2023-07-14

As a starting point, organizations may undertake a preliminary self-assessment of third-party risk by considering the following questions:

Who are third parties in the organization?

What are the relationships between the organization and those third parties, and which of them are material to the organization?

What governance and control do we have over the third parties? (e.g., staff knowledge and understanding, framework and policy, systems/tools, and control processes)

Most organizations encounter the following typical Third Party Risk Management (TPRM) challenges and risk landscape:

Limited staff knowledge and know-how, and a limited scope of risk domains covered.

Limited scope of third parties under active management (i.e., contingent workforce, subcontractors, and intra-company entities receiving no oversight).

TPRM is largely considered to be solely the responsibility of the first line of defence (e.g., basic due diligence during vendor onboarding), particularly in regulated industries.

Insufficient governance and oversight by the second and third lines of defence, resulting in limited visibility of aggregated third-party risk, and of the extent of its concentration, at the organizational level.

Insufficient, incomplete, inconsistent, and disparate data spread across multiple systems, together with a large amount of manual processing. This may make management both ineffective and inefficient.

Third-party risk can be assessed with both “top-down” and “bottom-up” approaches, considering the organization’s current state in terms of people, process, and systems/tools, in order to apply a TPRM framework and the related control processes. The advisory team can assist with and tailor TPRM advisory or implementation services (fit-for-purpose) to match the organization’s needs. These services may include the third-party due diligence process, assessment of risks and existing controls, contract management, third-party performance review, and quality review on a continuous basis. These actions aim to minimize the organization’s exposure to the increasing risks associated with third-party services, while instilling long-term confidence in the organization’s investors, customers, employees, and stakeholders.

Chinkavin Kittanatchai

CISA, CPA, CIA, CRISC, CGEIT, CISM

Partner | Risk Advisory

Deloitte Thailand

