There are two questions here that must be asked first.
- Why is the third party out of scope
- What is the risk associated with the relationship?
For example, the relationship with a government agency is not based on your organization's need for products and services but rather is required to obtain licensing, pay taxes, etc. Therefore it is out of scope. Yes, it should be included in your third-party inventory, but with only basic contact information collected.
With office supplies, it may fall out of scope because it is low spend and low risk. However, there may be SOME risks associated with the relationship. Suppose you purchase from a small local office supply store; you may want to run an OFAC report to confirm the owners are not on a sanctions list.
The most important concept here being out of scope means the normal TPRM processes do not apply. So, suppose there is a risk (even if it is low). In that case, you may want to re-evaluate if the third party should be back in scope and following due diligence for the appropriate risk level.
Those are my thoughts on the matter, but I would love to hear ideas from other members as well.
Original Message:
Sent: 07-08-2021 02:31 PM
From: Anonymous Member
Subject: Out of Scope Third-Parties
This message was posted by a user wishing to remain anonymous
Hello!
I was wondering what information others gather for third-parties that are Out of Scope (i.e. government agencies, utilities, office supplies, etc.)? Do you only gather the documents needed for vetting, or do you dig deeper?
I am working on including how to handle Out of Scope vendors in our TPRM policy and want to make sure we are gathering sufficient documents.
Any advice would be appreciated!