Managing Third Parties and their Risks (TPRM)
QuartzIQ allows you to perform Third Party Risk Management (TPRM) by enabling your organization to centrally document and oversee all third-party relationships. You can effectively identify, monitor, and manage risks associated with external vendors, partners, and suppliers directly within the platform.
You can also easily implement standardized, recurring assessments for third parties through customizable Control Forms tailored for various needs, such as Know Your Supplier (KYS) processes, cybersecurity evaluations, and compliance checks, ensuring robust due diligence before and during business relationships. Additionally, you can seamlessly document and track third-party controls, ensuring comprehensive oversight and streamlined compliance.
You must have the iq-thirdpartymanagement application role in order to manage third parties.
Documenting Third Parties
As stated above, QuartzIQ allows you to document and manage third parties. In order to manage third party risks, you must first create them in the platform.
In order to do so, click on the Create button in the top bar and select Third Party.
This should open a stepper with all required information to create a Third Party, such as the name, the people in the organization or even the Parent Perimeter (you can decide to create the third party in a specific perimeter in order to define with who the third party is in contact). Please note that you can also add an external contact such as the business owner once the third party has been created.
Once it is created, you should be redirected to its details page which will show all its information including the members (owner, delegates, data managers, performers), the risks linked to it, its controls, control programs, etc.
You can manage all these aspects in the same way as Perimeter. Please refer to the specific articles.
You can now also add a contact to the third party by clicking ... > Edit Contacts.
Linking Risks to Third Parties
As stated before, you can manage different aspects of the third party including its risks.
In the third party details page, you can go to the Risks tab. This will present all Risks associated with this third party.
In this tab you'll be able to add new risks with the link risks button and unlink risks.
While you can link risks to third parties, you cannot perform RCSA risk assessments on these third parties.
Creating Third Party forms/assessments
As stated in the introduction, you can also implement standardized, recurring assessments for third parties through customizable Control Forms tailored for various needs, such as Know Your Supplier (KYS) processes, cybersecurity evaluations, and compliance checks.
This is done by creating Control Forms directly within the third party.
In the third party details page, access the Controls tab and click on create Control (you must be Data Manager on the third party). You should now view all types of controls you can create in this third party. In our case, we want to create a Control Form.
Once it is created, you will then be presented with a Control Form for your specific need. You can now configure it as per your needs (KYS, cyber, etc.).
Please refer to the Control Forms article to find out how to use and customize Control Forms for your needs.