Third Party Risk Management Use Case Design

Architecture diagram

The following diagram shows the relationships between the applications in the Third Party Risk Management use case.

[Diagram: Third Party Governance use case architecture]


Note:

  1. Any connection to the perimeter of the Third Party Hierarchy means the connection could be to any of the three levels within the Hierarchy: Third Party Profile, Subsidiary, or Sub-Subsidiary.
  2. Findings are automatically generated within Issues Management for all Assessments. Findings can also be generated manually across the solution, where appropriate.

Applications and questionnaires

The following table describes the use case applications and questionnaires.

Application/Questionnaire

Description

Engagements

The Engagements application enables you to document all products and services delivered by a third party. You can assign engagements to business units, relationship managers, risk analysts, and to the contracts that establish the terms and conditions of the product and services being delivered.

Engagement Risk Assessments

The Archer Engagement Risk Assessment questionnaire asks the third party to document their internal control environment and provide relevant supporting documentation for further analysis. The results of these questionnaires are factored into a determination of the organization’s residual risk across several risk categories: compliance or litigation, financial, information security, reputation, resiliency, strategic, sustainability, and fourth party risk.

Products and Services

The Products and Services application maintains all products and services provided within an organization. For example, a financial services firm provides a variety of products and services, such as banking, brokerage, and lending services.

Note: The Products and Services application is included in the Enterprise Catalog package.

Question Library

The Question Library application stores assessment questions that you can reference and copy into a questionnaire. Each question is stored as an individual record, and each record contains information including the question and answer text as well as information necessary to display and score the question. Depending on the solution that you have licensed, the Question Library contains a large set of pre-built questions by default. In addition, you can add new questions and store them in the Question Library.

Third Party Document Repository

The Third Party Document Repository application stores documents that a third party provides when completing their Engagement Risk Assessment questionnaires. Examples of this information include SSAE16, PCI Assessments, and Financial Statements. It allows you to store, assess, and update these documents, in addition to building reports. You can access the information in the Third Party Document Repository by doing a search within the Engagements application for a specific document. Tickler files can be set up to monitor reports that need to be updated and collected from third parties on a periodic basis.

Third Party Resilience Assessment

The Third Party Resilience Assessment questionnaire allows you to calculate the resilience percentage of third parties across the following pillars:

  • Cyber Resilience

  • Facilities Resilience

  • IT Infrastructure Resilience

  • People Resilience

  • Suppliers Resilience

The resilience percentage of each pillar is used to calculate the overall resilience percentage of the Third Party. This value is used in combination with scenario results and third party metrics to determine the supplier resilience rating for your organization in the Operational Scenario Analysis use case.

Access roles and record permissions

The following table describes the use case access roles.

Access Role

Description

Third Party: Administrator

Serves as the administrator of the use case. This role has create, read, update, and delete access rights.

Third Party: 1st Line of Defense

Provides the appropriate access levels within the use case to the first line of defense, such as Business Unit Managers. The first line of defense is responsible for reviewing engagements and managing third party termination strategies as needed.

Third Party: Executive Management

Provides the appropriate access levels within the use case to the executive team. The executive team is primarily responsible for reviewing third party reports.

Third Party: External Third Party

Provides the appropriate access levels within the use case to external third parties, such as the Primary Third Party Contacts, Secondary Third Party Contacts, and Tertiary Third Party Contacts. External contacts are responsible for completing Engagement Risk Assessments.

Third Party: Legal And Procurement

Provides the appropriate access levels within the use case to the legal and procurement team, such as the Procurement Group and Procurement Officer. The legal and procurement team is responsible for creating third party profiles, initiating engagements, and managing contracts associated with third parties.

Third Party: Risk Analysts


Provides the appropriate access levels within the use case to risk analysts. Risk analysts are responsible for initiating risk analysis for engagements, analyzing inherent risk, analyzing residual risk, and reviewing external assessments.

Third Party: 2nd Line of Defense

Provides the appropriate access levels within the use case to the second line of defense, such as Business Unit Risk Managers. Business Unit Risk Managers are responsible for the final review stage of engagement risk analysis.

Third Party: Read Only

Provides read-only access to the use case to personas who require limited access, such as a Funding Manager.

For a complete list of access roles and detailed, page-level access rights, see the Data Dictionary.

For a complete list of application record permission fields, including which user/groups fields populate the fields and where the fields inherit permissions from, see the Data Dictionary.

Dashboards

The following table describes the use case dashboards.

Dashboard

Description

Third Party Task Driver

The Third Party Task Driver dashboard contains quick links for frequent tasks and features relevant metrics to the current user, such as risk assessments, engagements, and expiring contracts that are pending action. This dashboard also uses interactive charts to display data, such as third parties by relationship manager and contracts by third party, status, and expiration date.

The Third Party Task Driver dashboard is available to all third party access roles because it is filtered by the current user.

Third Party Process Manager

The Third Party Process Manager dashboard displays items relevant to users such as relationship managers and procurement officers to help them determine how processes are functioning and identify areas for improvement. This dashboard features metrics, such as inherent risks required, residual risks required, and contracts pending review. This dashboard also uses interactive charts to show data, such as third parties by status, engagement inherent risk per business unit, and engagement residual risk per business unit.

Only users that are assigned to the Third Party: 1st Line of Defense, Third Party: Legal and Procurement, or Third Party: Administrator groups can view this dashboard.

Third Party Management

The Third Party Management dashboard provides critical third party information to help the executive team analyze the overall risk of third parties, identify low-performing third parties, and understand how third parties support crucial business processes. This dashboard uses interactive charts to display data, such as overall performance rating by third party, third party residual risk, contract distribution by third party, and budgeted vs. actual annual engagement spend per business unit. This dashboard also features metrics for active and expired contracts to give insight on which items require immediate action.

Only users that are assigned to the Third Party: Administrator, Third Party: Executive Management, or Third Party: Read Only groups can view this dashboard.

Data feeds

Note: For instructions on setting up the feeds, see Setting Up Third Party Risk Management Data Feeds.

The following table describes the use case data feeds.

Data Feed

Description

Link Third Party Contacts to Engagement Risk Assessment

The Link Third Party Contacts to Engagement Risk Assessment data feed automatically populates the contacts linked to a Third Party Profile into the target Engagement Risk Assessment when the following criteria are met:

  1. Contacts are populated in the Third Party Profile.
  2. An Engagement Risk Assessment is linked to an Engagement record that is tied to that Third Party Profile.

The data feed can link the contacts from the Third Party Profile level, Subsidiary level, or Sub-Subsidiary level.
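The matching rule above, modelled as a small added illustration with constructed records; this is not Archer's feed implementation, and the record shapes, field names and sample contacts are assumptions. It shows both criteria being checked, the three hierarchy levels being accepted, and a re-run of the feed adding nothing twice.

```python
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = ("Profile", "Subsidiary", "Sub-Subsidiary")  # the three hierarchy levels

@dataclass
class ThirdParty:
    """One node of the Third Party Hierarchy (any of the three levels)."""
    name: str
    level: str
    contacts: List[str] = field(default_factory=list)

@dataclass
class Engagement:
    name: str
    third_party: ThirdParty  # hierarchy node the engagement is tied to

@dataclass
class EngagementRiskAssessment:
    name: str
    engagement: Optional[Engagement] = None  # None: not yet linked to an engagement
    contacts: List[str] = field(default_factory=list)

def link_contacts(era: EngagementRiskAssessment) -> List[str]:
    """Populate ERA contacts per the feed criteria; return the contacts added.
    Criterion 1: the hierarchy node has contacts populated.
    Criterion 2: the ERA is linked to an Engagement tied to that node.
    """
    if era.engagement is None:
        return []
    node = era.engagement.third_party
    assert node.level in LEVELS, f"unknown hierarchy level: {node.level}"
    if not node.contacts:
        return []
    # Skip contacts already on the ERA so a re-run of the feed is idempotent.
    added = [c for c in node.contacts if c not in era.contacts]
    era.contacts.extend(added)
    return added

# Constructed sample records (addresses are placeholders).
acme = ThirdParty("Acme Corp", "Profile", ["primary@acme.example"])
acme_sub = ThirdParty("Acme Logistics", "Subsidiary",
                      ["ops@acme-logistics.example", "sec@acme-logistics.example"])
shell_co = ThirdParty("Acme Shell Co", "Sub-Subsidiary")  # no contacts populated

era_ok = EngagementRiskAssessment("ERA-1", Engagement("Warehousing", acme_sub))
era_unlinked = EngagementRiskAssessment("ERA-2")
era_no_contacts = EngagementRiskAssessment("ERA-3", Engagement("Dormant", shell_co))
```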

Third Party Document Repository Attachment Sync

The Third Party Document Repository Attachment Sync data feed is an Archer Web Services Transporter feed that creates and updates records in the Third Party Document Repository application. Attachments included in submitted Vendor Portal assessments are linked to the corresponding Engagement Risk Assessment record in Archer. This data feed either creates new records in the Third Party Document Repository if no matching document is found, or updates existing records with the newly submitted document.

Data Dictionary

The Third Party Risk Management Data Dictionary contains configuration information for the use case.

You can obtain the Data Dictionary for the solution by contacting your Archer Account Representative (rsa.com/customersupport).