Risk management is an essential part of supplier assurance.

It is not enough simply to put contractual requirements in place – you must also verify that the third parties you use actually meet their contractual and legal obligations.

For instance, if you are a data controller as defined by the DPA (Data Protection Act) 2018 and GDPR (General Data Protection Regulation), you remain accountable for ensuring that any third-party processor you use implements appropriate technical and organisational security measures, and you can face regulatory action if that processor suffers a breach.

If you need help carrying out risk assessments on third parties – whether as part of the due diligence process, supply-chain risk management, vendor risk management or third-party processor risk management – DQM GRC’s experts can help you at every step.


Risk assessment process

The risk assessment process typically entails five steps:

Establish a risk management framework

This involves defining the rules you will use to manage your risks: your baseline security criteria, your risk appetite, and the scales you will use to score the likelihood of each risk occurring and its impact if it does. Fixing these rules up front means every supplier is assessed consistently and the results can be compared.


Identify risks

The most time-consuming part of the process, this involves auditing the third party to determine the data assets it holds and the risks that might affect those assets.


Analyse those risks

Vulnerabilities should be assessed for each data asset, and impact and likelihood values assigned to each.


Evaluate those risks

Your risks should then be evaluated according to your risk appetite and the extent to which they are acceptable.


Select and apply risk treatment options

There are generally four ways of treating risks:

  • Treat the risk by applying security controls.
  • Tolerate the risk if the chances of its occurring or potential impact are small, or if treating it would be too expensive.
  • Terminate the risk by stopping the activity in question.
  • Transfer the risk by sharing it with a third party, such as by taking out insurance.

Whatever your third-party risk management requirements, we can put together a solution that suits your needs. Get in touch today to find out how we can help.