It is recommended and, in some industries, a requirement for organizations to perform risk assessments of third-parties before the third-party gains access to systems, applications, and/or sensitive information. The main objective of the risk assessment is to gain assurance that the third-party has operational practices that comply with your organization’s security, privacy, technology, regulatory, and business requirements.  

The assessment is an integral component of a third-party risk management program that also includes scoping, business verification, contracting, approval, and monitoring. Although several standards exist, organizations take unique approaches for third-party risk management. For example, some organizations rely solely on legal agreements while others perform lengthy assessment activities.   

It’s important to understand the key components of a third-party risk management program, the pros and cons of each component, and how the process can be applied to suppliers, contractors, and data recipients.   

Regardless of the third-party risk management standard that you follow, they all include the following steps:

Group 2390  Verification  

The first step in the third-party risk management process is to perform a due diligence investigation of the third-party to ensure that you are aware of any business-related issues that may impact your relationship with the third-party. For example, if your policies state that you cannot do business with an organization that is under investigation, then it does not make sense to continue any engagements with the third-party.  

Scoping  

The scoping exercise determines the type of assessments, contracts, and approvals that will be applied to the third-party. The result is the initial or inherent risk level of the third-party.  

Assessment  

The risk assessment can take many forms and should be based on the initial risk rating of the third-party and the organization’s risk appetite. Additionally, some organizations outsource the risk assessment activity, others follow a hybrid model, while others perform all the tasks in house.   

Contracting 

The contracting process can be performed in parallel with the other risk management activities. The goal of the contracting process is to ensure that appropriate safeguards are in place to govern the relationship with the third-party.   

Approval  

The organization’s approval process should be followed consistently and withstand internal and external scrutiny. Approval decisions should be based on the results of the business verification, scoping, risk assessment, and contracting activities.   

Monitoring  

After the third-party is approved, the next task is to monitor the third-party’s compliance with the business, security, and contractual requirements.    

Akoya’s Approach to Third-Party Risk Management  

Akoya’s third-party risk management program is used to evaluate the business, data privacy, technology, and security risks of prospective and current third-parties. Our process is similar to the process described here; however, specific elements are based on our risk tolerance, corporate policies, contractual requirements, and industry standards.   

Not only do we take this approach internally, but we apply the same level of rigor to all third-party management services we provide to our customers. Akoya’s data access network is inclusive of the entire financial services industry and serves fintechs, data aggregators, financial institutions, and credit unions. In this highly regulated yet diverse ecosystem, Akoya’s third-party risk management services ensure both network data providers and data recipients receive a comprehensive, transparent, streamlined solution.  

Third-party operations managed by Akoya include: 

  • Security reviews: We oversee the required third-party non-discriminatory vetting and auditing process comprised of seven security and risk components with annual recertification. 
  • Policies and procedures: Akoya manages the requirements for making data available and responding to access requests and denials on behalf of the data provider. 
  • Legal agreements: By partnering to create relevant terms of access, Akoya administers the contracting process on the data provider’s behalf and escalates to legal teams as needed. 

Recent events have shown that third-party risk management is a critical component of an organization’s risk and security management program. Every organization should implement a third-party risk management program that is tailored to their regulatory requirements, risk profile, and contractual requirements. 

Learn more about the full scope of Akoya’s managed services included in our 1033 Compliant Solution and request a 30-min consultation today.