The Do's and Don'ts of Third Party Risk Management



By Don Halliwell

Third party risk management is a critical component of any organization’s security program. As organizations expand their operations, they may rely more on outside vendors to provide services that they cannot or do not wish to provide themselves. It is important to understand the risks associated with these third parties and take steps to mitigate them. Here are some do’s and don’ts when it comes to third party risk management.

Developing a Strategy

Developing a comprehensive strategy for third party risk management should include assessing the current state of the third party’s security posture, identifying potential risks, and then taking steps to mitigate those risks. This may involve implementing specific policies and procedures for handling data shared with or obtained from the third party, as well as conducting regular review meetings to ensure that any new information is properly evaluated and responded to promptly. A good risk management plan should be regularly reviewed and updated when necessary to ensure it remains effective against changing threats.

Training Your Staff

It is also important to train your staff on how to recognize and respond to risks associated with third parties. Proper training can help reduce both direct and indirect costs related to handling data shared with or obtained from a third party. It can also help prevent costly mistakes by ensuring your team understands the importance of maintaining an effective risk mitigation strategy at all times. Additionally, educating staff on industry best practices will equip them with the knowledge they need to identify potential issues before they lead to costly problems down the line.

Tracking Compliance

Monitoring compliance with established standards is key when managing risk related to third parties. The process should involve tracking changes in their controls, procedures, and operations over time in order to identify any deviations from established standards or other concerns that may arise. Organizations should also have systems in place that allow them to quickly detect any issues so that corrective measures can be taken as soon as possible. Additionally, organizations should maintain records of all interactions and communications related to third-party relationships in case there are discrepancies or questions later down the road.

Do’s

1. Have a thorough understanding of the third party’s operations, such as their software, processes, procedures, and controls.
2. Recognize that the risk can change over time and be aware of ways to address it if necessary.
3. Conduct proper due diligence on the third party to ensure they are providing quality services.
4. Review contracts thoroughly to clearly determine responsibilities.
5. Keep up with relevant certifications or licenses the third party might need.
6. Use a combination of physical and IT security measures.

Don’ts

1. Take shortcuts when it comes to due diligence.
2. Rely solely on IT solutions.
3. Overlook any relevant certifications or licenses the third party might need.


It is important for organizations to properly evaluate potential risks associated with each third party supplier before engaging in any relationship with them, regardless of how well you may know them personally or how convenient their services may be for your business needs. Adopting an effective strategy for managing third-party information security risk can help ensure that no hidden risks emerge after engaging a new vendor or service provider.
