In the third-party risk management process, it is imperative to review the use case and the type of data and systems that will be shared or accessed through the engagement. Understand the scope of the engagement, the potential risks, and the impact if things go wrong.
A common process is that a department head decides they want to hire a service or buy software to solve a business problem. They engage with a few vendors and, based on the look, feel, features, and price, they decide on their preferred vendor. The decision to use a particular service or software is often already made before third-party risk management is engaged. Before they sign the deal, they require a thumbs up from the person(s) in the organization who manage third-party risk. Here are the steps I recommend following when you are vetting the security and privacy posture of a third party.