Third-party risk management is the process and practice of identifying, assessing, managing, and monitoring the risks posed to your organization and customers through external business relationships. Although the concept of third-party risk management, sometimes referred to as TPRM, may seem straightforward, its execution involves a complex set of interconnected processes and multiple stakeholders.
To gain a deeper understanding of what third-party risk management really entails, it’s important to learn more about its key components, roles and responsibilities, and the governance and oversight necessary to protect your organization and customers from third-party risks.
Table of Contents
Third-Party Risk Management Basics
The Purpose of Third-Party Risk Management
Third-Party Risk Management Roles and Responsibilities
Third-Party Risk Management Processes and Documentation
Implementing and Maintaining Effective Third-Party Risk Management
Third-Party Risk Management Basics
There are two common questions people often have about third-party risk management. Let’s review these concepts before we cover TPRM roles and processes.
What is a third party?
Third parties are the external businesses that provide products and services to your organization or customers. These relationships also include consultants, financial partners, landlords, staffing firms, etc. Third parties are also known as vendors, suppliers, and service providers.
Third-party risk management extends beyond just the third-party vendors with whom you have a direct contract. There are also fourth and nth parties to consider in your TPRM program. Fourth parties are the subcontractors of your third parties, or your "vendor’s vendors." They provide products and services directly to your third parties and, indirectly, to your organization and customers. Fourth parties don’t have contracts with your organization.
What are third-party risks?
Third parties can expose your organization to many different risk types, including:
- Compliance – Your organization can be held accountable if your third-party vendor fails to comply with certain laws and regulations.
- Cybersecurity – A third party’s ineffective security controls can increase the potential for cyberattacks, putting your data at risk for a breach.
- Operational – Occurs when internal processes, people, controls, or systems of the third party are ineffective. External events like natural disasters or cyberattacks can also impact your third-party vendor and create operational risk.
- Reputational – The third party’s actions, lawsuits, data breaches, and more can harm your organization’s reputation.
- Strategic – Your organization can face strategic risk when the third party’s decisions and actions don’t align with your strategic objectives.
Some third-party vendors can expose your organization to more than one risk. For example, a third party that interacts directly with your customers would expose you to both compliance and reputational risk. If your third party is underperforming or violating consumer regulations, your organization’s reputation can be damaged.
The Purpose of Third-Party Risk Management
- Regulatory expectations: Regulatory expectations are a key driver of many third-party risk management programs. It’s essential to follow all applicable regulatory requirements, laws, and rules because they’re in place to ensure that organizations and customers are protected from unnecessary risks.
The Interagency Guidance on Third-Party Relationships is one of the better-known regulations on third-party risk management, but third parties are also referenced in HIPAA and different National Credit Union Administration (NCUA) guidelines. Failing to adhere to your industry’s guidelines can result in severe consequences, depending on the violation. A mild violation may simply result in an official notice with a deadline to correct the issue. In other cases, the penalties may be far harsher, such as heavy fines or suspension of business activities. Even if your organization isn’t in a regulated industry, it’s recommended to read and understand key regulations, as these often shape TPRM best practices.
- Risk mitigation: Aside from regulatory requirements, perhaps the most obvious purpose of third-party risk management is to protect your organization and customers from third-party risk. These risks can create many negative consequences, such as data breaches, operational disruptions, reputational damage, and financial loss.
- Cost and quality control: TPRM processes can be used to ensure a third party’s performance is as expected and delivers the anticipated value to your organization. Effective TPRM processes, such as inherent risk assessments, due diligence, appropriate contract requirements, and monitoring a third party’s risk profile and performance, can help reduce the likelihood of costly rework and regulatory fines.
- Incident management: Maintaining or resuming operations after a business-interrupting event is essential. Effective third-party business continuity and disaster recovery (BC/DR) planning is key to keeping your doors open, your business running, and your reputation intact. By having clearly detailed third-party BC/DR plans in place, your organization can lessen potential negative impacts and resume operations sooner. You must be particularly attentive to the BC/DR plans of critical third-party vendors, which your organization depends on to maintain operations, meet regulatory requirements, or provide essential products and services.
Third-Party Risk Management Roles and Responsibilities
Third-party risk management involves several roles and responsibilities, which can vary depending on the size and structure of your organization. Some of these third-party risk management roles may not be designated to a single person or team and may instead overlap with other positions or can even be found outside of your organization.
Primary roles and responsibilities within third-party risk management include:
- Third-party or vendor risk management team: The person or team assigned with the responsibility of maintaining the third-party risk management framework within the organization. The TPRM team is in charge of overseeing all the processes, requirements, rules, and tools necessary to manage third-party risk effectively. They have the responsibility of ensuring the TPRM policy, systems, workflows, documentation, and processes are executed correctly. Additionally, they’re responsible for issue management and reporting their findings to senior management and the board.
- Subject matter experts (SMEs): To effectively manage risks associated with third-party vendors, your organization needs to engage SMEs for formal third-party risk reviews and controls assessments. Through their assessments, SMEs can determine if the controls are sufficient to manage identified risks. For these reviews to be reliable, SMEs must possess professional certifications and credentials specific to their risk domain, so they’re capable of providing qualified opinions on the third party's risk management practices and controls.
- Business units or lines of business: The business units identify and engage potential third parties and manage them in accordance with third-party risk management program requirements.
- Third-party or vendor owner/manager: The third-party or vendor owners are the individuals responsible for managing the third-party relationship, and they usually sit within the business unit or the line of business. As these individuals essentially own the risk associated with third-party relationships, they’re responsible for completing all required TPRM activities on time and at the expected level of quality.
Some of the activities include completing inherent risk assessments, creating exit strategies and plans for critical and high-risk vendors, managing vendor performance, and monitoring vendor risk. They’re also responsible for ensuring vendor issues are remediated effectively and on time.
- Board of directors: The board of directors is responsible for setting the "tone-from-the-top" and ensuring senior management and the organization effectively execute the third-party risk management program. They also approve the TPRM policy and regularly review the program's effectiveness.
- Senior management/leadership: Your organization’s senior management ensures third-party risk management is a top priority. They hold stakeholders accountable for fulfilling their roles and responsibilities, address concerns, review and approve the policy, and assess whether the risks in the vendor portfolio are acceptable. They are also responsible for making sure there are sufficient resources, including budgets, tools, technology, and qualified staff to effectively manage third-party risks.
- Internal auditors: Internal auditors thoroughly review the third-party risk management program to ensure compliance with relevant regulatory requirements, industry best practices, and the organization’s TPRM policy.
The audit team examines the program in detail, identifying inconsistencies or gaps that may pose a risk to the organization's operations, assets, or reputation. Once identified, these issues are reported to senior management and the board for appropriate action. The internal auditors work closely with management to ensure any necessary corrective measures are implemented in a timely and effective manner.
- External auditors and regulatory examiners: External auditors and regulatory examiners have the role of ensuring compliance with laws and regulations. They review policies, records, and governance documents to assess if the organization is following set guidelines. If there are any violations, they recommend corrective action. If they discover problems, regulators have the power to issue enforcement actions such as written warnings, penalties, fines, and even cease and desist orders.
Third-Party Risk Management Processes and Documentation
To ensure compliance with regulations and best practices, it’s crucial to adhere to the third-party risk management lifecycle. This framework serves as a roadmap to ensure all necessary risk identification, assessment, mitigation, and management activities are carried out in the correct sequence and at the appropriate time.
The lifecycle contains three distinct stages of any given third-party relationship: onboarding, ongoing, and offboarding. It’s supported by a foundation of governance, which includes oversight and accountability, reporting and documentation, and independent review.
Key Third-Party Risk Management Practices:
- Inherent risk assessment: Risk is naturally present with every product or service provided by a third party. An inherent risk assessment is the internal process of identifying, assessing, and quantifying the types and amounts of risk in every third-party relationship before any controls or precautions are applied. These internal assessments should always result in a risk score or rating, usually on a scale of low, moderate, or high. The third party’s rating and criticality inform your scope of due diligence, contract requirements, and the intensity and frequency of risk and performance monitoring.
- Determining criticality: Criticality reflects the business impact on your organization should the third party fail or go out of business. Products and services necessary to sustain your core operations, interface with your customers, or support your organization’s ability to comply with regulatory requirements are all examples of critical third-party relationships. Every third party should be rated as either critical or non-critical. Reporting on critical third-party vendors should be provided to the board of directors regularly.
- Due diligence: This process helps determine if the necessary controls are put in place to manage the third party’s identified risks effectively. In other words, due diligence is like doing your homework to ensure you’re confident in your knowledge of the risks and that the third party has done the work to mitigate them. Due diligence typically involves collecting data and documented evidence of controls from the third party. The third party’s information is reviewed, and their controls are assessed by a credentialed SME. The SME will then provide a qualified opinion regarding the sufficiency of the controls.
Once due diligence is completed, you can determine if the residual risk (the risk remaining after the application of controls) is acceptable and within the risk appetite. If it is, then you can begin executing a contract. If not, more controls or different controls must be applied, reviewed, and verified. If the residual risk is too high, your organization may decide to decline the third-party engagement. Due diligence should always be completed before contract execution to ensure known risks are mitigated before entering into the relationship.
- Contracting: Contracts are an essential risk management tool. Not only do they spell out the roles, responsibilities, and expectations for both parties, but they also can be used to enforce specific risk management practices such as business continuity planning, information security, privacy, and legal and regulatory compliance. Once executed, contracts must be managed appropriately, including a mid-term contract review that can help the organization decide if they want to renew or exit the contract or determine if re-negotiation is necessary.
- Ongoing monitoring: It’s important to remember that information gathered during due diligence only represents a point in time. Risk changes over time, and risks can emerge or evolve due to external changes such as regulatory updates, changes within the industry, consumer preferences, or due to a third party’s declining financial health. It’s essential to monitor your third party’s risk profile constantly and consistently. Third-party performance is another key area to monitor. Your organization needs to be sure that the third party meets all contractual obligations and is delivering the anticipated value.
- Periodic risk re-assessment: Controls that were sufficient once may become inadequate over time. The risks of a specific product or service can also change. A periodic risk re-assessment involves reviewing and validating the inherent risk assessment. Additionally, you’ll need to ask third parties to review and update risk questionnaires and provide refreshed due diligence documentation to validate that controls are still in place and sufficient to mitigate known risks.
Note: Keep in mind that some due diligence documents have an expiration date that will not match your periodic risk review dates. It’s essential to track expiration dates and request new documents before the old ones expire. The periodic risk review will require an additional SME review if there are new risks or changing controls.
- Offboarding: Your third-party relationship may need to end, whether it’s the natural conclusion of the contract or due to poor performance. The offboarding process must lead to a safe and sound exit. This starts with having an exit strategy where your organization determines what to do if the contract needs to end. Some options include bringing the activity in house, transitioning the work to another third party, eliminating the activity, or some combination of those options.
Once you’ve established your strategy, you need a documented plan to define responsibilities for the third party and your organization, an outlined timeline for completion, stakeholder communications, and a list of tasks and activities that need to be completed. Your exit plan should also contain contingency plans in case the third party cannot or will not fulfil their obligations.
Third-Party Risk Management Documentation
Third-party risk management programs require a variety of documents to clarify rules and expectations, outline specific processes, and illustrate procedures and evidence controls. The following are key pieces of TPRM documentation every program should have:
- Policy: Your third-party risk management policy serves as the foundation of your program. It should outline the scope of the program and reference the external regulatory expectations, laws, and rules that govern the program. An effective policy includes expectations and requirements for stakeholders, roles and responsibilities, oversight and governance structures, and how exceptions (if permissible) are made.
Note: Policies aren’t meant to be detailed procedures, but instead provide an overview of the program’s scope, requirements, and governance. The policy should be reviewed and approved by the board and senior management at least annually.
- Program document: Program documents should define the processes used to support the requirements in the TPRM policy. While not a requirement, program documents can be extremely useful for providing more detailed information on third-party risk management processes, roles and responsibilities, process timing, and ownership. Program documents can serve as a playbook for your stakeholders, informing them of how activities flow and work together, illustrating key approvals, and describing how issues are managed and who to contact if there are problems.
- Procedures: These are meant to provide specific information on how to perform the processes described in the program document. Effective procedures address one process at a time and are specific to the stakeholder or team utilizing the procedure. Simple how-to instructions should be utilized to ensure anyone performing the process can generate the desired outcome consistently. Procedures should be reviewed and tested before they are published and be updated any time process steps or approval requirements change.
- Third-party due diligence documentation: It’s important to retain any documentation used in the process of making decisions about your vendors. This includes third-party or vendor risk questionnaires, due diligence documents, and the controls assessments provided by your SMEs. Auditors and examiners will ask for and review these documents.
- Contracts: Executed contracts and legal agreements must be retained and managed. Contracts and legal agreements must also be organized and accessible for easy review.
- Evidence of TPRM processes: If requested, you must provide auditors or examiners documented evidence of your processes. This could include inherent risk assessments, communications to and from your third parties or stakeholders, third-party risk questionnaires, due diligence documentation, and risk assessments, as well as documented performance management scorecards or reports, third-party presentations, documented exit strategies, etc. Any reporting provided to the board or senior management should also be retained.
- Issue management log: A documented inventory of issues, remediation plans, timing of remediation, accountability, and remediation statuses is an essential piece of documentation.
- Other documents: It’s also necessary to document specific components of your program such as the methodology used for risk rating third parties, criteria used for determining if a third party is critical, reporting formulas and values, and stakeholder training documents.
Implementing and Maintaining Effective Third-Party Risk Management
Third-party risk management will be unique for every organization. Some will have access to fully developed TPRM teams, while others need to operate with more limited resources. In order to ensure successful and efficient third-party risk management, here are a few tried-and-true strategies:
- Create an inventory: Ensure you have a full list of all your organization’s third-party relationships, but don’t limit it to just traditional vendors, service providers, and suppliers. Include all business relationships, such as your financial services providers, fintech partners, legal services, staffing agencies, consultants, revenue or profit-sharing relationships, subsidiaries, etc.
Your accounts payable department can provide a complete list of all entities that have received payment or compensation in the last 24 months. Check the list against your own to ensure all business relationships are included. You don’t have to include employees, customers, or investors.
- Take a risk-based approach: Every third-party engagement is different. Make sure you apply your third-party risk management requirements and process based on the risk rating and criticality of the engagement. This ensures third-party vendors with elevated risk receive the required attention.
- Critical or high-risk third parties require the most robust due diligence and should be re-assessed at least annually.
- Moderate-risk third parties should be re-assessed every 18 months to two years.
- Low-risk third parties may not require much due diligence at all and can be re-assessed every two to three years.
- Utilize TPRM software: Managing all the processes and requirements of third-party risk management can be challenging, time-consuming, and error-prone if you’re dependent on manual processes, such as tracking emails and inputting and reporting data from multiple spreadsheets.
Dedicated third-party risk management software enables automation, keeps relevant data in a single place, organizes and stores third-party documentation and records, sends and receives third-party or stakeholder communications, provides automatic version control, enhances reporting, and ensures appropriate record keeping. It’s typically designed to handle all the interdependencies of TPRM and can help your organization make the most of its resources.
- Establish third-party risk management routines: You will be better able to maintain regulatory compliance, predict workload, keep stakeholders informed, and keep your TPRM processes on track by establishing and publishing a set of third-party risk management routines. Your organization should determine how often third parties are subjected to performance monitoring and risk re-assessments, the frequency of reporting to stakeholders, management, or the board, when and how often the policy is updated, and when to complete regular audits of the program.
- Practice continuous improvement: It's important to acknowledge that even the most effective third-party risk management programs can always be improved. This could be due to changes in regulatory requirements, inefficient processes, or a need for better education and training for stakeholders. To ensure your program is up to date, it's a best practice to conduct an annual review to identify any gaps and opportunities for improvement.
In today's rapidly changing business environment, it’s crucial to avoid having an "ignorance is bliss" attitude towards your third-party vendor relationships. Third-party risk management is intended to oversee and manage your organization's third parties, while identifying, assessing, managing, and monitoring their risks, which ultimately helps build and maintain resiliency, maintain your reputation, attract and keep customers, and protect your bottom line.
Third-party risk management is not only a regulatory requirement for many industries, but it’s also a best practice that provides strategic advantages to other areas of business operations and allows you to maximize the value of your third-party vendor relationships.