Using Third Party Risk Management

The Archer Third Party Risk Management use case is built to enable the following processes.

[Figure: Swim lane diagram of the Third Party Risk Management use case]

The Archer Third Party Resilience Assessment questionnaire process flow is depicted in the diagram below.

Documenting Third Parties

The Archer Third Party Risk Management use case allows you to document your organization's third party relationships at three levels: third party, subsidiary, and sub-subsidiary. The Third Party Profile application is a central repository of all your third parties and includes key aspects of third party relationships, such as relationship contacts, third party external contacts, status, engagements, and risk assessments.

The Third Party Management dashboard provides the executive team with a centralized location for up-to-date reports related to third parties. Review this dashboard for critical third party information, such as third party performance, residual risks, and contracts that are active or expiring. This dashboard gives the executive team insight into which items require immediate action.

Creating Third Party Engagements

The Engagements application allows you to manage each engagement you have with a third party. A third party may provide multiple products and services to your organization, and engagements help you keep track of each unique product or service. You can also link business units to engagements to record the business context of your third party relationship. Additionally, you can upload third party documents to the Third Party Document Repository and attach them to engagements at any time.

Measuring Engagement Risk

Measure the inherent and residual risks for each engagement based on seven risk categories to evaluate third parties that may pose risks to your organization. Inherent risk is the impact and likelihood of a risk in the absence of controls and risk transfer. Measure residual risk to evaluate controls that are in place to mitigate inherent risk for each risk category. You can also generate Engagement Risk Assessments for your third party external contacts to complete, which helps you analyze residual risk and generate findings as needed. The Engagement Risk Assessments can be used with or without the Archer Vendor Portal, which is an external portal that enables your vendors to securely answer questionnaires outside of Archer.

Reviewing Third Party Engagements

Once an engagement has been evaluated for inherent and residual risks, it must go through a final approval or rejection process by the Business Unit Risk Manager and Business Unit Manager. Your organization must also monitor activated engagements throughout the engagement life cycle as expiration dates approach.