7 Best Practices for Successfully Managing Third-Party Risk

As the old saying goes, “You gotta hope for the best, and plan for the worst”. Whether you’re just starting your business venture or have been operating for decades, this axiom holds true from day one. Potential disasters can exist around every corner, and it’s important to be able to project what those could be and how you would handle them.

In fact, it’s how we approach everyday life. If you have an appointment to get to, you don’t want to be late. Let’s say you don’t drive, so you must rely on a third-party service to get you there, such as a bus, taxi or ride-sharing service. You’re putting your trust in another entity’s ability to get you there on time, but you’ve been doing this long enough to know that stuff happens, and you come up with a backup plan, just in case.

Vendor Risk Management (VRM) can and should be just as focused on mitigating potential issues, as part of maintaining good Governance, Risk Management and Compliance (GRC). In today’s changing landscape of digital transformation, one generally doesn’t spend exorbitant resources on re-inventing the wheel. If a third party has already come up with an excellent solution integral to your business, using it will get you out of the gate more quickly and save you money.

Understanding the breadth of risks that come along with pulling in vendors is the key. For example, cyber risk permeates this digital theatre, owing to a continued increase in the adoption of data privacy regulations around the world. A careful review of your third-party vendors can illuminate risks beyond their own domain, to their vendors, and their vendors and so forth, possibly leading to a need to consider even fourth- or fifth-party vendor risk. What are some of the basic steps you can take to manage these risks?

Identify all third-party vendors and their contact information.

Maintain a record of every vendor you bring on board, including their contact information, terms of service and other relevant details. If your company has been around for years, you may have this information recorded already, but is it complete? Are the contact details accurate and up to date? Do your records accurately represent all of the vendors currently associated with your company?

Gather information about the vendor’s own risk management.

Your third-party vendor is a business as well, selling you a solution that meets your needs. If they’ve been responsible and maintain their own VRM process, you need to communicate with them to determine what steps they take to mitigate a potentially damaging outcome caused by a failure of their product. Having this information empowers you to build your own plan to address the impact of such a failure.

Evaluate the risk associated with third, fourth and Nth-party vendor solutions.

As noted earlier, you’re usually working with a third party because they already provide a solution that meets your needs without your having to create your own, and oftentimes that vendor may work with external vendors or suppliers to meet their own needs. Even if you have fully vetted your third-party vendor, can you be sure that the fourth-party vendor is fully vetted as well? Unfortunately, when third and fourth parties are introduced, your organization’s responsibility is not pushed down to the vendors.

Plan how you can mitigate the potential damage as a result of a failure of your Nth-party vendor.

Now that you have plenty of information about your vendor and their own VRM process, you can build a plan to protect your company in a worst-case scenario. In fact, you will want to plan for any level of impact, not just a doomsday scenario. Is this a situation wherein a problem arises that has a low impact on daily business?

Perhaps it has merely created a bug that’s more of a nuisance than an all-out failure. In the world of instant news via the likes of Twitter and other social media channels, though, a seemingly minor issue can balloon into a public relations nightmare. Planning ahead with steps to mitigate issues on many levels will give you the confidence to address these issues quickly and efficiently.

Plan out your VRM program before selecting a tool.

An optimal VRM program will look different for each organization, so it’s important to figure out what success looks like for your organization. As a rule, medium-sized and large organizations will want to stay away from manual processes. Do away with spreadsheets, as they aren’t manageable or scalable. You will want to assess your vendors on a continuous basis, keeping pace with internal or regulatory changes. If you don’t know what the program should look like, start with a strategizing session to lay out an initial roadmap.

Celebrate the small wins.

Implementing a VRM program can be a massive overhaul. Don’t try to implement the entire program in one go. Instead, prioritize which vendors to assess first, then identify small, achievable milestones that can be accomplished relatively quickly (1-2 weeks). Quick wins will help get buy-in to the program and improve user adoption.

Rinse and repeat.

The final level of managing your third-party risk is to continue doing just that. This is not a set-it-and-forget-it practice. Not only do you need to keep on top of your “tier one” vendors’ risk assessments, but you will also want to continue to drill down to other tiers.

Changes in policy and regulations, both internally and externally, may also affect the level of risk that you’ve already set for a vendor, and it could change your approach to mitigating the outcome. Once you’ve implemented a VRM program and have seen what’s working, you can fill in the gaps and continue to optimize your program.

NewRocket offers services and solutions that can help you streamline this process and stay on top of the changing landscape of Vendor Risk Management. Step away from the spreadsheet. We provide services that make assessing risk and establishing plans and procedures simple, painless and easy to follow through on. We also offer workshops that can set you on the right path to building a solid third-party risk plan that integrates with your overall GRC or IRM strategy. Contact us today to find out more.

Knowledge Wrap Video

The event provided a vibrant platform for reconnecting with peers, delving into AI transformation, and driving innovation with purpose. Read on to discover how NewRocket made its mark at Knowledge 2024.

What We Learned

From recent insights gathered, we learned that ServiceNow customers are increasingly receptive to adopting AI solutions, and ServiceNow has the tools to embrace that head-on. However, there's a gap in AI use cases for more mature users, highlighting the need for a creative approach to accommodate their business needs.

In navigating AI adoption, organizations are challenged to find the delicate balance between embracing innovation and avoiding dependency on emerging technologies. Advisory consulting and trusted guidance beyond initial queries spark interest, particularly around AI's impact on operations. Read our AI blog series to learn more about our approach.

Excitement around GenAI is apparent, with most users eager to explore its potential benefits and invest in quick wins. Notably, advanced use cases like process mining are gaining traction. Key solution themes include interest in native mobile applications, Employee Center migration, and the urgent need for enhanced data capabilities.

Recognitions and Awards

ServiceNow Americas Employee Workflow Partner of the Year

The ServiceNow Americas Employee Workflow Partner of the Year award celebrates Partners' exceptional efforts in enhancing employee experiences through innovative collaborations and technology solutions.

UK Public Sector Partner of the Year Award

The ServiceNow UK Public Sector Partner of the Year underscores Partners' dedication to driving digital transformation and delivering exceptional outcomes for public sector organizations in the UK.

ServiceNow.org Partnership for Good Grant

The ServiceNow.org Partnership for Good Grant highlights Partners' commitment to leveraging technology for social impact and driving positive change in communities around the world.

Top 10 Finalist for ServiceNow Best Employee Portal of the Year

ServiceNow's Best Employee Portal of the Year award recognizes Partners' dedication to creating innovative solutions that empower employees and enhance workplace experiences.

NewRocket Booth

At ServiceNow's Knowledge 24 event, we connected with 350+ attendees at our booth, showcasing how NewRocket supports organizations on their ServiceNow journey. AI emerged as a key topic, reflecting the growing interest in its potential across businesses. Our strategic advisory approach, FlightPath, aligns technology with business objectives, drawing on our expertise in customer, employee, technology, and security transformation. Plus, we captivated attendees by transforming them into astronauts using AI.

Workshops and Speaking Sessions

Beyond Personas: Developing Holistic Frameworks to Personalize User Solutions

Industry innovation: Consilio’s Transformation Journey on ServiceNow

Dive Into Prototyping to Accelerate Validation With Design Libraries

Make Better Business Decisions by Integrating Risk and Compliance

Participating in ServiceNow's Knowledge sessions and workshops this year was truly enriching. Interacting with customers and partners provided invaluable insights into the future state of ServiceNow and allowed us to have in-depth discussions on how we can collectively offer better experiences across various facets of the platform. From exploring advanced AI integrations to optimizing workflow processes, the conversations were not only enlightening but also inspiring, fueling our commitment to innovation and excellence in the ServiceNow ecosystem. We can't wait to see you next year!

NewRocket Party

Our poolside event at the Capri restaurant in Las Vegas provided a refreshing break from the conference hustle, allowing us to unwind and connect with friends, colleagues, partners, and customers in the cool open air. As the night progressed, we loved creating unforgettable memories and strengthening our bonds within the ServiceNow community.