What is third-party risk expansion and why is it a risk in compliance? Historically, people described a third party simply as an entity outside of your organization. However, that definition is broadening to mean any entity with which your company works. Obviously, this can be a supplier or vendor, a service provider, a customer, a joint-venture (JV) partner and/or an intercompany affiliate. A broader view could include intercompany affiliates as third parties, even though many people would see them as just being another entity inside of a business. As the definition of third parties expands, life only becomes more complicated for anyone trying to do third-party risk assessments, and the tiering then creates an exponential change.

Previously, a tier one supplier was a direct counterparty to your organization, directly through the sales channel. Next, a tier two was one that your company’s tier one counterparty is working through. This means risk managers assessing the various risks now have to go deeper and deeper. One way to do so is by trying to understand the connection between tiers one, two, three, four and so on. The problem is that there are many risks companies do not manage because they cannot identify which companies are taking risks, allegedly on their behalf. One of the most difficult issues for compliance professionals and risk managers is trying to get their arms around how to handle this issue.

You should begin by mapping out and understanding the third parties whose exposure needs to be assessed by your organization. Obviously, this includes both direct and indirect third parties, but in terms of the tiering, the best way for anyone to understand the risk is to have really good communication with their tier one third parties to be able to discuss the risks to both businesses.

Three key takeaways:

  1. Has your third-party risk management program expanded with your third parties?
  2. Why is transparency a key for third-party risk management?
  3. What is the financial health of your third parties?