Third-Party Management

Strategic Third-Party Management: KPIs, KRIs, KCIs, and the Procurement Lifecycle

Third-Party Management is more than just contract administration; it is a strategic function that directly impacts IT efficiency and security. In this chapter of my portfolio I will highlight my experience in maximizing the value of third-party partnerships within Internal IT. Discover my analytical reports, performance metrics, risk mitigation plans, and insights into building strong, collaborative vendor relationships.

 

Effective third-party management is critical for minimizing risk and maximizing value. This section highlights my approach to monitoring and enhancing third-party relationships through strategic KPIs, Key Risk Indicators (KRIs), Key Control Indicators (KCIs), and a comprehensive understanding of the procurement lifecycle.
 

Key Areas of Focus:

• Third-Party Risk Assessment:

  • Evaluate the risk posture of the supply chain, ensuring balanced risk distribution across all tiers.

  • Assess organizational awareness of third-party threats, tracking the percentage of identified threats.

  • Ensure comprehensive Third-Party Risk Management (TPRM) coverage, including third and fourth-party risks.

  • Monitor and maintain compliance management across the supply chain, tracking and resolving any outstanding compliance checks.
     

Key Performance Indicators (KPIs):

• Risk Management:

  • Average Vendor Security Rating: Measures the overall risk level within the vendor ecosystem. Analyze trends to identify and mitigate high-risk vendor relationships.

  • % of Suppliers by Risk Tier: Enables strategic prioritization by visualizing risk distribution. Ensure granular risk tier distinctions for effective management.

  • % of Providers Failing Initial Risk Assessment: Evaluates the efficacy of risk assessment processes, identifying areas for calibration.

  • Mean Time to Complete Initial Risk Assessment: Analyzes vendor responsiveness and identifies potential process bottlenecks.
     

• Threat Intelligence:

  • % of Third-Parties Monitored with Threat Intelligence: Tracks the scope of monitoring coverage and identifies potential blind spots.

  • Mean Time to Action (MTTA) After Risk Trigger: Assesses incident response efficiency and identifies training or resource gaps.

  • Number of Incidents Reported/False Positives: Evaluates the effectiveness of threat detection and monitoring processes.
     

• Compliance:

  • Number of Third-Parties in Regulatory Scope: Identifies compliance focus areas and resource allocation needs.

  • Number of Outstanding Compliance Requirements: Tracks and resolves compliance gaps, ensuring adherence to regulatory standards.

  • Vendor Due Diligence Completion Rate: Monitors compliance progress and mitigates potential risks.

  • Average Time Between Risk Assessments: Balances audit frequency to maintain vendor relationships and mitigate evolving risks.

​

• TPRM Coverage:

  • Mean Time to Onboard (MTTO): Evaluates the efficiency and thoroughness of the vendor onboarding process.

  • % of Third-Parties Not Monitored: Identifies gaps in monitoring coverage, ensuring all high-risk vendors are observed.

  • Number of Unboarded Suppliers on Payroll: Mitigates risks associated with unboarded suppliers.

​

Key Risk Indicators (KRIs) and Key Control Indicators (KCIs):

• Utilize KRIs to proactively identify potential risks and vulnerabilities, including supplier financial stability, delivery performance, compliance, concentration, and geopolitical exposure.

• Employ KCIs to monitor the effectiveness of risk mitigation controls, focusing on supplier audits, contractual compliance, supply chain visibility, incident response time, and training certification.