Editor's note: after this article was published, Venminder created and released a new, simplified third-party risk management lifecycle that is more user-friendly. Learn why we made this change here, and learn the stages of the new risk lifecycle here.
Third party risk management is the process of identifying every significant company or vendor that helps deliver a product or service to your organization, or to your customers on the organization's behalf. Once those vendors have been identified, it involves controlling costs, evaluating service performance, mitigating the risk each vendor introduces and managing the overall vendor lifecycle.
What Is a Third Party?
A third party is a vendor with which your organization has a direct contract for a product or service. In other words, you have outsourced that product or service to the vendor.
Guidance You’ll Want to Know
OCC Bulletin 2013-29 is often referred to as the gold standard of third party risk guidance. It is the guidance that put a focus on the overall lifecycle of third party risk and the importance of each phase. In short, if you do not skip a phase of the lifecycle, you should be managing third party risk at your organization quite well. (Note that in 2023 the OCC, Federal Reserve and FDIC replaced this bulletin with the Interagency Guidance on Third-Party Relationships: Risk Management, which keeps the same lifecycle structure.)
The 5 Vendor Lifecycle Phases
These phases are a key component of third party risk.
- Planning – Establish firm guidelines before engaging any vendor. These guidelines are documented in your third party risk policy, program and procedures.
- Due Diligence & Third Party Selection – Implement a pre-contract vendor vetting standard and follow it every time you select a new third party.
- Contract Negotiation – The contract is a key foundation of the program. It is where you set each party's (your organization's and the vendor's) responsibilities and expectations.
- Ongoing Monitoring – An often-forgotten phase of third party risk is ongoing monitoring: continuously watching the vendor for new risks. To do this, due diligence must be repeated annually, or more often based on the vendor's risk level. Due diligence typically includes risk assessments, SOC report reviews, financial reviews, performance assessments and more.
- Termination – Sometimes a vendor relationship must end, whether because the vendor failed to perform or because its business closed. Whatever the reason, there should be a plan in place to replace the third party or bring the function back in house.
Tips for Third Party Risk Management Results
If your organization performs third party risk management well, you will have a strong vendor risk program in place that examiners find satisfactory.
Here are 4 things you will need in order to do third party risk well:
- Board and senior management involvement – especially regarding critical vendor activities.
- A policy, program and procedures to be used as guidelines to follow.
- Due diligence analysis – it is not enough to collect due diligence documentation; you also need to thoroughly analyze it.
- A deep understanding of the regulatory guidance.
Third party risk can certainly be an overwhelming concept and can present unforeseen challenges at times. However, with the right resources and a clear grasp of your organization's third party risk expectations, it becomes much easier to manage.