Third-Party Risk Assessment


“The use of third parties is nothing new — companies have worked with suppliers, outsourcers, licensees, agents, and the like for years. What has changed, however, is the frequency and scale of third-party use and the regulatory focus on how organizations are managing third parties to address the inherent risks” (Park, 2015).

Third-party risk is a threat that can result in reputational and financial damages. Many well-managed organizations find it difficult to assess third-party agents. This Third-Party Risk Assessment model is a transparent and collaborative model that makes it easier for organizations to identify vendors and the risks associated with each of those vendors.

This model follows three steps:

  1. Identify third-party vendors and the product/service they are providing.
  2. Rate each third party based on the risk level of the product/service and the level of residual risk.
  3. Create an action plan to mitigate that risk.


The Third-Party Risk Assessment decision model can be used by risk consultants, risk managers, and project managers.


According to research conducted jointly by The Institute of Internal Auditors Research Foundation and Crowe Horwath LLP, more than 65% of organizations rely heavily on third parties. However, despite the common belief that third-party relationships pose a significant risk, almost 80% of organizations devote only a small share of their internal audit resources to assessing third-party risks (The Institute of Internal Auditors, 2014).

“Assessing third-party risks can ensure that the organization is working with reputable, well-managed vendors that follow industry best practices, which strengthens your clients’ confidence in your organization” (Perez, 2016). Assessing third-party risk helps organizations create and manage an inventory of vendors and partners, and their corresponding due diligence, risk assessments, and action plans to reduce and manage risk.


1) NOODLE & TAG: Identify and categorize the third-party vendors and the product/service they are providing.

2) COMBINE to eliminate duplicates and move forward with only unique ideas.

3) MULTI-CRITERIA RATE each third party based on the risk level of the product/service and the level of residual risk.

4) SHARE AND DISCUSS RESULTS: Review stakeholder alignment and display a heat map graph to participants.

5) ACTION PLAN: Develop a specific action plan (or next steps) to mitigate identified risks immediately, as well as over the lifetime of the relationship (i.e., the contract).

This Third-Party Risk Assessment digital decision model is based on a model created and graciously shared by The Mitigate Group.


  • Inventory of third-party vendors and the risks associated with each of those vendors
  • An assessment of risks and unmitigated risks
  • Action plans for mitigating the outstanding risks


This exercise will enable:

Quality - Reduce surprises, gain critical insight into your organization, and proactively manage the third-party risks that affect the achievement of strategic goals. Bringing in more perspectives reduces risk.

Efficiency - Engage busy stakeholders when it’s convenient for them to contribute, 24/7, reducing excessive meetings and bringing the right people to the table.

Engagement - Conversation analytics allow individual stakeholders to understand how they evaluated risks versus how others did, igniting rich discussion and deeper alignment. Provide a safe space for stakeholders to evaluate and provide candid thoughts and rationale.

Agility - Develop a shared understanding about the third-party risks. Evaluate and focus management attention and resources on the most important risks.


Park, K. (2015). Risk angles. Deloitte.

Perez, J. C. (2016). Assessing risk from vendors and other third parties is key to business success. Qualys Blog.

The Institute of Internal Auditors. (2014). Managing third-party risks.
