Examples of Key Risk Indicators in Third-Party Risk Management

Effective third-party risk management (TPRM) programs help protect organizations against operational interruptions, security breaches, compliance violations, customer dissatisfaction, and financial loss. However, to ensure the TPRM program is efficient and effective, it’s essential to establish a system that can measure its health and performance.

This is where metrics come in – they’re measurements that evaluate whether objectives have been met and identify risks that need to be managed. In this blog, we’ll focus on program metrics, specifically key risk indicators (KRIs). We’ll explain how KRIs can be used to actively identify and manage TPRM program risks, which can help organizations identify gaps and areas for improvement, leading to better risk management outcomes.

Third-Party Risk Management Key Risk Indicator Examples

KRI metrics should cover various third-party processes, so you can get a clear picture of risks across the organization. Your metrics should include defined thresholds, which can depend on your organization and its risk appetite.

Let’s explore some examples of TPRM KRIs and the risks they identify:

Compliance – Vendors should not only be in compliance with laws and regulations, but also your organization’s internal rules and requirements. 

• Contracts: The organization optimizes the value of contracts as a tool for managing compliance risks.
  
  • Example of TPRM KRI: % of critical and high-risk vendor contracts reviewed/approved for complete regulatory compliance language. 
• Open vendor compliance issues: Vendors with open compliance issues pose direct compliance risk to the organization.
  
  • Example of TPRM KRI: Number of open vendor compliance issues. This can be through any channel, like risk monitoring, due diligence, risk re-assessment, customer complaints, etc.

Risk assessment – This is fundamental to effective risk management, and there are many risk assessment dimensions and processes that can be utilized as KRIs.

• Inherent risk assessment completion (product and service level): Not all products and services pose the same risks, nor do vendor relationships. As such, all vendors must undergo an inherent risk assessment for every product and service offered to create a risk rating at the product service level and an overall rating for the relationship. Be aware of any legacy relationships that may not have been risk rated previously.
  
  • Example of TPRM KRI: % of vendors with inherent risk ratings.
• Timely risk re-assessment: Vendor risk is constantly changing and evolving and delayed or missing re-assessments increase the risk of unidentified or growing risks.
  
  • Example of TPRM KRI: % of vendor risk re-assessments on schedule per risk rating.
• Concentration risk: Vendors providing multiple essential products or services can impact the organization on a greater scale should they fail.  
  
  • Example of TPRM KRI: % of critical or high-risk vendors within a 100-mile radius. Too many vendors in a small geographic area could be affected by the same business-interrupting event such as a power outage, natural disaster, etc.
  • Example of TPRM KRI: Number of critical or high-risk vendors providing more than one moderate to high-impact product or service. If these vendors fail, the impacts to the organization will be wider ranging and harder to control.

Due diligence – The due diligence process is meant to ensure the vendor has satisfactory risk management practices and controls in place to address known risks.

• Example of TPRM KRI: Number of due diligence exceptions made within a fixed time frame. If there are too many exceptions to this process, it becomes less effective.
• Example of TPRM KRI: Number of due diligence issues identified. If the due diligence process never uncovers any issues, it may not be comprehensive enough.
• Example of TPRM KRI: Number of due diligence issues with reviewed, approved, and timely remediation. If issues aren’t properly remediated, or aren’t remediated in a timely manner, then the risks remain unmanaged. Low rates indicate poor risk management.

Critical vendors – Critical vendors are those on whom your organization is operationally dependent and should they fail, there would be serious impacts on your organization or to your customers. 

• Example of TPRM KRI: % of critical vendors. Critical vendors should represent a fairly small percentage of your total vendor population (less than 15% approximately). A growing number of critical vendors may indicate that your criteria for determining critical vendors might need to be reviewed. 
• Example of TPRM KRI: Number of critical vendors with open issues. An increase in critical vendor issues (cybersecurity, compliance, financial health, business continuity and disaster recovery, performance, etc.) can indicate a number of serious problems, ranging from poor risk identification, performance or risk monitoring or management, or external changes and influences, and should call for immediate action.
  

Third-party risk exposure – Identifying KRIs across the vendor portfolio level vs at the process level can help your organization further identify where systematic risks exist.

• Example of TPRM KPI: % of critical or high-risk vendors with high cybersecurity risk.
• Example of TPRM KPI: % of critical or high-risk vendors with high compliance risk.
• Example of TPRM KPI: % of critical or high-risk vendors with high financial risk.

These are just a few of the many KRIs you could use as metrics for your TPRM program. 

Best Practices for Developing Third-Party Risk Management Key Risk Indicators

Although the examples above can be helpful, your organization’s specific TPRM KRIs will depend on your vendor engagements, organization’s goals, and risk appetite. It’s important to keep best practices in mind for TPRM KRIs. 

Here are five key concepts to consider as you develop your own:

1. Consider your organization’s risk appetite – In order to set reasonable targets and thresholds for risk, you need to first understand how much risk is acceptable in pursuit of your organization’s objectives.
2. Determine which risks are most meaningful – You can’t eliminate all risks, nor is it practical to measure them all, so it’s important to prioritize the development, measurement, and tracking of KRIs. 
3. Inventory core TPRM processes – This includes risk identification, due diligence, contracting, risk re-assessment and periodic due diligence, contract renewal, and terminations. What are the risks that exist when these processes are incomplete, ineffective, or not well-timed? Are some of those risks bigger than others? Do any of those risks create a domino effect?
4. Understand the consequences – Think about how your stakeholders’ actions and behaviors influence TPRM at your organization. What are the risks if someone fails to fulfill their roles or responsibilities or ignores established rules and requirements? 
5. Identify and test your data sources – Whatever data your organization uses to support your KRIs, they must be reliable, repeatable, and reportable.

Finally, once you’ve established your KRIs, you must be prepared to take action when risks are beyond acceptable limits. This means creating documented remediation plans that are timebound, tracked, and managed until the issues are closed and risks are under control. 

KRIs are not only essential metrics for measuring the health and effectiveness of your TPRM program, but they can also serve as invaluable risk management tools.