
Third-party risk

Many companies are gaining a competitive advantage in today's dynamic business environment by outsourcing critical business functions to third parties. But as more companies enter these relationships, their control environment is being relinquished to others. These partnerships can be critical to growth, but must be managed in an ongoing and proactive manner. Grant Thornton LLP professionals help clients address the process, technology, governance and culture to measure, mitigate and monitor third-party risk and grow their businesses with confidence.

How we can help

Organizations need to establish a framework for risk assessment that is effective yet flexible enough to recognize that not all risks are created equal. The best approach is to perform due diligence on the front end when relationships are established, as well as continuing to monitor the relationship to ensure compliance with the agreement.

A good place to begin assessing risk is by defining the risk universe. It is important to formulate a complete picture of third-party relationships within an organization by including all relevant areas of the business: internal audit, finance, compliance, legal, procurement and business operations. The information that is gathered can also feed into other governance, risk and compliance efforts, which include the formulation of the internal audit risk universe and annual internal audit plan.

There are various techniques that can be used to mitigate risk when doing business with third-party vendors, but it is important to know what level of assurance is needed. The level of assurance depends on multiple factors, including the nature of the business, your risk appetite, the type of relationship and the industry. Some risk mitigation techniques along this risk continuum are:

  • Transaction monitoring
  • Increased data analysis and reporting
  • Contract renegotiation
  • Independent reviews
  • Audits
  • Site visits
  • Questionnaires
  • Maintaining a good relationship with your third parties

A Service Organization Control (SOC) report is a common risk mitigation technique used when an organization wants or needs a high level of assurance. For this report to be useful, it is critical to know what to look for and to confirm that it addresses the right controls. If a SOC report does not meet your needs, it may be necessary to seek additional information regarding the services provided by your third parties, for example through a right-to-audit clause.

Continue to monitor these relationships to make sure the party is compliant with the agreement set forth or with any regulations with which you must also comply. It is critical to create a plan on how you will manage third-party relationships for the life of the contract.

Our fully integrated Third-party Integrity Framework offers a third-party onboarding process, including a risk assessment and due diligence process; a web-based tool to monitor transaction activity; training or ongoing management of the customized framework; and access to industry-leading specialists in fraud and corruption across a global network. It will leave you with the focus, visibility and confidence you need to continue growing your business.

Webcast replay

Third-party risk management

Learn how to manage your third-party risk effectively, confidently and efficiently.

Third-party compliance

Take a proactive approach

Companies must be vigilant in managing emerging risks that affect their third-party relationships and the contracts governing them.


Monitor third parties

We can help you mitigate the risk of third-party relationships and protect the integrity of your business while you pursue growth.