A Walk Through the Interagency Guidance Third-Party Risk Management Lifecycle

Three federal agencies have traditionally set the standard for effective third-party risk management. These agencies are the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC). The agencies have most notably published the Interagency Guidance on Third-Party Relationships: Risk Management. The guidance includes a simple lifecycle graphic lifecycle, with an extensive description of each component to guide third-party engagements.

Even if your organization isn’t regulated by these agencies, it’s well worth your time and effort to familiarize yourself with this lifecycle to ensure you’re following best practices. It’s also helpful to understand Venminder’s linear lifecycle, which can help simplify the process of managing third-party relationships, while still maintaining compliance. 

The Interagency Guidance Third-Party Risk Management Lifecycle

1. Planning – An organization should understand how to manage third-party risks before beginning a third-party relationship, especially when it involves critical or high-risk activities. This involves assessing the benefits and risks of the third-party relationship. Things to consider include:
   
   
   • The third party’s use of subcontractors 
   • How the third party will affect the organization’s customers
   • How the organization will assess, select, and monitor its third parties to ensure they remain 
     compliant
   • The organization’s contingency plans if it needs to switch to another third party or bring the outsourced activity in-house
2. Due Diligence and Third-Party Selection – The agencies make it clear that an organization should not select a third party without first conducting a thorough round of due diligence, which involves obtaining relevant information from the third party. This process serves two purposes:
   
   
   • Helps determine whether a third party can help an organization achieve its strategic and financial goals
   • Helps determine whether the organization can appropriately manage the third party’s risks
   
   Each third-party relationship will offer different benefits and risks, so due diligence should be based on the risk of the outsourced activity. The guidance provides a list of recommended factors to consider when conducting due diligence, including the third party’s: 
   
   
   • Business strategies and goals
   • Financial health and risk management policies
   • Information security implications 
   • Operational resilience
   • Incident management processes 
   • Reliance on subcontractors
3. Contract Negotiation – The Interagency Guidance includes several important considerations in this section that go beyond typical contract components like cost and duration of contract term. Third parties may offer a standard contract template, but an organization should consider additional provisions or modifications that will satisfy its unique needs. Those provisions may include: 
   
   
   • Performance benchmarks
   • Insurance requirements
   • Subcontracting
   • Dispute resolution
   • Data retention specifications 
   
   A right to audit clause will ensure an organization can collect certain information on request, such as SOC reports or financial and operational reviews. The guidance also suggests that an organization should think about choice-of-law and jurisdictional contract provisions when using foreign-based third parties. 
4. Ongoing Monitoring – This stage will generally include reviewing the third party’s performance and the effectiveness of its controls, as well as meeting with the third party to discuss issues related to performance and operations. An organization should regularly test its own controls to ensure they can properly manage third-party risks. These ongoing monitoring activities should be designed to do the following:
   
   
   • Confirm that the third party’s controls are effective and sustainable
   • Escalate issues or concerns such as poor financial health, security breaches, inconsistent service, and noncompliance
   • Respond to issues once they’re identified
5. Termination – Organizations must consider how to effectively terminate a third-party relationship. Termination may occur because an organization wants to find an alternate third party or bring the activity in-house, or because the contract is expiring. Termination can also occur because the activity is being discontinued or the third party has breached the contract. Whatever the reason, an organization needs to consider details such as termination costs, how to manage third-party risks that occur with data retention and destruction, and whether this termination will impact its customers. 

In addition to the five phases of the lifecycle, the guidance recommends you keep the following three items in mind:

• Oversight and Accountability – An organization’s board of directors should have ultimate oversight of its third-party risk management activities. The board of directors should provide guidance on the organization’s risk appetite, while senior management should be responsible for developing third-party risk management policies, procedures, and practices.  
• Independent Reviews – Conduct periodic independent reviews of your third-party risk management program to assess its effectiveness. Reviews should consider whether third-party risks are effectively identified and monitored, and whether the organization has enough staffing and expertise to properly manage these risks. Independent reviews will help identify any gaps or any changes that need to be made.
• Documentation and Reporting – Have a good method in place for maintaining documentation and reporting. Some details to document may include a current third-party inventory, risk assessments, due diligence results, and risk and performance metrics. The agencies recommend periodic reporting to the board, especially if the organization is dependent on a single third party for multiple activities. 

A Simplified Interpretation of the Third-Party Risk Management Lifecycle 

The Interagency Guidance depicts the third-party risk management lifecycle as a rotating circle with clearly labeled activities. Although this version is accurate, it can also create some confusion for those that may not be entirely familiar with the intricacies of third-party risk management. This circular lifecycle doesn’t clearly depict a beginning and ending, nor does it describe which activities are repeated throughout the third-party relationship. For example, termination and planning are listed side-by-side in the circular lifecycle, indicating that they repeat, but these activities are only performed once throughout the vendor relationship.

A linear third-party risk management lifecycle describes the same essential activities, but in an easier-to-follow method. This representation shows the progression of steps, which gives users a simple reference point throughout the third-party relationship. 

Here are some of the benefits of following a linear lifecycle:

• Supports regulatory expectations – Although the linear lifecycle looks slightly different, you can rest assured that it follows the same guidelines set forth in the circular lifecycle. Each component is still represented, including the foundational elements of oversight and accountability, documentation and reporting, and independent reviews. 
• User-friendly lifecycle stages – Onboarding, ongoing, and offboarding activities are clearly outlined in the linear lifecycle, giving organizations an easier way to identify which step to follow next. At any given time, your organization might have multiple third parties in each stage of the lifecycle so it’s important that stakeholders can see this represented in a simple format.
• Improved understanding of ongoing activities – Ongoing monitoring generally includes the assessment of a third party’s risk and performance, but there are other factors to consider, which are listed in the linear lifecycle. Contract renewals and periodic due diligence should also be included in the ongoing stage of the lifecycle.

Following the Interagency Guidance lifecycle is an important practice to ensure that your organization is compliant with regulatory expectations. While following the circular lifecycle is helpful, it’s worth considering referencing a more linear lifecycle that will keep your organization compliant and better prepared to consistently manage third-party risk.