Using Third Party Governance

The Third Party Governance use case supports the following processes.

Third Party Governance Processes

The Archer Third Party Governance use case is built to enable the following processes.

The Third Party Governance Swimlane Diagram

Creating and Associating Third Party Metrics

The Archer Third Party Governance use case enables you to measure engagements and contracts by identifying key metrics in 4 categories: quality, innovation, strategic, and relationship. You can create a library of third party metrics to use multiple times across various engagements or create individual third party metrics as needed.

Through the Third Party Governance use case, you can:

  • Populate the Third Party Metrics Library by documenting all the SLA and performance metrics that your organization uses to evaluate third parties.

  • Use the Third Party Metrics Library to associate metrics to active engagements. The system makes a unique copy of the existing metrics library that you select, and when the Generate Third Party Metrics data feed runs, it automatically populates the copied metrics into the engagement.

  • Automatically generate Third Party Metrics Results. When a Third Party Metric reaches its measurement date, the Generate Third Party Metrics Results data feed automatically generates a Third Party Metric Results record for collection.

  • Collect Third Party Metrics Results using Archer Engage for Business Users.

Measuring Third Party Performance

After you create metrics and associate them to engagements, you can measure third party performance in 4 metrics categories: quality, innovation, strategic, and relationship. Metrics results roll up to the associated engagement record to calculate a performance rating for each metric category being assessed. The average results of all the engagements are calculated in the associated third party profile. If a third party does not meet your standards, you can address those deficiencies by generating findings, remediation plans, and exception requests.

Here are the tasks to measure third party performance:

  1. Select any inactive metrics loaded in an Engagement and activate those metrics to collect the results. You may also adjust weights and other metric values when you activate the metric.

  2. Collect the metric results over time to determine how a third party is performing based on the criteria you defined.

  3. Review dashboards and the performance scorecard in a third party profile to identify whether the third party is performing below the defined threshold, and address those deficiencies, as needed.

Bulk Assessment Generation Using Third Party Campaign

The Third Party Campaign application is used to bulk create Zero-Day Vulnerability or Location-Based Risk assessments. The application allows users to document high level information about recent software vulnerabilities or geographical risk events, and choose which Third Parties will be the target of the assessment. A data feed will then generate assessments for each Third Party selected in the record.

To bulk generate assessment records, complete the following steps in the Third Party Campaign application:

  1. Enter the Campaign Name and Due Date.

  2. From the Assessment dropdown, select the assessment you want to bulk generate.

  3. In the Method of Collection, select whether the results will be collected manually. If responses will be submitted by vendors using Engage, select Engage for Vendors.

  4. From the Third Parties cross-reference, select the third-parties that will be evaluated in the assessment.

  5. Populate details about the event in the Event Information section. This information will be copied into each assessment by the data feed.

  6. If Zero-Day Vulnerability was the selected Assessment, use the Impacted Software Version cross-reference to select or create the impacted Technology.

  7. If Location-Based Risk was the selected Assessment, select the Location and then Region, Country, or State based on the type of location selected.

  8. Once the desired information has been populated, click the save button.

  9. To initiate bulk creation, toggle the Create Assessment Flag radio button to Ready and click the Create Assessments button.

  10. Once the data feed has completed, an assessment record will be created for each Third Party that was selected.

Zero-Day Vulnerability Assessment

The Zero-Day Vulnerability Assessment is used to determine if vendors have been impacted by the selected zero-day vulnerability, and if so, to what degree.

The assessment has been configured to operate with Archer Engage for Vendors, allowing publication to vendors, who can complete the assessment in a centralized portal. To enable this functionality, expand the Instructions section and select the check box next to "Yes, display the Engage Details section". This displays the Engage Details section, which contains the fields required to publish an assessment to Engage.

Third Party Governance - Zero-Day Vulnerability Assessment process flow diagram

Location-Based Risk Assessment

The Location-Based Risk Assessment is used to determine the impact of risk events that have affected a geographic location. These events include natural disasters, geopolitical events, or the spread of a pandemic.

The assessment is preconfigured to operate with Archer Engage for Vendors, allowing publication to vendors, who can complete the assessment in a centralized portal. To enable this functionality, expand the Instructions section and select the check box next to "Yes, display the Engage Details section". This displays the Engage Details section, which contains the fields required to publish an assessment to Engage.