A third party is a company or individual outside your organization that provides goods and services or performs activities vital to your success. A third party may or may not engage directly with your customers.
For instance, a back-end technology third party might provide a platform for your customers, but not communicate with them. On the other hand, some third parties will have direct contact with your customers. Payment processors such as Stripe, PayPal, or Venmo interact with consumers when they make online purchases.
Whether or not they deal directly with customers, third parties are separate entities that play a specific role in the operational and strategic advancement of your organization’s goals.
Some organizations call a third party a service provider. Others may refer to them as “third-party service providers” or simply “SPs.”
The most common way to refer to a third party is as a third-party vendor.
But whatever you choose to call them, vendors or service providers can be broken up into three major categories:
Goods Vendors: A goods vendor specializes in selling and distributing physical products. A goods vendor delivers products to your organization ranging from specialized equipment like ATMs to basic office supplies.
Service Vendors: Unlike goods vendors, service vendors offer expertise to support an organization’s strategic business goals. These vendors are critical in addressing an organization’s challenges when it lacks specific in-house talent. IT consulting firms, marketing agencies, and legal consultants are among the providers an organization may outsource to.
Software Vendors: A software vendor provides its products to organizations in various ways, including on-premises installations, Software as a Service (SaaS) over the cloud, and platform-based apps. The relationship between an organization and its third-party software vendor is typically governed by a contract that spells out the duration of the agreement and service-level expectations of performance.
What organizations mean when discussing a third party can be a matter of its function. For example, goods vendors might be called “suppliers” because they supply goods to a company, while a marketing team may be referred to as a “service provider” given that they perform a service.
When you outsource an activity to a third party, this relationship can provide numerous benefits to your organization. These benefits include:
When considering entering a relationship with a third party, you should examine many aspects. First, you must examine your organization’s business case to outsource and document why it makes sense. From there, you can consider potential third-party vendors.
At the top of your list, you should assess the third party’s reputation. How long have they been in operation, and who are their clients? Asking for referrals from trusted partners is a great way to select the best third party for your organization.
Possessing a proven history of reliability is essential in third-party selection. You should also consider their ability to meet the demands of your project or activity. If the activity you’re asking of your third party is especially demanding or complex, you need to ensure that your third party can fulfill your organization’s objectives.
Making the right choice with a third party means considering the provider's history and how this aligns with what you need.
To guide your decision, here is a list of some considerations:
This early vetting process is no substitute for thorough due diligence, a topic we’ll address later.
Using a third party for certain activities can pose several disadvantages. You can overcome these hurdles, but you need to be aware of them before entering a third-party relationship.
First, your direct oversight into the quality of your third party’s service or product may not be what you want it to be. When you decide not to do an activity in-house and instead contract with a third party, you need to evaluate the quality of their services and products regularly.
Then, there’s the matter of cost. Sometimes, organizations find bringing an activity in-house is more cost-effective. You and your customers may also not receive the standard of support you’ve come to expect.
Most importantly, you must ensure you’re aggressively monitoring risks associated with your third parties. Vendor risk management is essential to maintaining the integrity of all your third-party relationships. From data breaches to compliance violations to consumer harm, there are many ways a third-party vendor relationship can harm your organization.
While there are many advantages to outsourcing some of your activities to a third party, it also comes with increased risk.
Vendor risk management is a systematic approach to address the uncertainties of collaborating with suppliers. This approach begins with an initial evaluation of the vendor (due diligence), extends through contract negotiations, and includes ongoing monitoring throughout your organization’s partnership with a third party.
Managing vendor risk has five distinct stages:
Not every third-party relationship produces the same level of risk.
The size of your organization’s third parties matters less than the specifics of your relationship and how critical their activities are. The more access your third party has to your organization’s confidential and sensitive information, the greater the risk.
And the greater the risk, the more due diligence you must conduct in onboarding and monitoring third parties.
Critical activities are defined as those that:
Organizations take different approaches to managing the risks associated with third-party relationships – some focus on individual vendors, while others classify risk by activity.
Whether your organization assesses risk by vendor or activity, you must have a sound methodology and a complete and comprehensive vendor management program in place.
Your organization outsources its activities to third parties, and so do your vendors. Your vendor’s vendors are called fourth-party vendors. Fourth-party vendors can go by many names – providers, strategic partners, etc. – and offer payment processing, mobile apps, and many other services.
Your organization isn’t simply responsible for what your vendors do, but also what your vendor’s vendors do. In short, the more vendors your vendors use, the greater the risk to your institution.
What about fifth-party risk? Or sixth-party risk? There is seemingly no end to the risks posed by third-party vendors and their vendors – or their vendor’s vendor’s vendors.
Whether you handle an activity internally or outsource it, you’re responsible for managing and mitigating all the risks associated with your vendors and their third parties.
Too many organizations neglect to manage their third-party relationships actively, and this can cause big trouble.
Just ask the folks at ACI Worldwide.
Recently, the Consumer Financial Protection Bureau (CFPB) took enforcement action against ACI Worldwide, which provides real-time payment processing. ACI initiated roughly $2.3 billion in unlawful payments affecting half a million homeowners who were customers of the mortgage service provider Mr. Cooper.
Because ACI processed fraudulent and unauthorized payments, homeowners with mortgages serviced by Mr. Cooper were hit with overdraft fees from their banks, and the CFPB handed ACI a $25 million civil penalty.
Additionally, Mr. Cooper suffered significant reputational damage because of ACI’s failure.
Successfully managing third-party risk requires your organization to have a complete view of all vendors. Their financial status, continuity plans, and information security systems can directly impact your business.
With Ncontracts’ powerful Nvendor solution, your financial institution can uncover risks and reduce costs.
Nvendor gives you the ability to:
Collaborate with team members to reduce costs: Keep your compliance teams on track with better communication. When you centralize your vendor management system, the heads of departments at your financial institution can easily create plans, assign tasks, schedule employee training, and automate updates and reminders across your institution.
Ensure third-party compliance: With Nvendor, your financial institution will always be exam-ready. Create plans and procedures to organize critical documents and receive alerts and reports that can be pulled up in seconds to meet examiner requests.
Manage the lifecycle of your vendors: Our easy-to-use software dashboard empowers your organization to store, track, and manage each aspect of vendor management – from initial vendor selection and due diligence to ongoing monitoring to contract termination.
Deploying Nvendor gives your financial institution everything it needs to manage your third-party vendors with easy implementation.