Framework for a Successful Third-Party Risk Management Program


It doesn’t matter if you’re a business leader or an architect, it’s crucial to understand that building anything requires the proper supporting structure, whether a software program or a physical building. Attempting to tackle the task without adequate planning or documentation can lead to expensive and time-consuming repairs or revisions. This is also true when developing a third-party risk management program framework.

A third-party risk management framework is the collection of rules, processes, roles, tools, and other components making up an organization’s third-party risk management program.

Step One: Identify Third-Party Risk Management Requirements

To start building your third-party risk management framework, it’s crucial first to understand the guidelines and boundaries that your organization must follow.

Here are some tips to help you develop your framework:

  • Determine applicable regulatory requirements. Check whether your organization falls under the regulation of a government entity that has released any guidelines or expectations for third-party risk management. This can serve as a starting point to develop your third-party risk management framework. Even if you’re not part of a regulated industry, it’s important to remember that industry best practices for third-party risk management have evolved from regulatory guidelines, such as the Interagency Guidance on Third-Party Relationships. Familiarizing yourself with third-party risk management regulatory requirements can help ensure your program and framework align with best practices.

Pro Tip: It's important to remember that recent regulatory guidelines have broadened the definition of a "third party" to include any entity your organization has a business relationship with. Third-party risk management is no longer limited to traditional vendors, suppliers, and service providers. It now includes other business relationships such as partnerships, fintech relationships, revenue sharing, and even subsidiaries. Therefore, formal third-party risk management is required for all such relationships.

  • Inventory your vendors. Completing this process will require effort, but it should be relatively straightforward since you’ve already determined the program's scope. Work with your accounts payable department to compile a list of vendors and third-party providers within the scope, including any pertinent information such as contract numbers and vendor owners. Be sure to document this information carefully and ensure there’s a process to keep this data current.

Step Two: Design Your Third-Party Risk Management Framework

Once you’re clear about the requirements you need to meet and how many vendors there are to manage, it’s time to think about how the third-party risk management function will exist in your organization and who will be responsible and accountable for the work. This is where the third-party risk management framework comes in.

  • Specify the model of your framework. When establishing a third-party risk management framework, a good starting point is to figure out the best way to structure the third-party risk management function within your organization. The right organizational model can ensure that resources are used wisely and that the right people are engaged.

There are several third-party risk management models to choose from:

    • Decentralized – In this model, there isn't a formal third-party risk management program or a dedicated team. Multiple stakeholders complete work. Risk assessments, due diligence, and contract management are parsed out among different departments.
    • Centralized – This model is built with a dedicated third-party risk management team or function completing the majority of work; this ensures much more oversight and accountability of all the tasks associated with third-party risk management. There’s more robust, streamlined communication between the third-party risk management team and other departments within the organization in this approach.
    • Hybrid – The hybrid approach is especially beneficial for larger organizations. Generally, it includes an organized third-party risk management office that sets the guidelines, delegates tasks to different areas, and monitors those tasks throughout the lifecycle. Individual vendor owners or managers are responsible for performing specific third-party risk management tasks and activities.
  • Identify roles and responsibilities. Once you've determined the best model for your organization, it's time to build out roles and responsibilities. In most organizations, third-party risk management responsibilities are assigned to one of three lines of risk management:

    • First line – Within the first line, duties related to third-party risk management are typically assigned to a designated vendor owner or manager (within the business unit). They’re responsible for the day-to-day vendor relationship and for managing all the risks associated with it.
    • Second line – The second line is the group responsible for the third-party risk management program which includes the development of the rules, tools, and processes that make third-party risk management possible at the organization. They’re also responsible for the coordination and oversight of required tasks, documentation, reviews, and reporting related to each stage of the third-party risk management lifecycle. The second line is responsible for reviewing and challenging first-line risk assessments, tasks, or deliverables as needed. Other stakeholders like subject matter experts are also part of the second line.
    • Third line – Typically, internal audit fulfills the responsibilities of the third line. Internal audit provides an independent and objective assessment of the effectiveness of the third-party risk management program. These audits and reviews help ensure that the program is operating efficiently and effectively and that all risks are being appropriately identified, monitored, and addressed. They also ensure the third-party risk management program complies with relevant regulations and standards. Other roles that fall within the third line include regulatory examiners and certifying bodies.

Step Three: Lay the Foundation for Successful Third-Party Risk Management

After creating a third-party risk management framework, the next step is to lay a solid foundation to ensure your program will be effective. The elements of a strong foundation include documentation and reporting, oversight and accountability, and independent third-party review.

  • Develop governance documents. This is an important first step. Governance documentation refers to a collection of formalized policies, standards, processes, and guidelines that are documented. This documentation serves as a reference for stakeholders at all levels, providing them with information on the rules, obligations, responsibilities, and procedures involved in third-party risk management at the organization. It ensures consistency in the execution of third-party risk management and helps maintain transparency and accountability.

Formal governance documents communicate responsibilities, rules, requirements, and expectations. These documents fall into three categories – policy, program, and procedures:

    1. Policy – Defines the rules and requirements of the program, oversight, and governance, and broadly describes roles and responsibilities for third-party risk management. If the organization is subject to regulations, the policy should specify applicable regulations. Policies should be reviewed and approved by the board of directors and senior management.
    2. Program – This document supplements your policy and includes specific details of your organization's third-party risk management structure, responsibilities, and tools. It details the processes used to meet the policy requirements. These documents aren’t mandatory but are considered a best practice. Your organization may wait until the third-party risk management framework is defined and the processes are stable before developing this document.
    3. Procedures – These are step-by-step instructional guides on how to perform the processes to meet the policy requirements. Good procedures are simple and easy to follow and are specific to a single process and stakeholder at a time. Procedures can be developed as processes become stable.
  • Establish oversight and accountability. It's essential to have proper oversight and accountability for the third-party risk management program. This oversight should start with the board and flow through management to the entire organization. Each individual and team should be accountable for effectively executing third-party risk management. Formal oversight mechanisms, such as regular review by a risk committee, are necessary to ensure that the third-party risk management program is working correctly and that issues are managed effectively.

Step Four: Frame Out the Third-Party Risk Management Structure

Now that you have a foundation, it's time to frame the structure of your third-party risk management program. This step can be straightforward if you follow the third-party risk management lifecycle. The lifecycle is a comprehensive blueprint that outlines the necessary third-party risk management activities, their order, and required actions.

  • Onboarding – The first stage includes the following activities, which are essential to begin a safe vendor relationship:
    • Planning & Risk Assessment – Determining both the inherent risk and criticality of a vendor is fundamental to successfully mitigating all potential outsourcing risks. Inherent risk is based on the hazards present in the product or service and relationship. Criticality pinpoints the business impact your vendor may have on your operations or customers should they fail.
    • Due Diligence – Collecting and reviewing documented evidence of a vendor's risk controls and practices is necessary to assess the sufficiency of the vendor's control environment and whether it can effectively mitigate identified risks. This information can help you decide whether to proceed with the contracting process.
    • Contracting – This process includes all the necessary activities of negotiating, drafting, approving, storing, and managing the contract. Service level agreements (SLAs) and other contract provisions will also be involved in this process.
  • Ongoing – Throughout the lifecycle, you'll want to periodically request, collect, and re-assess vendor due diligence, inherent risk, and criticality.

    • Re-Assessments – A vendor's risk must be re-assessed regularly. Data breaches or a decline in performance should initiate more frequent re-assessments. The recurring basis for critical and high-risk vendors should be at least annually. Moderate and low-risk vendors can be re-assessed less frequently.
    • Monitoring & Performance – This involves tracking and monitoring SLAs and monitoring a vendor's risk profile.
    • Renewals – A vendor contract should be formally reviewed mid-term, giving you enough time to renegotiate. However, it's also important to perform ongoing contract management by identifying gaps or issues and assessing the vendor relationship for performance standards.
    • Due Diligence – Some due diligence documents, such as insurance certificates or testing results, can expire or become invalid. Remember to track any documents that expire and request new ones as needed.
  • Offboarding – Whether your vendor relationship is closing at the end of a contract, or you need to part ways earlier than expected, you'll need to consider the following details:

    • Termination – Notify the vendor that the contract won't be renewed or you're terminating early.
    • Exit Plan Execution – An exit strategy eases the transition, ties up any loose ends, and minimizes disruption.
    • TPRM Closure – This involves administrative tasks such as updating your system, organizing the vendor documents, and paying any final invoices.

Step Five: Inspect Your Third-Party Risk Management Framework

Once your framework is established, it's important to review it on a regular basis to ensure that it’s working as intended. Even the best third-party risk management programs may need an occasional re-adjustment. Monitor your program by doing the following:

  • Solicit feedback – Managing third-party risks can pose a challenge for some individuals. If any stakeholders express concerns or face difficulties during the process, it’s essential to acknowledge their feedback constructively. By actively listening and considering their input, you can utilize it to improve the program. Communicating this to your stakeholders will also demonstrate the value your organization places on their feedback and help build trust in the program.
  • Self-audit your third-party risk management framework – Compare your program to regulatory requirements and best practices to determine if there are any gaps or issues. If you discover deficiencies, document them and create a time-bound plan to remediate the issues.
  • Mature your framework through continuous improvement – Managing third-party risks is a crucial aspect of any business, and building an effective third-party risk management framework is key to mitigating risks. While it’s no easy task, the continuous evaluation of the framework can bring about significant improvements.

Here are two tips for improving your third-party risk management framework:

  • Enable vendor managers to understand and execute their tasks with ease. In case of any challenges, it’s essential to take constructive steps such as providing additional training, adjusting workflows, or re-writing procedures to enhance their understanding and improve the overall third-party risk management process.
  • Consider third-party risk management software. If you manage your documents and records through a manual process, third-party risk management tools can help uncomplicate the process. Using a single document repository and automating workflows and reporting can streamline your process, ultimately leading to better risk management.

Developing a strong and scalable third-party risk management framework can bring significant benefits to your organization. It can help reduce the likelihood of third-party risks, minimize financial and reputation damage, and improve compliance with regulatory requirements. A well-designed third-party risk management program can also optimize resource allocation, streamline communication, and ensure accountability across different departments.
