You probably already classify third parties based on certain risk indicators – their size, the size of the contract, the types of data they process, their reputation, their ability to provide service continuity, etc.
You may also have regular risk based reviews of some/all of them (but hopefully not relying on these types of reports).
Such risk oversight is often the domain of the CPO or similar. This can lead to a focused risk assessment – and not necessarily spanning the broader enterprise objectives; for leading organisations, however, the management of 3rd party risk is shifting from being reactive and internally focused to being more proactive and customer focused – i.e. ensuring alignment with customer expectations and objectives.
In particular then, does your risk assessment and response consider:
- how close to your customers the third parties actually are?
- whether the 3rd party will interact directly with your customer? If so, what’s the potential impact (positive or negative) of those interactions?
- whether the 3 parties (your customer, you, the partner) will comfortably fit together?
If you partner with a 3rd party (e.g. white labelled products/services), the additional dimension – direct customer contact – could be more important than any of the others.
As a customer focused organisation, you want to ensure that your customers continue to receive the high levels of service (and experience) quality that you are known for and work hard to deliver consistently.
What this means is that your assessment must also consider:
- how the potential partner treats their customers
- how complaints will be handled – i.e. will you field and resolve customer complaints?
- how you will ensure that the potential partner is notified when relevant customer changes occur (e.g. when phone numbers or email addresses change, or even when living status changes occur)
- equally – how the partner will notify you if they find out about such changes first
What else do you consider when evaluating customer-facing 3rd party risk?