12 Ongoing Monitoring Best Practices for Third-Party Risk Management

The third-party risk oversight process doesn't end when the contract is signed. Your vendors’ performance must be monitored on an ongoing basis throughout the life of the relationship. But, how should you maintain ongoing monitoring and what are the best practices to follow?

In this blog, we'll explore why ongoing monitoring is necessary to monitor your vendor's performance and to identify new or emerging risks. We’ll also identify 12 best practices and resources for ongoing monitoring.

Why Is Ongoing Monitoring So Important?

Initial risk assessments and due diligence are completed during the onboarding stage and should be repeated on an annual basis. Still, it’s important to remember that a vendor's performance or risk profile can change rapidly, so it is necessary to monitor and manage your vendors continuously. Ongoing monitoring between annual assessments will provide vital data points to ensure that your vendor meets your expectations and has an acceptable risk profile.

Ongoing monitoring is a best practice because it helps identify risk and minimize surprises throughout the vendor risk management lifecycle. But it’s also a regulatory requirement for many organizations.

12 Ongoing Monitoring Best Practices

Here are 12 best practices to keep in mind for your third-party continuous monitoring efforts:

1. Ensure data breach notification protocols are applied in their procedures and are included in your contracts.
2. Monitor consumer complaints submitted internally or from online sources such as the CFPB complaint database.
3. Create Google Alerts. Each alert can be specific to your vendor and include keywords that would cause concern if triggered.
4. Incorporate commercially available vendor risk intelligence tools and services into your monitoring process. Risk Monitoring and alert services can provide unique insight into different vendor risk domains and supplement your organization's oversight efforts.
5.  Set reminders to monitor a vendor's quarterly financial filings if it's a publicly traded company. If it's a private company, request that your vendor sends you their financial report.
6. Your organization should insist that the vendor notify you as soon as there is a change in leadership, pending litigation, or any other issue that might affect the relationship.
7. Implement regular vendor performance reviews to address quarterly performance and address any service level concerns.
8. Provide a framework for feedback from the first line of defense. Meet regularly, track concerns, and address any legitimate issues raised.
9. Leverage social media outlets. Follow the vendor on LinkedIn, Twitter, and Facebook. Have updates sent to a separate email account, so your regular email doesn't get bogged down with information.
10. Subscribe to industry articles that may highlight the vendor type.
11. Check regularly for any litigation or enforcement actions.
12. Establish regular risk reassessment and due diligence intervals to refresh risk data and ensure detailed subject matter analysis and reporting.

As part of your organization's third-party continuous monitoring process, you should record any vendor risk or performance findings as well as the required remediation. Be sure to track open issues through to completion and make sure to look for vendor risk or performance trends that may indicate new or emerging risks. If there are serious issues or red flags, inform your senior management and board of directors, especially if those issues concern a critical vendor.

Ongoing monitoring is essential for identifying, assessing, and managing your vendor risk and staying ahead of serious problems.