Interactive Guide to the Third-Party Risk Management Lifecycle
Use this interactive guide as a quick overview of the third-party risk management lifecycle to follow when managing your vendors: the supporting foundation, scoping, the four stages of an engagement and termination.
FOUNDATION
Supporting Elements
There are supporting activities that guide, manage and integrate the lifecycle. They are not a stage of their own, but every stage depends on them.
Oversight & Accountability
Determining oversight and accountability roles and requirements is generally done by the board of directors or the executive leadership team and communicated through official governing documents.
Documentation & Reporting
It’s important to create third-party risk management governance documents. A policy, a program and procedures are the common governance documents used to communicate third-party risk management roles and responsibilities throughout an organization: the policy sets the requirements, the program describes how they are met, and the procedures spell out the day-to-day steps.
Independent Reviews
Think of independent audits and third-party assessors as assets: they keep you honest, help ensure your program meets regulatory guidance and test whether you can prove, at any given time, that you are doing what you should.
SCOPING
Decide what does and doesn’t need to go through this lifecycle process.
What is it?
Scoping is defining what counts as a vendor, service provider or third party to your organization. Customers, clients and potentially certain partner types should generally be excluded from this process.
Best Practices
Establish a repeatable process that helps verify all the appropriate relationships make it into the lifecycle by reporting each new relationship to the people who manage the program. This could be anything from sending an email to submitting a ticket to let risk managers know a potential new vendor is being considered. Ideally, this is the point at which third-party risk professionals determine whether the engagement falls in scope for further vetting.
STAGE 1
Inherent Risk & Criticality Assessment
Helps determine the highest amount of risk that the engagement could potentially pose to your organization.
Determining the inherent risk and criticality is an imperative first step of a vendor engagement, as it paves the way for appropriate, risk-based due diligence. Inherent risk is the assessment of risk based solely on the nature of the relationship, without consideration of any precautions or controls that are in place. It is usually rated on a tiered scale, typically low, moderate and high risk. Criticality is a determination of the business impact an engagement may have, or whether a particular service would be critical to your internal operations; vendors are typically classified as critical or non-critical. The two are assessed separately: a vendor can be critical to operations without handling sensitive data, and a vendor that handles sensitive data can be high risk without being critical.
Best Practice
Establish a repeatable process for verifying that every vendor that should be in scope actually goes through the lifecycle. To do this, make sure there is a method or process in place that routes reports on those vendors to the people who manage them, so that nothing is assessed late or missed entirely.
STAGE 2
Due Diligence & Residual Risk Determination
Determine the best way to ensure the inherent risk is mitigated appropriately and effectively.
Now that you understand the inherent risk, as well as how critical the service might be, you can determine the best way to ensure that risk is mitigated appropriately and effectively. To do this, conduct due diligence. Conducting due diligence is another way of saying do your homework: know what you’re getting yourself into and do some research before drawing lines between your organization and another. In practice, this means collecting and validating information from and about the vendor, then taking into account the controls that mitigate, or reduce, the inherent risk. The result is the residual risk: the risk that remains once the vendor’s controls are considered.
STAGE 3
Vendor Selection & Contract Management
Administration of written agreements with third parties that provide your organization with products or services.
Now that you’ve completed a risk assessment by identifying both the inherent and residual risk levels, and if the relationship’s residual risk is acceptable, it’s time to consider the contract. For new engagements, you can make an informed decision about which vendor to move forward with; for existing vendors, you can use the risk assessment and due diligence data to determine whether any provisions should be added at the next contract review. Keep track of important contract term dates and SLAs along the way.
STAGE 4
Ongoing Monitoring
It’s important to keep an eye on your vendors after you sign a contract to ensure you’re remaining aware of any new risk posed.
1. Regularly run reports – Report vendor activity regularly to senior management and the board to keep them in the loop, and escalate issues as needed.
2. Set up SLA tracking – SLA tracking is critical to understanding how a vendor is performing, so set up a method, possibly in a platform, to track these metrics against the contracted terms.
3. Use an open-source monitoring tool – A tool that watches publicly available sources (news, breach disclosures, financial and regulatory events) should notify you of significant developments affecting your significant vendors throughout the engagement.
4. Base review schedules on inherent risk – If a vendor is inherently high risk but moderate residual risk, review it on the high-risk frequency. Residual risk depends on controls that can weaken or lapse between reviews, while inherent risk reflects what is at stake if they do.
5. Set an ongoing monitoring standard – It should make sense for your organization and resources. A general rule of thumb is to review critical and high-risk vendors annually, moderate-risk vendors every 18 months to two years and low-risk vendors every two or three years.
6. Stick to your internal third-party risk management policy – Examiners will want to see that the work product matches what is stated in the policy, so a review frequency you cannot sustain is worse than a longer one you consistently meet.
Once the risk assessment, due diligence and contract execution are complete, the ongoing monitoring stage begins. It includes:
• SLA tracking and monitoring
• Staying abreast of any issues or changes
• Periodic risk assessments
TERMINATION
Finally, there comes a time when an engagement must come to an end. Whether because of a vendor’s failure to perform, because the contract term is up or because you need to move on, there should always be some consideration of what the termination process will look like for any particular vendor. Follow your exit strategy and be sure you’re terminating the relationship in accordance with the contracted terms. At a minimum, confirm that the vendor’s access to your systems is revoked and that your data is returned or destroyed as the contract requires.