Using Third Party Risk Management
The Third Party Risk Management use case supports the following processes.
Third Party Risk Management Processes
Analyzing Residual Risk with Engagement Risk Assessments
The Engagement Risk Assessment questionnaire enables you to assess residual risk based on controls that your third party has in place to mitigate risk exposure. The questionnaire is generated based on the responses in the Inherent Risk Analysis for each risk category. When you generate an Engagement Risk Assessment, the system automatically calculates the residual risk for each risk category being assessed.
Engage for Vendors
You can use Engagement Risk Assessments with or without Archer Engage for Vendors.
Engage for Vendors is an external portal that enables your vendors to securely answer questionnaires outside of Archer. You must install the Engage for Vendors Service and update your use case license key to publish questionnaires to Engage for Vendors. For more information about installing and configuring the Engage for Vendors Service, see the Engage documentation.
Use the Engagement Risk Assessment questionnaire with Engage for Vendors
- Create an Engagement Risk Assessment questionnaire.
- Publish an Engagement Risk Assessment questionnaire to Archer Engage for Vendors for your third party contacts to complete.
- Review an Engagement Risk Assessment questionnaire by evaluating answers, and generating any findings, remediation plans, or exception requests as needed.
- Approve or reject the questionnaire.
- Analyze the calculated residual risk for each risk category based on an Engagement Risk Assessment questionnaire.
Use the Engagement Risk Assessment questionnaire without Engage for Vendors
- Generate an Engagement Risk Assessment questionnaire.
- Complete an Engagement Risk Assessment questionnaire by answering the questions in each risk category being assessed.
- Review an Engagement Risk Assessment questionnaire by evaluating answers, and generating any findings, remediation plans, or exception requests as needed.
- Approve or reject the questionnaire.
- Analyze the calculated residual risk for each risk category based on an Engagement Risk Assessment questionnaire.
Analyzing Resilience Ratings with Third Party Resilience Assessments
The Archer Third Party Resilience Assessment questionnaire process flow is depicted in the diagram below.
The Third Party Resilience Assessment questionnaire enables you to score the risk of third parties across 5 categories – Cyber, Facilities, IT Infrastructure, People, and Suppliers. After all questions are answered, the system automatically calculates the resilience rating for each category being assessed.
Engage for Vendors
You can use the Third Party Resilience Assessment with or without Engage for Vendors.
Engage for Vendors is an external portal that enables your vendors to securely answer questionnaires outside of Archer. You must install the Engage for Vendors Service and update your use case license key to publish questionnaires to Engage for Vendors. For more information about installing and configuring the Engage for Vendors Service, see the Engage documentation.
Use the Third Party Resilience Assessment questionnaire with Engage for Vendors
- Create a Third Party Resilience questionnaire.
- Publish a Third Party Resilience Assessment questionnaire to Engage for Vendors for your third party contacts to complete.
- Review a Third Party Resilience Assessment by evaluating answers, and generating any findings, remediation plans, or exception requests as needed.
- Approve or reject the questionnaire.
- Analyze the calculated resilience percentage for each category based on a Third Party Resilience questionnaire.
Use the Third Party Resilience Assessment questionnaire without Engage for Vendors
- Generate a Third Party Resilience Assessment questionnaire.
- Complete a Third Party Resilience Assessment questionnaire by answering the questions in each risk category being assessed.
- Review a Third Party Resilience Assessment questionnaire by evaluating answers, and generating any findings, remediation plans, or exception requests as needed.
- Approve or reject the questionnaire.
- Analyze the calculated resilience percentage for each category based on a Third Party Resilience questionnaire.
Analyzing ESG Ratings with the Third Party ESG Assessment
The Archer Third Party ESG Assessment allows you to track the ESG posture of third parties, including compliance with regulations and public disclosures. After you answer questions in the 3 categories (Environmental, Social, and Governance), the system automatically calculates the percentage rating for each category being assessed.
The Archer Third Party ESG assessment questionnaire flow is depicted in the diagram below.
Engage for Vendors
You can use the Archer Third-Party ESG Assessment with or without Engage for Vendors.
Engage for Vendors is an external portal that enables your vendors to securely answer questionnaires outside of Archer. You must install the Engage for Vendors Service and update your use case license key to publish questionnaires to Engage for Vendors. For more information about installing and configuring the Engage for Vendors Service, see the Archer Engage Help.
Use the Third Party ESG Assessment questionnaire with Engage for Vendors
- Create a Third Party ESG questionnaire.
- Publish a Third Party ESG Assessment questionnaire to Engage for Vendors for your third-party contacts to complete.
- Review a Third Party ESG Assessment by evaluating answers, and generating any findings, remediation plans, or exception requests as needed.
- Approve or reject the questionnaire.
- Analyze the calculated ESG percentage for each category based on a Third Party ESG questionnaire.
Use the Third Party ESG Assessment questionnaire without Engage for Vendors
- Generate a Third Party ESG Assessment questionnaire.
- Complete a Third Party ESG Assessment questionnaire by answering the questions in each risk category being assessed.
- Review a Third Party ESG Assessment by evaluating answers, and generating any findings, remediation plans, or exception requests as needed.
- Approve or reject the questionnaire.
- Analyze the calculated ESG percentage for each category based on a Third Party ESG questionnaire.
Documenting Third Parties
The Archer Third Party Risk Management use case allows you to document your organization's third party relationships at 3 levels: third party, subsidiary, and sub-subsidiary. The Third Party Profile application is a central repository of all your third parties and includes key aspects of third party relationships, such as relationship contacts, third party external contacts, status, engagements, and risk assessments.
The Third Party Management dashboard provides the executive team with a centralized location for up-to-date reports related to third parties. Review this dashboard for critical third party information, such as third party performance, residual risks, and contracts that are active or expiring. This dashboard gives the executive team insight on which items require immediate action.
Use the Archer Third Party Risk Management use case to:
- Document a third party profile that describes the business hierarchy of each third party relationship.
- Review third party reports using the Third Party Management dashboard.
Creating Third Party Engagements
The Engagements application allows you to manage each engagement you have with a third party. A third party may provide multiple products and services to your organization, and engagements help you keep track of each unique product or service. You can also link business units to engagements to record the business context of your third party relationship. Additionally, you can upload third party documents to the Third Party Document Repository.
Use the Archer Third Party Risk Management use case to:
- Create a Third Party Engagement.
- Upload and store documents to the Third Party Document Repository to assess third party documents related to engagements at any time during the engagement process.
Measuring Engagement Risk
Measure the inherent and residual risks for each engagement based on seven risk categories to evaluate third parties that may pose risks to your organization. Inherent risk is the impact and likelihood of a risk in the absence of controls and risk transfer.
Measure residual risk to evaluate controls that are in place to mitigate inherent risk for each risk category.
You can also generate Engagement Risk Assessments for your third party external contacts to complete, which helps you analyze residual risk and generate findings as needed.
The Engagement Risk Assessments can be used with or without the Archer Vendor Portal, which is an external portal that enables your vendors to securely answer questionnaires outside of Archer.
Here are the tasks to measure Engagement risk:
- Review the Engagement Risk categories.
- Initiate a risk analysis by identifying the risk categories to assess and the key assessors for each set of inherent risk category questions.
- Analyze the inherent risk by answering inherent risk questions for each risk category being assessed.
- Manually select or allow the system to calculate the residual risk to evaluate controls that are in place to mitigate inherent risk for each risk category.
Engagement risk categories
The Third Party Risk Management use case has seven risk categories that you can assess. These risk categories provide your organization with a broadened perspective of the overall risk that a third party or an engagement presents.
Risk Category | Description |
---|---|
Compliance / Litigation Risk | Assesses the risk involved if a third party engagement violates laws or regulations or introduces litigation risk from product or general liability claims. |
Financial Risk | Assesses the risk introduced by an engagement through credit, market, or liquidity risk, or as a result of theft. |
Information Security Risk | Assesses the amount of risk associated with the compromise or theft of customer, employee, or partner information, or company intellectual property. |
Reputation Risk | Generally a function of all the other risk categories, the Reputation Risk Assessment is a subjective assessment of an engagement and the other risks the engagement introduces. |
Resiliency Risk | Assesses the risk to your organization resulting from the interruption or failure of a third party to deliver an engagement. |
Strategic Risk | Assesses the strategic importance of a third party engagement to your organization and the effectiveness of that third party in fulfilling your strategic expectations. |
ESG Risk | Assesses the potential environmental, social, and governance impact associated with the delivery of an engagement. |
Reviewing Third Party Engagements
The Business Unit Risk Manager and Business Unit Manager must review the risk analysis for final approval or rejection of the overall engagement. Once the Business Unit Manager finalizes the approval, the engagement is activated. Then you can perform ongoing monitoring of activated engagements, as expiration and risk reassessment dates approach.
Here are the tasks to review Third Party Engagements:
- Perform the initial review of a risk analysis for each risk assessment category on an engagement.
- Conduct a final review of the risk analysis and approve or reject the engagement.
- Monitor and reevaluate documents and risk assessments and review appropriate dashboards to ensure that engagements are up-to-date, and any findings, remediation plans, and exception requests are satisfied.