Third party harassment risk assessments are different.
When risk sits within your own workforce, you have direct control. You set standards. You train. You manage performance. You investigate. You apply consequences.
When risk sits with customers, clients, patients, audiences or suppliers, control looks very different.
So the real question becomes: how do you control the uncontrollables?
That is the tension at the centre of third party risk.
You cannot control how a patient behaves at 2am in A and E.
You cannot control how a customer behaves in a shop.
You cannot control every driver employed by a car firm your organisation uses.
But you can influence. You can design. You can anticipate. And you can evidence your reasoning.
That is what a credible third party harassment risk assessment must show.
Third Party Risk Requires Different Thinking
With internal risk, the assessment is often about behaviour standards and enforcement.
With third parties, it is about exposure and influence.
You are assessing:
- Where are our people exposed to external behaviour?
- When does risk increase?
- What influence do we realistically have?
- What steps are available to us, even if we cannot control the individual?
This is why third party risk assessments require more reasoning.
Not because the solutions are always complex. Often they are not. But because you need to show you have thought carefully about limits of control and still acted proportionately.
A generic line in a risk register stating “harassment risk low” will not demonstrate that.
How Do You Control the Uncontrollables?
You start by separating control from influence.
You may not control the third party. But you often control:
- The environment
- The supplier relationship
- The contract
- The response protocol
- The support given to your people
- The consequences within your gift
That distinction is critical.
If challenged, the question will not simply be “did something happen?”
It will be “how did you assess the risk and what did you do about it?”
Your reasoning becomes the centrepiece.
What This Looks Like in Practice
Work Transport and Supplier Relationships
If your organisation uses a car service, you cannot directly control the drivers.
But you probably have a relationship with a specific firm. You may have procurement standards. You may have preferred supplier arrangements.
So your risk assessment should ask:
- Do we require behavioural standards within supplier contracts?
- Do we expect driver training as a condition of business?
- Is there a clear route to report concerns?
- Can a driver be removed from our account?
- Are colleagues travelling alone late at night?
You cannot put a badge on someone saying “do not harass me”. But you can set conditions for who provides the service and how complaints are handled.
That is how you influence the uncontrollable.
A and E Departments and High Stress Environments
In an A and E department, patients cannot be controlled.
But exposure can be anticipated.
Risk may increase during:
- Late night weekend shifts
- Periods of long waiting times
- Situations involving intoxication
- Understaffed periods
So proportionate steps might include:
- Clear signage about unacceptable behaviour
- Team members knowing exactly what to do if something happens
- Ensuring no one is left alone with an intoxicated patient where avoidable
- Immediate escalation pathways
- Visible leadership support
The controls are often practical rather than complicated.
What matters is that your assessment shows you identified predictable pressure points and responded deliberately.
Retail and Public Facing Roles
In a shop, customers are not within your employment structure.
But risk is still foreseeable.
Your assessment might consider:
- Times of day when risk increases
- Whether certain colleagues are consistently exposed alone
- Whether security presence is required
- Whether clear behavioural signage is displayed
- Whether banning procedures are understood and applied
Again, you cannot control every customer. But you can shape the environment and the response.
The difference between exposure and protection often sits in those small, deliberate decisions.
Why the Reasoning Matters More
With internal risk, the existence of training and policy can sometimes demonstrate reasonable steps.
With third party risk, the reasoning behind your choices becomes more important.
You need to be able to explain:
Where was the exposure?
What influence did we have?
What steps were realistically available?
Why did we choose these controls?
How do we review this as circumstances change?
Under the framework of the Equality Act 2010, tribunals already examine whether employers took reasonable preventative steps. The strengthened duty makes third party exposure more explicit.
The expectation is not perfection.
It is thoughtful, proportionate action based on the reality of your environment.
What Will Not Stand Up
Third party risk assessment will fall short where:
- It relies on values statements instead of analysis
- It assumes low reporting equals low risk
- It treats third party behaviour as outside organisational responsibility
- It identifies risk but fails to implement mitigation
- It is completed once and never revisited
A document without reasoning will not carry weight.
A document that shows you have asked “how do we control the uncontrollables?” and answered it practically, will.
Third party harassment risk is not about controlling behaviour you cannot control.
It is about recognising exposure, understanding influence and designing proportionate safeguards.
When challenged, your organisation will need to show not just that something was written down, but that leadership thought carefully about foreseeable risk and acted accordingly.
If you would like support reviewing or strengthening your third party harassment risk assessment, we can help you build a framework that is practical, defensible and grounded in the reality of your workplace.
Visit Tell Jane to learn more about our services.
