Third-party Risk Management

A holistic approach can help mitigate third-party and vendor risk

As organizations gain efficiencies by shifting noncore functions to more experienced providers, they also open themselves up to new sources of third-party risk and vendor risk. What happens to employees’ Social Security numbers and bank account information when those details are shared through the cloud with a third-party payroll processor? Are you limiting with whom you share customer credit card numbers, and how securely you share them? What happens when you share data with, and rely on, third-party distributors who handle shipments from China?

These and other scenarios only touch upon the many instances where data that once may have been under your full control is now shared with other members of your business ecosystem, and susceptible to vulnerabilities in their organizations.

A holistic approach

At RSM, we take a holistic approach to assessing risks, collaborating with stakeholders throughout your organization to develop a customized approach tailored to your unique third-party strategy and business goals.

Our experienced technology risk advisors work with you, providing advice that will help you optimize your third-party risk management program. Your organization also receives the benefit of legal, financial and cybersecurity specialists who provide guidance throughout the overall third-party risk-management process. Our solutions include:

Vendor management program design. We help you develop processes, policies and procedures for all stages of the vendor life cycle.

Vendor selection and risk assessment. When you identify prospective new vendors, we can assist with due diligence, risk rating and selection.

Contract management. Here we can review various contracts to ensure that you are protecting your organization, including data-security commitments to safeguard consumer information as well as business continuity and disaster recovery agreements to ensure that vendors can fulfill their obligations to you.

Vendor monitoring routines. In addition, we can monitor vendor risk and performance, and review service-level agreements (SLAs) and system and organization controls (SOC) reports.

Common third-party risks

Our comprehensive approach to managing third-party risk and vendor risk helps you address major sources of risk, including:

Strategic risk

The risk that adverse business decisions are made, or that appropriate business decisions are not implemented, in a manner consistent with strategic goals.

Compliance risk

The risk arising from violations of laws, rules or regulations, or from noncompliance with internal policies or procedures.

Operational risk

The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This risk becomes more difficult to manage when third-party processes and systems increase overall operational complexity.

Transaction risk

The risk arising from a third party’s failure to perform as expected for reasons such as inadequate capacity, human error, technology failure or fraud. Weak controls over third-party information technology may threaten security and the integrity of data, or may result in unauthorized transactions.

Reputation risk

The risk arising from negative public opinion, for example from third-party relationships that result in dissatisfied customers, security breaches that disclose customer information, or violations of laws and regulations.

The types of risk introduced by third parties cannot be fully assessed without a complete understanding of the resulting arrangement. We can help you assess these risks and develop a comprehensive strategy to better manage them and the third-party processes that create them.

The RSM advantage

While third parties can increase productivity and provide financial benefits, you retain responsibility for their inherent risks.

We have assisted clients who need help:

  • Formalizing or improving processes and controls around third-party and vendor risk management
  • Prioritizing vendors or other third parties for initial risk assessment, data security assessment and ongoing monitoring
  • Conducting internal audits to improve or provide assurance over controls pertaining to third-party systems, vendor management and third-party data security

RSM’s experienced advisors can protect you from violating laws and damaging your reputation by helping you understand your third-party relationship risks and implementing effective controls to increase performance and compliance. We take a holistic approach and design flexible solutions that account for evolving regulatory demands, and increase visibility into your relationships.

RSM’s qualified team of technology risk consultants is uniquely equipped to provide third-party and vendor technology risk consulting services. We provide value-added, high-quality, meaningful recommendations needed to develop and execute an effective third-party risk management strategy. Through decades of successful technology risk consulting experiences, our advisors understand your business and technology requirements, while taking a holistic perspective to address your immediate and future state concerns regarding the effective use of technology across your business. Our people, depth of resources, differentiated third-party risk management methodology and experience in your industry combine to provide comprehensive and effective solutions for your technology risk consulting needs.

We welcome the opportunity to learn about your specific needs and demonstrate our ability to serve them. Please contact us today so that we might begin a conversation.