Company Playbook

Third-Party Risk Management

Document Control

Item | Detail
Document No. | POL-LEG-012
Version | 2.1
Effective from | 20 February 2026
Next review | 20 February 2027
Document Owner | HR Department
Approved by | Chief People Officer

Revision History

Version | Date | Author | Changes
1.0 | 20 February 2026 | HR Team | Initial document - format standardisation
2.0 | 20 February 2026 | AI Audit System | Standardisation of the Document Control section
2.1 | 21 February 2026 | AI Audit System | Correction of the CIRCCA values in line with the company standard

Third-Party Risk Management

Based on ISO 27001:2022 Annex A.15 (Supplier Relationships), ISO 9001:2015 Section 8.4 (External Providers), NIST Cybersecurity Framework, ISO 27002:2022 Sections 6.6 & 6.7

Version: 2.1 | Effective from: February 2026 | Next review: February 2027 | Owner: Operations + Legal


CIRCCA Philosophy

Our Third-Party Risk Management is grounded in the CIRCCA core values:

  • Curiosity: Proactively identify and evaluate the risks of every third-party relationship
  • Impact: Effective third-party risk management protects the company's operations and reputation
  • Respect: Respect security and privacy standards in every external collaboration
  • Courage: The courage to end relationships with third parties that do not meet our standards
  • Commitment: Commitment to thorough due diligence for every vendor and partner
  • Adaptability: Responsiveness to changes in risk profile and the evolving threats posed by third parties

Scope

Aspect | Description
Applies to | All vendors, suppliers, partners, subcontractors, and external service providers that work with Divistant
Coverage | IT vendors (cloud, hosting, security), operational vendors (office, equipment), service vendors (consulting, outsourcing), and business partners
Stakeholders | Procurement/Operations, Legal & Compliance, IT Security, Finance, Department Heads, Vendor Management

Definitions

Term | Definition
Vendor | A third party that supplies goods or services to Divistant in a commercial transaction
Supplier | A subset of vendors that supply raw materials or components for business operations
Partner | A third party with a long-term or strategic relationship with Divistant (reseller, integrator, technology partner)
Subcontractor | A vendor selected and managed by another vendor to perform part of the work/service
Critical Vendor | A vendor whose service is essential to business operations, or that handles sensitive data/systems, or that provides unique value
Risk Assessment | The process of evaluating the likelihood and impact of the risks associated with a vendor
Due Diligence | Thorough investigation of a vendor before engagement or contract signing
Service Level Agreement (SLA) | A written agreement on service standards, responsiveness, and remedies if the standards are not met
Data Processing Agreement (DPA) | A specific contract for vendors that process personal data, with data-protection terms

Policy Statement

Divistant depends on vendors and partners to support business operations and deliver value to clients. We believe that effective vendor risk management is critical to ensuring continuity, security, and compliance. Divistant therefore implements a comprehensive framework for vendor assessment, selection, monitoring, and management.

Every vendor must undergo due diligence before engagement, sign a clear contract with terms that protect Divistant and our clients, and be monitored regularly to ensure compliance and performance. Significant vendor failure may result in contract termination and, where damage has occurred, legal action for recovery.

[Infographic: Third-Party Risk Management, PT Divistant Teknologi Indonesia. Panels: 5 Vendor Risk Categories (Security & Privacy; Operational; Compliance & Regulatory; Financial & Commercial; Reputational); Due Diligence Process in 3 Phases (Screening, Assessment, Contracting); Monitoring & Incident (uptime SLA 99.5% critical / 99% important, mandatory Quarterly Business Review, severity response times, escalation path and termination path). The same content is set out in the sections below.]

Vendor Risk Categories

1. Security & Privacy Risks

Description: The vendor handles sensitive data or critical systems that, if compromised, could expose Divistant or our clients to a security breach.

Example vendors:

  • Cloud service providers (AWS, Azure, Google Cloud)
  • Email & communication vendors (Gmail for Business, Microsoft 365)
  • Password management & identity management systems
  • Cybersecurity vendors (antivirus, firewall, SIEM)
  • Data center & hosting providers

Specific risks:

  • Data breach due to weak security practices
  • Unauthorized access to client or employee personal data
  • Ransomware attacks causing downtime
  • Insufficient encryption or secure deletion
  • Inadequate access controls and authentication
  • Insider threats and employee misconduct

Mitigation requirements:

  • ISO 27001 certification (or equivalent)
  • SOC 2 Type II audit report
  • Data Processing Agreement (DPA) with standard clauses
  • Encryption at rest and in transit
  • Multi-factor authentication for administrative access
  • Regular security audits and penetration testing
  • Incident response plan and notification procedures
  • Compliance with relevant regulations (GDPR, UU PDP 27/2022)

2. Operational Risks

Description: A disrupted vendor service can cause business interruption, missed deadlines, or service degradation for clients.

Example vendors:

  • Internet service providers (ISP)
  • Cloud computing providers
  • Outsourced development or support teams
  • Office supplies and equipment providers
  • Logistics & courier services

Specific risks:

  • Service downtime due to technical issues or poor infrastructure
  • Delayed delivery or missed deadlines
  • Quality issues in deliverables
  • Inadequate disaster recovery and business continuity planning
  • Staff turnover causing loss of critical knowledge
  • Vendor financial distress leading to service cessation

Mitigation requirements:

  • Service Level Agreements (SLA) with clear uptime targets (e.g., 99.5% for mission-critical services)
  • Performance metrics and monitoring dashboards
  • Regular status reporting and escalation procedures
  • Business continuity & disaster recovery plan with tested RTO/RPO
  • Financial stability assessment (credit check, financial statements review)
  • Change management procedures with notification
  • Redundancy or backup vendors for critical services

3. Compliance & Regulatory Risks

Description: Vendor non-compliance with regulations can expose Divistant and our clients to legal penalties, fines, or reputational damage.

Example vendors:

  • Data processors (cloud, email, CRM)
  • Financial service vendors (payment processors, accounting software)
  • HR software providers
  • International vendors (export control compliance)
  • Vendors that handle sensitive client data

Specific risks:

  • Non-compliance with data protection regulations (GDPR, UU PDP, CCPA)
  • Violation of export control or sanctions compliance
  • Non-compliance with industry-specific regulations (finance, healthcare)
  • Tax compliance issues or incorrect invoicing
  • Employment law violations by vendor staff
  • Environmental or labor law violations

Mitigation requirements:

  • Certifications or compliance attestations relevant to the industry
  • Compliance questionnaires with specific regulatory requirements
  • Data Processing Agreement (DPA) with the required terms
  • Audit rights and access for compliance verification
  • Regular compliance audits by the internal team or a third party
  • Representations & warranties in the contract regarding compliance
  • Indemnification clause for compliance violations

4. Financial & Commercial Risks

Description: Vendor financial or commercial issues can lead to hidden costs, contract disputes, or unfavorable terms.

Example vendors:

  • Software licensing vendors
  • Hardware & equipment suppliers
  • Outsourced service providers (development, support)
  • Professional services vendors (consulting, audit)

Specific risks:

  • Hidden costs or unexpected price increases
  • Vendor insolvency or bankruptcy
  • Unfavorable contract terms or lock-in situations
  • Dependency on a single vendor with limited alternatives
  • Intellectual property disputes or IP ownership issues
  • Inadequate insurance or liability limitations

Mitigation requirements:

  • Clear pricing with price escalation terms
  • Financial stability assessment (credit check, Dun & Bradstreet rating)
  • Contract with favorable IP, liability, and indemnification terms
  • Price comparison against market rates
  • Avoid single-vendor dependency for critical functions
  • Insurance requirements in the contract
  • Payment terms that protect Divistant (e.g., milestone-based)

5. Reputational & Stakeholder Risks

Description: A vendor with a poor reputation, ethical issues, or involvement in controversial activities can damage Divistant's reputation.

Example vendors:

  • Vendors with a history of data breaches or scandal
  • Vendors involved in controversial industries or practices
  • Vendors with poor labor practices or environmental records
  • Vendors with public complaints or legal issues

Specific risks:

  • Association with a controversial vendor can damage Divistant's brand
  • Public backlash if clients learn that our vendor has issues
  • Media coverage of vendor scandals involving Divistant
  • Client concerns about ethical compatibility with the vendor

Mitigation requirements:

  • Background check and reputation assessment
  • Review of media coverage and customer reviews
  • Vendor compliance with sustainability or ethics standards
  • Contractual terms requiring ethical conduct and compliance
  • Public communication strategy if issues arise

Vendor Assessment & Due Diligence Process

Phase 1: Vendor Identification & Initial Screening

Step | Activity | Owner | Timing
1. Identify Need | The department defines the requirements for the vendor/service | Requester | Day 1
2. Search & Shortlist | Procurement searches for potential vendors and creates a shortlist | Procurement | Day 3-7
3. Initial Screening | Check basic criteria (location, size, experience, availability) | Procurement | Day 7
4. Risk Categorization | Determine the risk category (Critical/High/Medium/Low) based on the nature of the services | Procurement + Legal | Day 8

Phase 2: Due Diligence Assessment

Due diligence requirements depend on the risk category:

CRITICAL VENDORS (e.g., cloud provider, security vendor, data processor):

Assessment Item | Requirement | Method
Company Background | Company registration, ownership, financial stability | UPDATER registration check, Dun & Bradstreet, credit agency
Security Certifications | ISO 27001, SOC 2 Type II | Obtain certificates or audit reports
Compliance | GDPR/CCPA compliance, data processing capability | DPA review, privacy policy audit
Financial Health | Revenue, profitability, debt levels | Financial statements review (2-3 years)
Insurance | E&O insurance, cyber insurance | Certificate of Insurance
Reputation & References | Customer reviews, case studies, references | Online research, reference checks (min 3)
Security Practices | Encryption, access controls, incident response | Security questionnaire, SOC 2 review
Subcontractors | List of subcontractors and risk assessment | Subcontractor assessment
Legal/Regulatory | Litigation history, regulatory issues | Court records, regulatory agency checks

HIGH RISK VENDORS (e.g., outsourced support, financial vendor):

Assessment Item | Requirement
Company Background | Basic company info, financial stability check
Relevant Certifications | Industry-specific (ISO 9001, ISO 20000, etc.)
Compliance | Compliance with relevant regulations
Financial Health | Basic revenue/profitability check
Insurance | Relevant insurance coverage
References | Min 2 reference checks
Service Documentation | Service capabilities, process documentation

MEDIUM/LOW RISK VENDORS (e.g., office supplies, routine services):

Assessment Item | Requirement
Company Background | Basic company info
Financial Health | Quick credit check or payment history
Service Capabilities | Confirm the ability to deliver the requirements

Phase 3: Contracting & Approval

Step | Activity | Owner | Checklist (listed under each step)
1. Draft Contract | Legal prepares the contract terms | Legal
  [ ] Standard terms included
  [ ] Risk mitigations incorporated
  [ ] Insurance requirements
  [ ] Compliance requirements
2. Negotiation | Procurement & Legal negotiate terms with the vendor | Procurement + Legal
  [ ] Terms acceptable to both parties
  [ ] All risks addressed
  [ ] SLA defined (if applicable)
3. Sign-off | Legal, Procurement, and Department Head review & approve | Legal + Procurement + Requester
  [ ] All required approvals obtained
  [ ] Contract executed properly
  [ ] Both parties signed
4. Implementation | Vendor onboarded, access provisioned, SLA monitoring started | Procurement + IT + Department
  [ ] All setup complete
  [ ] Monitoring dashboards active
  [ ] Escalation procedures documented

Vendor Contracts & Terms

Mandatory contract clauses for all vendors:

1. Service Scope & SLA

  • Clear definition of services, deliverables, timeline
  • Performance metrics and acceptable service levels
  • Escalation procedures for service issues
  • Remedies (credits, penalties) for SLA breaches

2. Security & Confidentiality

  • Confidentiality obligations for both parties
  • Security requirements commensurate with data/system sensitivity
  • Incident notification within 24-72 hours
  • Right to audit security controls

3. Compliance & Data Protection

  • Compliance with relevant laws and regulations
  • Data Processing Agreement (DPA) if the vendor processes personal data
  • Data subject rights (access, correction, deletion, portability)
  • Cooperation in regulatory investigations or audits

4. Intellectual Property

  • Ownership of work product and deliverables
  • Licenses granted for use of vendor IP
  • Protection from third-party IP claims

5. Liability & Indemnification

  • Liability caps (usually 12 months of fees)
  • Exclusions of liability (indirect, consequential damages)
  • Indemnification for third-party claims
  • Insurance requirements

6. Termination

  • Termination for convenience with a notice period
  • Termination for cause (breach, non-performance)
  • Obligations upon termination (data return, continuation of confidentiality)
  • Wind-down procedures

7. Subcontractors

  • Prohibition of, or approval requirement for, subcontractors
  • Vendor remains responsible for subcontractor performance
  • Subcontractors must agree to the same terms

8. Change Management

  • Process for requesting changes or new services
  • Pricing for additional services
  • Change approval procedures

Specific requirements for CRITICAL VENDORS:

Data Processing Agreement (DPA) - for vendors handling PII:

  • Standard terms per GDPR Article 28 or UU PDP 27/2022
  • List of sub-processors
  • Security measures implemented
  • Data subject rights fulfillment
  • Audit rights
  • Data transfer limitations (if applicable)
  • Data deletion or return procedures

Business Continuity & Disaster Recovery:

  • RTO (Recovery Time Objective): ≤ 4 hours for critical services
  • RPO (Recovery Point Objective): ≤ 1 hour for data
  • Regular testing (at least annually)
  • Documented and tested backup plans
  • Notification procedures for major incidents

Security Requirements:

  • ISO 27001 certification or equivalent
  • SOC 2 Type II audit report
  • Encryption at rest and in transit
  • Multi-factor authentication
  • Regular security assessments (penetration testing, vulnerability scanning)
  • Incident response plan
  • Security breach notification

Vendor Monitoring & Performance Management

Ongoing Monitoring Framework:

Metric | Target | Frequency | Owner | Action if Missed
Uptime/Availability | 99.5% (critical), 99% (important) | Monthly | Vendor | Service credit, escalation
Response Time | Per SLA definition | Per incident | Vendor | Escalation, penalty
Security Audit | Annual SOC 2/ISO 27001 | Annually | Vendor | Re-assessment required
Compliance Review | Maintain compliance status | Quarterly | Legal | Remediation plan required
Quality Score | >90% (if applicable) | Quarterly | Department | Performance improvement plan
Financial Health | No deterioration | Annually | Procurement | Risk mitigation assessment
Communication | Regular status updates | Per contract | Vendor | Escalation

Quarterly Business Review (QBR):

Participants: Vendor account manager, Divistant project lead, Procurement, Legal (if critical)

Agenda:

  1. Performance review (uptime, SLA compliance, quality metrics)
  2. Outstanding issues or complaints
  3. Planned changes or new features
  4. Security & compliance updates
  5. Feedback and improvement opportunities
  6. Renewal planning (if the contract is expiring soon)

Documentation: QBR minutes are recorded and filed for the audit trail

Incident & Issue Management:

Severity Levels:

Level | Definition | Initial Response | Target Resolution
Critical | Service completely unavailable, security breach, data loss | Within 1 hour | Within 4 hours
High | Major functionality impaired, significant performance degradation | Within 2 hours | Within 24 hours
Medium | Partial functionality affected, minor performance issue | Within 8 hours | Within 5 days
Low | Minor issue, cosmetic problem, no impact to users | Within 24 hours | Within 30 days

Escalation Path:

  • Tier 1: Vendor support team
  • Tier 2: Vendor engineering team (if not resolved within 2 hours for Critical)
  • Tier 3: Vendor management (if not resolved within 4 hours for Critical)
  • Tier 4: Executive escalation (if SLA will be breached)

Vendor Risk Response & Remediation

Risk Response Actions:

If performance issues are detected:

  1. Verbal/Email Notification (within 2 days of detection)

    • Describe the issue clearly
    • Provide evidence/data
    • Request an explanation and a remediation plan
    • Set a deadline for response (3-5 days)
  2. Formal Notice (if not resolved after the initial notification)

    • Written notice of breach or non-performance
    • Specific remediation required
    • Deadline for remediation (7-14 days)
    • Warning of contract termination if not resolved
  3. Remediation Plan Review

    • Vendor submits a detailed remediation plan
    • Divistant reviews and approves, or requests modifications
    • Regular monitoring of remediation progress
    • Milestone-based verification
  4. Contract Termination (if not remediated)

    • Termination notice per contract terms
    • Wind-down period with knowledge transfer
    • Data extraction or migration
    • Final invoice settlement or disputes

If security/compliance issues are detected:

  • Immediate escalation to Legal & IT Security
  • Security incident response activation
  • Third-party audit or forensic investigation (if needed)
  • Vendor notification & root cause analysis
  • Remediation with a strict timeline
  • Potential contract termination for critical violations
  • Notification to affected clients (if necessary per contract)

Training & Awareness

Activity | Frequency | Audience | Method | Lead
Vendor Management Basics | At hire | Procurement, Operations staff | Online module | Procurement
Due Diligence Process Training | Once a year | Procurement, Legal, Department Heads | Workshop | Procurement + Legal
Vendor Risk Assessment | Twice a year | Procurement, Legal, IT Security | Training session | Legal + Procurement
Contract Review Standards | Once a year | All staff involved in vendor management | Guidelines review | Legal
Incident Response Procedures | Twice a year | All departments | Scenario-based training | IT Security + Operations

Related Policies

  • Procurement & Purchasing Policy
  • Information Security Policy
  • Data Protection & Privacy Policy
  • Compliance & Regulatory Framework Policy
  • Business Continuity & Disaster Recovery Policy
  • Incident Response & Management Policy
  • Subcontracting & Outsourcing Policy
  • Conflict of Interest Policy (applicable to vendor selection)

Contacts

Position | Name/Team | Email | Phone
Head of Operations/Procurement | Operations Team | operations@divistant.com | +62-21-XXXX-XXXX
Head of Legal & Compliance | Legal & Compliance | legal@divistant.com | +62-21-XXXX-XXXX
IT Security Manager | IT Security | it.security@divistant.com | +62-21-XXXX-XXXX
Vendor Manager | Procurement | procurement@divistant.com | +62-21-XXXX-XXXX