
How Do You Measure Third-Party Risk?

June 06, 2014

How often do thieves use the front door to commit a robbery? I don’t know from experience, but I’ve been told that most go through a window or back door. Third parties can be the back door of a company, and increasingly the source of security failures, financial difficulties, and other problems that disrupt business for the primary organization.

Organizations large and small can have hundreds or thousands of third-party relationships—lots of windows and back doors. Each third party brings with it some level of risk. Now, companies must find a way to secure all these points of entry without breaking the bank.

The good news is that some third parties don’t require total scrutiny. Your HVAC vendor may not require the same onsite audits as your data center provider. The best defensive strategy is to match your due diligence to the level of risk of each third party.

Keep in mind that assessing third-party risk is not an exact science, but it can be measured. There are different types of risk; what we want to measure first is inherent risk, the exposure created by a third-party relationship before any controls are applied. It is the sum of relationship risk and business profile risk.

•  Relationship risk looks at the type of service a third party provides, how strategic that service is to the company, and the type of data they are handling (e.g., the data service provider versus the HVAC vendor).

•  Business profile risk focuses on who the third party is and the risk they pose. Are they financially stable? If they’re located overseas, what’s their country’s risk rating?

Once you know the inherent risk of a third party, you can place it in one of three risk tiers.

1.  Tier 1 includes strategic accounts, such as the core technology provider for an OEM. Their failure to deliver could shut your business down or a breach could cause significant legal and reputational harm.

2.  Though less critical, third parties in Tier 2 still have the power to halt business, at least temporarily—for instance, an e-mail provider or call center.

3.  Third parties in Tier 3 pose the least risk because they don’t handle sensitive data or provide services that drive revenue. Don’t forget that Tier 3 third parties do pose some risk and should not be completely ignored. Even an HVAC provider with access to the internal supplier portal can present a risk to the organization.
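To make the scoring and tiering concrete, here is a small worked model that follows the post’s definition (inherent risk = relationship risk + business profile risk, then placement into one of three tiers). It is an added example, not Optiv’s methodology or tooling. The factor names, the 1-to-5 scale, the averaging, the tier thresholds, the due-diligence lists and the three sample vendors are all assumptions constructed for illustration.

```python
"""Toy inherent-risk scoring and tiering model.

Added example, not the blog author's or Optiv's own method. Assumptions:
  * each factor is scored 1 (low) to 5 (high);
  * relationship risk and business profile risk are each the mean of
    their factors, so inherent risk (their sum) lies on a 2..10 scale;
  * tier cut-offs: Tier 1 for >= 8.0, Tier 2 for >= 5.0, otherwise Tier 3.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    name: str
    # Relationship-risk factors: what the third party does for us
    service_criticality: int   # how strategic the service is to the business
    data_sensitivity: int      # sensitivity of the data it handles
    # Business-profile factors: who the third party is
    financial_instability: int  # 5 = shaky finances, 1 = stable
    country_risk: int           # risk rating of the operating country
    internal_access: int        # e.g. access to a supplier portal or network

    def __post_init__(self) -> None:
        for factor in (self.service_criticality, self.data_sensitivity,
                       self.financial_instability, self.country_risk,
                       self.internal_access):
            if not 1 <= factor <= 5:
                raise ValueError(f"{self.name}: factor {factor} outside 1..5")


def relationship_risk(tp: ThirdParty) -> float:
    """Mean of the factors describing the service and data involved."""
    factors = (tp.service_criticality, tp.data_sensitivity)
    return sum(factors) / len(factors)


def business_profile_risk(tp: ThirdParty) -> float:
    """Mean of the factors describing the third party itself."""
    factors = (tp.financial_instability, tp.country_risk, tp.internal_access)
    return sum(factors) / len(factors)


def inherent_risk(tp: ThirdParty) -> float:
    """Inherent risk = relationship risk + business profile risk (2..10)."""
    return relationship_risk(tp) + business_profile_risk(tp)


# Assumed cut-offs, checked from highest tier down.
TIER_THRESHOLDS = ((8.0, 1), (5.0, 2))


def assign_tier(score: float) -> int:
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return 3


# Assumed due-diligence menu per tier; deeper scrutiny for higher tiers.
DUE_DILIGENCE = {
    1: ["onsite audit", "control evidence review", "contract security terms",
        "financial health review", "annual reassessment"],
    2: ["security questionnaire", "control evidence review",
        "contract security terms", "reassessment every two years"],
    3: ["baseline contract controls", "reassess only if scope changes"],
}


def due_diligence(tp: ThirdParty) -> list[str]:
    return DUE_DILIGENCE[assign_tier(inherent_risk(tp))]


# Constructed sample vendors echoing the post's examples.
SAMPLE_VENDORS = [
    ThirdParty("core technology provider", 5, 5, 2, 3, 5),
    ThirdParty("e-mail provider", 4, 4, 1, 1, 2),
    ThirdParty("HVAC vendor with portal access", 1, 1, 3, 1, 3),
]


def tier_report(vendors: list[ThirdParty]) -> dict[str, tuple[float, int]]:
    """Map vendor name -> (inherent risk rounded to 2 dp, assigned tier)."""
    return {v.name: (round(inherent_risk(v), 2), assign_tier(inherent_risk(v)))
            for v in vendors}


if __name__ == "__main__":
    for name, (score, tier) in tier_report(SAMPLE_VENDORS).items():
        print(f"{name:32s} inherent={score:5.2f}  tier={tier}")
```

The point of separating the two risk components is that a vendor can land in a higher tier on either axis: the HVAC vendor scores low on relationship risk but its portal access still contributes through business profile risk, which is why it is not ignored entirely. Keep the weights and thresholds in one place so they can be reviewed and tuned rather than buried in spreadsheets.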

Once you’ve categorized each third party into a risk tier, you can do the right amount of due diligence for that third party. No need to assign a guard dog to the small basement window if thieves don’t even know it’s there.

At the same time, you still want to make sure common business controls are in place before signing the contract—like a padlock on the basement window. You can also reduce risk by requiring higher-risk third parties to strengthen security controls or change contract terms.

In another blog post, we’ll discuss when to review the security controls of a third party and how in-depth they need to be. Your organization deserves the best level of protection possible; however, you don’t want to go out of business providing it.
