At what level do you assess the third party?

Assessing a third party across multiple levels captures how risk can vary by governance scope, location, and the function the vendor serves. At the enterprise level, you look at how the vendor fits within the organization’s risk governance, policies, and overall risk appetite. Geographic considerations focus on the places where the vendor operates or processes data—regulatory requirements, data residency, cross-border transfers, sanctions, and country-specific risks. The service or business line level examines the specific functions the vendor performs for you, the types of data involved, the criticality to your processes, and the controls tied to those particular services. A vendor may pose different risk profiles in different regions or for different services, so evaluating across all these levels provides a complete picture. This holistic view informs appropriate due diligence, contract terms, and ongoing monitoring.