Hi,
To determine if a third party should be considered in a third-party risk management program, it is necessary to establish criteria for what constitutes an in-scope vs. out-of-scope vendor.
I've provided a list below to help enable you as you include those relevant third parties while excluding the others based on clear criteria:
In-Scope Third Parties
- The third party or vendor directly provides a tangible product or service to your organization or customers
- There's a written agreement detailing the product or service, cost, responsibilities of both parties, and termination conditions
- Your organization directly influences and manages the relationship
- There are documented service level agreements related to the delivery and quality of the product or service
- Invoices are provided, reviewed for accuracy, and approved before payment
- The inherent risks or the dollars spent are significant and should be actively monitored and managed
Out-of-Scope Third Parties
- Government entities
- Payee relationships
- Travel and Entertainment
- Sponsorships and donations
- Public Utilities
- Industry group memberships
Note: Subscriptions are an excellent example of an outlier because this category does not fall neatly into an either-or approach.
Regarding social media companies, if you are merely subscribing to establish an online presence and your organization will create and monitor posts, then you can probably exclude them from your third-party risk management program. However, if you are purchasing data services or placing ads, then those third parties should be in scope for your program.
Hopefully this information facilitates your decision on whether to include social media companies in your program.
I'd be interested to hear what others think!