Identifying and Documenting Third-Party Risk Management Issues
Track TPRM issues throughout the vendor lifecycle.
No matter the vendor, there may be issues that arise at any point in the vendor relationship. In this podcast, learn examples of third-party risk management issues you may encounter and what to do next.
Hi - this is Jill Sherman with Venminder.
Third-party risk management issues can occur at any stage of the lifecycle, from the initial vendor due diligence to the termination of the contract. No matter how much planning you do, it’s likely that you’ll have to face a few unexpected scenarios that can increase risk for your organization.
In this podcast, you'll learn a few examples of third-party risk management issues and why you need to document and manage them.
Here at Venminder, we have a team of third-party risk management professionals who can help establish an effective issue management process. That includes identification, documentation, and overall management.
Issue management is an essential practice that identifies, remediates, and tracks issues in your third-party risk management program. Without proper documentation, these issues might go unresolved, which causes you to overlook risks that can harm your organization.
Some issues might originate on the vendor side, such as a decline in contractual performance or a vendor disruption that was not communicated well to you as the customer. But other issues can be found internally to your organization.
For example, maybe there are inefficient processes that are costing extra time and money. Let’s review a few examples of issues and why they need to be documented.
- The first example we’ll look at is an issue found within the due diligence process. Imagine that you’re reviewing a vendor’s business continuity and disaster recovery plan during your ongoing due diligence and you discover that the testing results are outdated.
You let the vendor know that they need to provide new and current testing results before the next due diligence period. As the next review period comes around, you realize that the testing results remain outdated. This would be an issue that needs to be formally documented so that you have a record of the vendor’s non-compliance. Documentation could then be used to help make decisions about contract termination.
- In this next example, the due diligence issue is caused by your organization, not the vendor. Due diligence should always be reviewed by a qualified subject matter expert who specializes in a specific risk domain. That could be financials, information security, business continuity, and more.
The subject matter expert is responsible for providing a qualified opinion on whether the vendor’s controls are sufficient. But in this case, your organization doesn’t have the appropriate subject matter expert who can review the vendor’s due diligence.
Documenting this issue may help provide evidence that your third-party risk management program needs additional resources to run more effectively or that you should outsource this activity.
- The last example is an issue with the vendor’s performance. It’s important to continuously monitor your vendor’s performance to make sure that it’s meeting contractual obligations.
Maybe your vendor provides a service for your customers, and you’ve implemented a service level agreement about the system’s uptime. Your contract states that the system must be available between 99% and 100% of the time every month. The issue develops when the uptime falls to 97% three months in a row.
An issue like this would put your reputation at risk and might impact your customers’ operations, so it’s critical to document this decline in performance. That will help you determine whether this warrants an end to the vendor relationship or escalation to their management to discuss the contract breach and efforts to avoid it in the future.
Now you have a better idea of the issues that can occur in third-party risk management and why it’s important to document them. There’s no such thing as a perfect vendor relationship where everything goes according to plan, so it’s essential to identify and document issues that can expose your organization to additional risk.
Even if the issues are more prevalent in your vendor’s processes, your organization is still responsible for documenting and resolving these problems to create a safer third-party risk relationship.
Thanks for tuning in. Catch you next time!
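As an added example (not part of the episode and not Venminder's own tooling), the Python below turns the two vendor-side scenarios described above into checks a program could run each review cycle: a due-diligence artifact that stays outdated from one review to the next, and monthly uptime that falls below the contractual floor for several months running. The vendor name "ExampleCo", the dates, the 99% uptime floor, the 365-day evidence age limit and the three-month escalation rule are all assumptions chosen for illustration.

```python
"""Added example (not Venminder's code): a minimal TPRM issue register
that encodes the two scenarios from the episode as repeatable checks.
Vendor name, dates and uptime figures are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Issue:
    vendor: str
    category: str            # "performance" or "due_diligence"
    description: str
    opened: date
    severity: str            # "medium" on first finding, "high" once escalated
    status: str = "open"
    history: list = field(default_factory=list)   # (date, description) of repeat findings


def trailing_breaches(uptimes, threshold):
    """Number of most-recent consecutive months below the SLA floor.
    `uptimes` is ordered oldest to newest, as percentages."""
    count = 0
    for value in reversed(uptimes):
        if value >= threshold:
            break
        count += 1
    return count


def check_uptime_sla(vendor, uptimes, threshold=99.0, escalate_after=3, as_of=None):
    """Return an Issue if the latest month is below the contractual floor.
    A streak of `escalate_after` bad months (97% three months running in the
    episode) is opened at high severity, the trigger for escalating to vendor
    management or reconsidering the relationship. Thresholds are assumptions."""
    streak = trailing_breaches(uptimes, threshold)
    if streak == 0:
        return None
    severity = "high" if streak >= escalate_after else "medium"
    return Issue(vendor, "performance",
                 f"uptime {uptimes[-1]:.1f}% is below the {threshold}% floor "
                 f"for {streak} consecutive month(s)",
                 as_of or date.today(), severity)


def check_evidence_age(vendor, artifact, evidence_date, max_age_days=365, as_of=None):
    """Return an Issue if a due-diligence artifact (e.g. BC/DR test results)
    is older than the age the program accepts (365 days is an assumption)."""
    as_of = as_of or date.today()
    age_days = (as_of - evidence_date).days
    if age_days <= max_age_days:
        return None
    return Issue(vendor, "due_diligence",
                 f"{artifact} dated {evidence_date.isoformat()} is {age_days} days old "
                 f"(limit {max_age_days})",
                 as_of, "medium")


def record(register, issue):
    """File an issue. If the same vendor already has an open issue in that
    category, log it as a repeat finding and escalate instead of opening a
    duplicate; the history is the record that the vendor was told and did not fix it."""
    if issue is None:
        return None
    for existing in register:
        if (existing.vendor == issue.vendor and existing.category == issue.category
                and existing.status == "open"):
            existing.history.append((issue.opened, issue.description))
            existing.severity = "high"
            return existing
    register.append(issue)
    return issue


def run_constructed_review():
    """Two review cycles for a constructed vendor: the BC/DR test results
    stay outdated across both reviews, and uptime slides to 97% for three
    months. Returns the resulting register."""
    register = []
    bcdr_tested = date(2022, 3, 1)                       # constructed evidence date
    record(register, check_evidence_age("ExampleCo", "BC/DR test results",
                                        bcdr_tested, as_of=date(2024, 1, 15)))
    record(register, check_evidence_age("ExampleCo", "BC/DR test results",
                                        bcdr_tested, as_of=date(2025, 1, 15)))
    monthly_uptime = [99.9, 99.6, 97.0, 97.0, 97.0]      # constructed, oldest first
    record(register, check_uptime_sla("ExampleCo", monthly_uptime,
                                      as_of=date(2025, 1, 15)))
    return register


if __name__ == "__main__":
    for issue in run_constructed_review():
        print(f"[{issue.severity}] {issue.vendor} / {issue.category}: {issue.description}"
              f" (repeat findings: {len(issue.history)})")
```

The point of `record` is that a repeat finding does not open a second ticket; it attaches to the existing one and raises its severity, so the register itself shows how long the vendor has been non-compliant when the termination or escalation decision is made.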