Coupa Third-Party Risk Management

Request this brief on-demand demo video (7:10) to learn how Coupa helps you assess third-party risk in real time and automate risk management processes.


Watch Third-Party Risk Demo Video

Why watch this brief on-demand overview?

Learn how to:

  • Minimize the burdens from mounting regulations
  • Reveal and address third-party risks in real time
  • Quickly survey your third parties to identify potential risks
  • Eliminate manual processes and continuously monitor and mitigate risk
  • And much more.

From Business Continuity to Information Security to GDPR to Anti-Bribery/Anti-Corruption, the burdens of third-party risk and compliance management continue to mount.

With all eyes focused on you in the face of mounting regulations, Coupa helps you get a real-time view of risks from third parties as compliance requirements change.

Request this on-demand demo to learn how Coupa eliminates manual processes and protects your company from third-party risk.



How does Coupa minimize the risk from third parties?

Coupa first facilitates the process of assessing what each of the third parties to your business does, why it does it, and how it does it. This enables you to measure the amount of risk potentially associated with the companies with which you do business. Once you know who the partner is, what they do for you, and how they operate, you are set up to detect problems and reduce the risk associated with that partner. You can ensure that controls are in place to manage risk with that partner, as well as with any other parties that do business with that partner (fourth parties).

In addition, Coupa helps you to create a third-party risk assessment model for all of your third parties and fourth parties. Coupa will also guide you through the process of continuously monitoring these third and fourth parties so that you are always prepared to detect risks, should they arise. Data collection from this continuous monitoring process happens automatically so that threats can be detected as soon as possible.

Coupa also enables you to quickly and efficiently communicate risk to all of the decision makers in your organization, so that they can stay on top of changing regulations and reduce compliance costs.

What are the various risk domains that companies must consider as they seek to mitigate third-party risk?

The various risk domains include:

First, InfoSec compliance requires companies to protect sensitive information and their reputation. Companies have, unfortunately, learned all too often how important it is to maintain the security of their intellectual property, data, and other important information. By maintaining effective controls over your information and by digitizing your processes, these risks can be effectively mitigated.

A second risk domain is privacy, including compliance with GDPR (the EU's General Data Protection Regulation), which requires organizations to document all use of private information of EU residents, including where they obtained the data and how it is shared.

Anti-Bribery Anti-Corruption (ABAC) is another important risk domain. Companies are accountable for the activities of their third parties, and they may be held responsible for corrupt practices employed by companies with which they conduct business.

Another risk domain is the risk from failures to become more environmentally sustainable. The German Supply Chain Act requires that companies with operations in Germany be held accountable for any human rights violations and non-sustainable practices. It is likely that other countries will implement regulations similar to the German Supply Chain Act, exposing many more companies to sustainability risk.

What are best practices for addressing third-party risk?

First, companies must accurately assess their third-party relationships, and this information should be updated through a regular survey of third parties, ideally made simpler through automation.

Second, it is crucial for companies to manage risk proactively by communicating potential risks to all decision makers so that they can pursue corrective action to transition spend away from higher risk suppliers right away, rather than waiting for a disruption that causes the risk to surface.

Third, be sure to gather the right data. It is crucial to know which questions to ask of particular third parties, and it is thus very helpful to have domain-specific templates to gather the data you need to accurately assess risk and ensure compliance.

Fourth, be sure to manage risk across all of the risk domains, including information security, GDPR, Anti-Bribery Anti-Corruption (ABAC), the German Supply Chain Act, and others as they emerge.

A fifth best practice is developing multi-tier risk models. It is no longer sufficient to understand just the potential risks that your partners and suppliers present. You must also investigate the partners and suppliers of your own partners and suppliers.

Another best practice is to ensure that your third parties comply with contractual terms for off-boarding, such as returning sensitive data. It is ideal to have a consistent, streamlined process for termination and transitions, as well as to keep auditable records.

Finally, it is crucial to ensure that all contracts with third parties contain clauses to mitigate risk. Using a contract lifecycle management solution will help to ensure that these risk protections are included in contracts and that contract terms are updated as the potential for various risks evolves.