Some companies are really focused simply on their vendors and some are focused on a broader population. In order to communicate with the business through the third-party risk management round table we came up with these definitions. A vendor is actually fairly easy to spot. Whether or not they're being centrally sourced, you pay them through accounts payable and that's a very good place to start looking to make sure that you've got them all, and it puts controls in place. For the non-vendors, which are relationships like channel partners. You may have resellers in financial services that may include financial market utilities. You could have joint marketing partners, depending on the industry. You could have a very, very large list of these non-vendor third parties.

In all sincerity, the only way you're going to find them is to come out with a good communication package and meet business by business and find out who they're doing business with, and then put in place an onboarding strategy that will allow you bring them in over time. One of the things we're finding is that back to the overall management, the vendors basically side of this can typically be managed by the business with a single overview with a risk-adjusted lens. The non-vendors, the governance and oversight, is going to be much more business specific according to the relationship. Quite often, we'll find appropriate risk management will actually be the co-manager as opposed to, say, a procurement of a third-party risk group. Onto the next slide.

If you think about how you're going to go ahead and achieve the completeness, I really wanted to help you think about some achieving it. Number one, you have to have an inventory. You must know who you're doing business with and you can reconcile them, and then if you can go to into accounts payable and make sure that new relationships don't get onboarded, and that there is a check and balance against statements of work and contracts, et cetera, because sometimes you expand a relationship without realizing you've changed the risk profile. They can be a very good friend. For the non-vendors, basically, you really have to make it much more mandatory because you're not going to see these through a central view so the partners in audit are very good partners as well. That's really a couple of tips that I have. 

This webinar was co-hosted with Linda Tuck Chapman of Ontala Performance Solutions.