
GDPR & vendor risk management misconceptions


In the vendor management landscape, we see a surge in companies reaching out for help with performing third-party risk assessments. When we talk with these companies, we always want to know what drives them to perform the assessments, so that we understand how we can help best.

We commonly see situations where third-party risk assessments are performed solely because they are needed to be compliant with GDPR. While this is partly true, we at Riskly believe this is not the right driver.

This brings us to the following misconceptions:

  • Third-party risk management is just your own area of responsibility
  • Privacy is security

Third-party risk management is just your own area of responsibility

Third-party risk management is all about reducing the risks a third party poses to your organization. When you address third-party risk management solely from your own area of responsibility, you miss other important information. As an example, have you considered the business continuity risks a certain third party poses to your organization? Do you have an exit plan in case something happens?

We advise involving all relevant stakeholders in your vendor management process, ranging from security to business continuity to finance and legal. Every organization has different stakeholders, and you should make sure all of them are involved; otherwise you will never get full insight into the risks of the third party, nor have the ability to reduce them to an acceptable threshold.

Privacy is security

Some organizations also seem to assume that a privacy assessment covers all aspects from a security perspective as well, so that a separate security assessment is no longer necessary. While it is true that some aspects of privacy overlap with security, a privacy assessment is not the same as a security assessment. The difference already starts with the main principle of each.

Privacy ensures the proper processing of personal data, including its protection, while security is about the confidentiality, integrity, and availability of all information. It goes without saying that this is a much broader scope than privacy.

What have we learned from this?

Third-party risk management should be addressed from multiple perspectives to understand the risks a third party poses to your organization. Based on this complete perspective, the risks can be lowered to an acceptable threshold.

We cannot allow ourselves to focus on one area just because, for instance, legislation requires it. Third-party risk management is all about reducing risks; complying with legislation should not be the primary driver.

Why Riskly can help with GDPR & vendor risk management misconceptions