Venminder’s State of Third-Party Risk Management 2023 webinar on February 7 covered the results of our annual industry survey. During the session, we had a lot of great questions from the attendees come in, and felt it would be beneficial to collect and share the answers.
State of Third-Party Risk Management Questions and Answers
Below you'll find the questions asked during the session and our expert's responses:
Q1: Do you have metrics on vendors per vendor manager?
Answer: We don't offer specific metrics on this because several variables must be considered. These would include the risk level and criticality of the vendors under management, the complexity of the product or service, the vendor owners' vendor management experience and skills, and what other responsibilities the vendor owners have outside of third-party risk management. Another consideration will be if vendor risk management tasks are automated through a system or are manual and the third-party risk management model used by the organization.
Q2: What other significant costs are there for a third-party risk management program besides salary/benefits?
Answer: Cost may include third-party risk management software fees, external subject matter expertise, subscriptions to risk alert and management services, third-party risk management conferences or training, etc.
Q3: Is there a listing of top 10, for example, key risks to consider with vendors?
Answer: In no particular order, here is a list of key risks to consider with vendors:
- Business continuity
- Regulatory and compliance
- Environmental, social, and governance (ESG)
- Supply chain risk
Q4: When you say third-party risk management, does that include Procurement, Legal, Privacy, and Third-Party Security? Or is it a separate team that manages all these areas?
Answer: Your organization needs to determine how it will define third-party risk management. However, typical third-party risk management teams do not include all the other departments. Usually, it’s a separate team.
Q5: Is a third party allowed to provide their due diligence of their third party?
Answer: That depends on the type of non-disclosure agreement (NDA) your third party has with a fourth party. Some organizations enact a three-way NDA, which would allow your vendor to share their due diligence information with other organizations. However, this is not a typical scenario. I would expect that your third party should be able to prove they did perform due diligence and share the results of that process.
Q6: How many critical vendors should an enterprise ideally have (e.g., 10% of total vendors)?
Answer: Generally speaking, that number is around fifteen percent (15%). What you want to keep in mind is that your critical vendors are the ones that are absolutely mission critical to running your day-to-day operations, so if you’re finding that you have a larger percentage, then that’s a good indicator you need to review your criteria and review the vendors that were deemed critical. Remember, these vendors take a lot of time and resources to manage. You should be updating your board on those critical vendors too, as there’s a lot at stake with critical vendors. Ultimately, the most important thing is not the percentage, but that they have been correctly identified.
Q7: What kind of risk assessments should be performed on a vendor?
Answer: Vendor risk assessments should be reflective of the risks identified in the inherent risk assessment. For example, if you know the vendor would require access to personally identifiable information (PII) as part of their service, you would need to assess their cybersecurity practices.
Q8: What are some examples of metrics that you can implement to measure the health, stability, and effectiveness of your third-party risk management program?
Answer: Internal compliance; the percentage of due diligence and risk re-assessments completed on time; the percentage of vendor contracts that contain required terms and conditions; the ratio of high-risk and critical vendors to third-party risk management team members; etc.
Q9: Can you define a centralized model?
Answer: A centralized model in risk management is where all the third-party risk management roles and responsibilities take place within the same department. For example, in a hybrid model, you have a third-party risk management team that owns the framework and sets up all the rules, processes, and requirements and then the individuals in the line of business are managing those vendor relationships. In a centralized model, you probably have a third-party risk management team setting up everything, but you may also have dedicated individuals responsible for managing that vendor risk. The last model mentioned, decentralized, is where there are bits and pieces all over the organization.
Q10: When you say third-party risk management program, is that vendor management or entire risk, taking into account enterprise risk management (ERM), compliance, information security, etc.?
Answer: Third-party risk management focuses solely on the risks posed to you and your organization through your third-party relationships. Third-party risk management is often a subset of ERM or compliance.
Q11: Are you able to provide examples of a primary tool (dedicated tool) that is used for managing vendor risk?
Answer: There are many third-party risk management software solutions that are designed to help organizations manage their third-party risk management processes. Venminder is an example of such a tool.
Q12: What are the benefits of residual risk if we want to be more conservative?
Answer: Not sure I fully understand, but will try to answer this question. With residual risk, it’s only an indicator of how confident you are in your controls and if the risk remediation has been satisfactory. For example, if your inherent risk is high and you put in place controls and you consider all the risk management practices of the vendor and it still comes out as high risk, at that point you need to determine if you’re comfortable with that level of risk, or, if more or different remediation efforts are necessary. When it comes to being more conservative, your organization sets its own risk appetite and your residual risk. It shouldn’t shift your position there. It should just reinforce you’re making the right choices.
Q13: What are the top two questions to ask on your vendor questionnaire?
Answer: I am not sure there are a top two. The vendor questionnaire should ask various questions about the vendor's risk management practices and controls. Often, these questionnaires are divided into sections such as regulatory, cybersecurity, business continuity, financial, and more. The vendor should respond to all questions pertaining to the inherent risks of the product or service.
Q14: What are some of the success measures or metrics to measure the maturity of your third-party risk management program in the first line of defense?
Answer: Internal compliance; the percentage of due diligence and risk re-assessments completed on time; the percentage of vendor contracts that contain required terms and conditions; etc.
Q15: At the bank, you’ll find that business units consume the services of third parties without a contract as this is owned by the group. Would it be beneficial to include these third parties on the business unit inventory?
Answer: Yes, absolutely.
Q16: How should we effectively manage resellers vs. vendors? Can you share best practices around how to collect due diligence on the vendor providing the service in these cases?
Answer: Using your inherent risk assessment, you should be able to identify the specific risks associated with the product or service and scope your due diligence accordingly. It does not matter what the product or service is; your standardized inherent risk assessment should be applied.
Q17: Where in the lifecycle would you want to measure for environmental, social, and governance (ESG) and diversity, equity, and inclusion (DEI)?
Answer: You would want to identify their ESG and DEI practices during initial due diligence and monitor them as a regular part of your ongoing monitoring.
Q18: What is the most common third-party finding from an auditor?
Answer: It is difficult to say, but a very common finding is that the actual third-party risk management activities do not match the requirements in the policy.
Q19: Is there a good site that we can go to for determining if a vendor is a minority, woman, and disabled veteran owned business enterprise (MWDVBE)?
Answer: You can Google "MWDBE directory" and there are multiple city, state, and national directories. The best way to determine if a vendor holds that certification is to ask them for their certificate and the issuing agency.
Q20: Are there specific certifications that are essential for third-party risk management?
Answer: Various organizations issue certifications; however, they each have different prerequisites, fees, and time commitments. It’s recommended you do an internet search to find the certification that best aligns with your needs.
Q21: For supply chain disruption, how do you adequately capture and remediate concentration risk when dual vendors are not economically feasible?
Answer: I wish I had an easy answer here. The truth is that your organization may need to accept the risk if other alternatives are not possible.
Q22: Regarding ESG, there are 25 state attorneys general suing to block the ESG requirements. How much and how are folks treating ESG? Any suggestions?
Answer: The final ESG rule, Prudence and Loyalty in Selecting Plan Investments and Exercising Shareholder Rights, was finalized in November by the Department of Labor (DOL), permitting retirement plan fiduciaries, such as 401(k) plan sponsors, to consider climate change and other ESG factors when they select investment options and exercise shareholder rights, such as proxy voting for plan-held securities. This is specific to retirement plans only and should not impede any ESG objectives your organization has. Remember, investors, employees, and the general public are the primary drivers of ESG transparency and reporting.
Q23: What regulators require third-party risk management? I am aware that third-party risk management is best practice, but not sure as a regulatory requirement.
Answer: The financial services, healthcare, insurance, and fintech industries all have specific regulatory requirements they must comply with. A quick internet search will help you determine if there are specific regulatory requirements for your industry and what they are.
Q24: How do you suggest we stay on top of industry news?
Answer: The most basic way is to set up internet news alerts for the vendor company name and industry. Admittedly, this can be cumbersome and time-consuming. That is why we suggest investing in vendor risk monitoring and alert services that can be narrowed down to the most relevant information and data.
Q25: In my organization, third-party risk management provides information but does not "approve" vendors. What is the best practice?
Answer: The best practice is to standardize the requirements and processes so that third-party risk management can confirm the requirements have been met before the business formally enters the relationship. Ultimately, third-party risk management should confirm the requirements and the business should decide whether to move forward or not.
Q26: Do you have any program benchmarking information? Our program is going through internal benchmarking and I’m wondering if you have recommendations on what to measure against.
Answer: It would depend on what the objectives of the benchmarking are. There are many studies around third-party risk management best practices. Our annual State of Third-Party Risk Management survey is one, but there is no specific standard benchmark. My suggestion is that your benchmarks reflect any third-party risk management regulatory requirements for your industry and how well your organization meets those requirements.
Q27: Is there an industry standard definition of what makes someone a vendor?
Answer: By definition, a vendor is any organization or individual that provides your organization (or its customers on your behalf) products or services.
Q28: Ideally, what division or department should third-party risk management report to?
Answer: I think the key word here is ideally. We need to remember that all organizations are structured differently, but in a perfect world, third-party risk management should report up to your general risk division, whether that’s enterprise risk or layered under compliance, and the reason for that is enterprise risk is looking at what’s going on across the organization and external influencers as well. That’s what third-party risk management is doing, just in a different way. One of the reasons I advocate for third-party risk management to report in to risk divisions is because it’s a risk discipline and it needs to have a seat at the table for risk committees, etc. However, there are plenty of organizations that have a third-party risk management team that reports to Finance or Information Security. It’s most important that there is a clear third-party risk management structure and that they’re getting the right amount of support, no matter where they sit in the organization.
Q29: Should we be conducting full risk assessments on fourth parties (e.g., make them fill out a risk survey, gather their documents, etc.)?
Answer: With fourth parties, you need to remember that you do not have a direct relationship with them. Meaning, you do not contract with the fourth party, so it’s not very likely that they will turn over information to you. Second, it’s not your role to be assessing your fourth parties. That is the responsibility of your third party. When considering all fourth parties, one thing we really need to understand is how our vendors manage their third-party risk. Look at their controls and practices, and for those fourth parties, especially ones that provide services that are critical to your vendor’s ability to provide services to you, you want your third parties to show risk assessment and due diligence results plus monitoring for those vendors. There are rare cases where you can work with your vendor to conduct additional due diligence, but remember, it’s always the responsibility of your third party to manage their vendors. It’s your responsibility to make sure they are doing that in a way that is acceptable to your organization. To answer the question: no, you shouldn’t be asking for them or sending anything directly to your fourth party.
Q30: It is the business practice at my company to formally review and re-issue policies every two years. Will we get in trouble if we put the vendor risk policy on that schedule, or do we have to do it every year?
Answer: In regulatory requirements, they do recommend and request that you’re reviewing and updating on an annual basis; however, if your entire organization has a different structure, it may not make sense for you to open the apple cart just for one policy. I would recommend discussing with your senior management team. Mention the requirement and ask them if you should be doing this off cycle. Also, reiterate other regulatory requirements (e.g., once a year, the board should be getting an update on third-party risk management). Regarding your defined structure, I think you can articulate that to an auditor or examiner. But still, what’s more important is that if there are significant changes in your organization or material regulatory changes or updates that you do an off cycle review of that policy, and if at all possible, try to get to that annual review cycle.
Q31: Should third-party risk managers be the ones to identify what controls vendors need?
Answer: No, they don’t need to be the ones to identify the controls. The controls should be identified by the subject matter expert as part of the vendor risk assessments. The vendor owners need to make sure their vendors are participating by returning due diligence questionnaires and providing the most updated due diligence documentation.
Q32: We don’t have any program metrics right now but want to develop them. What is the best way to do that?
Answer: First, it’s important to understand the objectives your organization has for third-party risk management. You also want to look at metrics that support regulatory compliance. Consider the following questions, too: Are you doing due diligence and risk reviews? Are you managing vendor performance, etc.? Overall, there’s a lot to consider. However, I’d recommend you identify 3-5 of your organization’s objectives and cascade down from that. Look at the steps in the third-party risk management lifecycle that you can measure. You can look at things like internal compliance, the ratio of vendors to the third-party risk management team, and more. There are all kinds of ways to do it, but you do need to take a top-down approach.