6 Key Elements of Third-Party Risk Management

When you prepare a recipe from scratch, it’s important to consider key elements that will help you get the desired results. This typically includes the ingredients, kitchen tools, and maybe even special equipment. In the same way, an organization must understand the key elements of third-party risk management to ensure that its program is effective. Without the following elements, your third-party risk management program is unlikely to meet regulatory expectations and protect your organization and customers. 

Key Elements of Third-Party Risk Management 

It’s not uncommon for some organizations to manage third-party risk with an incomplete set of processes. This may appear to work for some in the short term, but sooner or later this strategy can produce ineffective results.   

Below are the key elements of third-party risk management to consider for your program: 

1. Governance documents – A policy, program document, and set of procedures will be the foundational elements of your third-party risk management activities. These are used to formalize your rules and requirements and roles and responsibilities, while also demonstrating compliance to auditors and examiners and providing valuable information to stakeholders.
   
   Here's an overview of each document:
   
   
   • The policy should be a high-level document that describes the structure of your third-party risk management framework, outlines all requirements, and clearly spells out roles and responsibilities.  
   • The program document is more instructional, giving senior management and vendor owners or business lines information about processes that are needed to fulfill the policy requirements.  
   • The procedures are step-by-step instructions for performing a specific third-party risk management process.  
2. Senior management and board involvement – Regulators expect that senior management and the board will be involved in setting the “tone-from-the-top” for your third-party risk management program. Although their involvement isn’t expected for most day-to-day activities, they should be involved in making decisions about critical and high-risk vendors. Senior management and the board should also be reviewing third-party risk management reporting to stay informed about the effectiveness of your program.  
3. Risk-based due diligence – This element is not only a best practice that creates efficiencies throughout your program, but also a regulatory expectation. Taking a risk-based approach to due diligence refers to a basic two-step process.  
   
   First, you identify a third-party vendor’s inherent risk and criticality. Second, you use this information to guide your due diligence efforts, meaning that you only collect and review documents that are relevant to the third-party vendor’s risk and criticality. Remember that critical and high-risk engagements will require the most robust due diligence.  
4. Contract management – Your third-party vendor contract is an important tool that protects your organization from third-party risk. Contract management involves many components, such as internal planning, negotiating service level agreements (SLAs) and other provisions, and eventually drafting, approving, and executing the agreement. However, contract management doesn’t end there. It’s also important to consider how your contract will be stored and managed throughout the term and when you’ll need to conduct a formal mid-term review prior to the renewal period. 
5. Ongoing monitoring – Third-party risk management shouldn’t end after you sign the contract – there should always be an ongoing practice of identifying and mitigating risks that can harm your organization. Ongoing monitoring of a third party’s risk and performance must continue throughout the entire third-party vendor relationship. Because risks can emerge or change quickly, this is a crucial element of third-party risk management.  
6. Offboarding – Third-party risk is still present even as the relationship comes to an end, whether this ending is expected/proactive or unexpected/reactive. Offboarding helps avoid unexpected consequences such as fees, negative impacts on your customers or operations, and gaps in product/service delivery.
   
   These are the key steps to end the relationship safely and effectively:
   
   
   • Termination includes the formal notification to the third party (review your rights, causes, and timing requirements in your contract), recovering assets, destruction of data, and continued monitoring to ensure that any contractual obligations are still being met. 
   • Exit plan execution is intended to minimize the impact of the transition on your organization. Whichever exit strategy is chosen, it requires plans that are thoughtful and ideally tested in advance of actual offboarding. 
   • TPRM closure usually concludes the offboarding process. It consists of administrative tasks such as paying final invoices and updating the third-party vendor’s status in your system. 

Tips to Implement Key Third-Party Risk Management Elements Successfully 

Now that we’ve identified the key elements for third-party risk management, how can you implement them into your program? Here are a few tips to consider:  

• Identify roles and responsibilities – If you haven’t yet done so, make sure that your third-party risk management roles and responsibilities are clearly identified. This can help eliminate confusion over who should be involved in each activity and to what extent. For example, consider who should be involved in determining a third-party vendor’s inherent risk and who will be involved in reviewing due diligence.   
• Review your current processes – Before you implement any key elements that are missing, it’s a good idea to assess your current third-party risk management processes to identify other areas of improvement. Maybe your program already includes ongoing monitoring or risk-based due diligence, but these processes are too time-consuming or ineffective. Reviewing these processes after you’ve identified all of the key elements can help give you a fresh perspective on ways to improve.  
• Don’t settle for “good enough” – Continuous improvement is an undervalued strategy in many third-party risk management programs, but it’s important to not settle for the bare minimum. Just because you have all the key elements in place, remember that third-party risks are always changing, and regulatory expectations can shift to new focus areas. Case in point, artificial intelligence is likely to create new third-party risks that need to be properly managed. As a result, some of these key elements would need to be revised to address these new risks. 

The key elements of third-party risk management are intended to be consistent and applicable across most industries and organizations. However, the specific details of each element should be uniquely defined, depending on your organization’s needs. By implementing these key elements and your industry’s best practices, your third-party risk management program should be set up for success.