers value for all parties in the supply chain and has a positive impact on people and the environment.

  6. Exit & offboarding: close relationships securely

Terminate relationships in a controlled manner and prevent access, data or systems from remaining open unnecessarily.

Standard practices:

  • Conduct a contract review covering termination clauses, remaining obligations and SLAs;
  • Terminate access via Identity and Access Management (IAM) systems, rotate digital keys to which the supplier had access and terminate physical access by collecting/deactivating access passes;
  • Verify that sensitive data is deleted and laptops and tokens are returned, and that intellectual property agreements are implemented;
  • Execute transition to any new parties. In cases of high dependency or interdependence in business processes, disentangling and phasing out may be a project in itself;
  • Formalise the departure and communicate this widely, both to express gratitude for the collaboration and to make it clear that the supplier is no longer involved.
  • Document the entire exit process for audit and compliance purposes.

Whether you need process advice, require training or want to ensure full implementation of TPRM, Goal 17 guides you through the entire process, from initial assessment to optimisation. Our solutions take your sustainability and cybersecurity programmes to the next level, seamlessly address specific risks, and offer not only technology, but also a partner who thinks along with you and takes action.

Contact us today at info@goal17.eco or call Michael Oosten (06 1252 1655) or Richard Benningshof (06 8371 6240) to discover how Goal 17 can transform and secure your TPRM processes.