12 Ongoing Monitoring Best Practices for Third-Party Risk Management


The third-party risk oversight process doesn't end when the contract is signed. Your third parties’ performance and risk must be monitored on an ongoing basis throughout the life of the relationship. An effective third-party risk management (TPRM) program will maintain ongoing monitoring and follow best practices.

In this blog, we'll explore why ongoing monitoring is necessary to track your third party's performance and to identify new or emerging risks. We'll also recommend 12 best practices and resources for ongoing monitoring.

Why Is Ongoing Monitoring So Important?   

Initial risk assessments and due diligence are completed during the onboarding stage and should be repeated on a routine basis. Still, it’s important to remember that a third party’s performance or risk profile can change rapidly, so it’s necessary to monitor and manage your third-party vendors continuously. Ongoing monitoring between formal risk re-assessments will provide vital data points to ensure your third party meets your expectations and has an acceptable risk profile.

Ongoing monitoring of third parties is a best practice because it helps identify risk and minimize surprises throughout the third-party risk management lifecycle, but it’s also a regulatory requirement for many organizations.

Reasons Ongoing Monitoring Benefits Your Organization   

Here are three reasons ongoing monitoring in third-party risk management benefits your organization:

  1. Ongoing monitoring is a strategic discipline that provides a clear picture of where you should focus your efforts.

    Ongoing monitoring requires discipline, and while we outline several best practices, they’re all designed to provide a deeper look into the third party to ensure you can identify and mitigate risk as much as possible. The information collected during this stage can highlight exactly where you need to pay attention. For example, suppose you're reviewing a third party’s most recent financial statement and notice a decline in financial condition. As a result, you would need to investigate the situation in order to determine if it would affect the products/services they provide to your organization (e.g., confirm they aren't planning to sunset a product or service).
  2. Ongoing monitoring ensures your third party’s performance is acceptable and that the intended value of the relationship is being delivered.

    Organizations engage third-party vendors to help realize an opportunity or to solve a problem. If a third party has poor performance or is too risky, the value of that relationship declines. When the value of the relationship is not as expected, your organization can lose money, waste resources, and suffer reputational damage, regulatory actions, or fines. Ongoing monitoring is necessary to confirm the value and output of third-party relationships and to protect the organization and its customers from unnecessary risks.
  3. Ongoing monitoring delivers high-value data that can be used in third-party risk management reports.

    Reporting to senior management and the board isn’t only a best practice for third-party risk management, but a regulatory expectation. The details of these reports will vary, depending on what your organization is trying to accomplish within its third-party risk management program. Third-party issues, new or emerging risks, and program compliance are just a few examples of metrics that might be reported to the board and senior management. Monitoring your third parties’ risk and performance and reporting that data will ensure your organization’s stakeholders can make informed decisions.  

12 Ongoing Monitoring Best Practices    


Here are 12 best practices to keep in mind for your third-party continuous monitoring efforts: 

  1. Ensure data breach notification protocols are applied in the third party’s procedures and included in your contracts. This ensures your third party will notify your organization in a timely manner when they experience a breach and will take appropriate steps to safeguard your data. Cybersecurity incident disclosures are required with agencies like the Securities and Exchange Commission and the National Credit Union Administration.
  2. Monitor consumer complaints submitted internally or from online sources such as the Consumer Financial Protection Bureau (CFPB) complaint database. This can help identify any third parties that could harm your organization’s reputation. If your third party delivers poor service to your customers, your organization will likely take the blame. 
  3. Create Google Alerts. Each alert can be specific to your third party and include keywords that would cause concern if triggered. You should be aware of your third party’s reputation and watch for any negative news like lawsuits or data breaches that might reflect poorly on your organization. It’s also helpful to monitor news for alerts that may indicate financial trouble or performance issues with your third party, like layoffs and bankruptcy filings.
  4. Incorporate commercially available third-party risk intelligence tools and services into your monitoring process. Risk intelligence services collect and analyze data from a variety of sources to provide unique insight into different third-party risk domains and supplement your organization’s oversight efforts.
  5. Set reminders to monitor a third party’s quarterly financial filings if it's a publicly traded company. If it's a private company, request alternative documents such as audited or reviewed financial statements, tax filings, or a financial health letter. Financial filings can reveal red flags about the third party’s financial health and the possibility of operational consequences like a decline in service levels or an increase in cybersecurity risk.
  6. Consider adding contractual obligations that require the third party to notify you immediately of a change in leadership, pending litigation, or any other issue that might affect the relationship.
  7. Implement regular third-party performance reviews to evaluate quarterly performance and resolve any service level concerns. This confirms the third party is meeting contractual obligations and ensures they're still delivering the intended value of the relationship.
  8. Provide a framework for feedback from the first line of defense (lines of business/business units). Meet regularly, track concerns, and address any legitimate issues raised. It’s important to stay engaged with the first line, ask for updates, and escalate any issues that they’ve identified before they become larger problems. 
  9. Leverage social media outlets. Follow the third party on LinkedIn, X, and Facebook. Have updates sent to a separate email account, so your regular email doesn't get bogged down with information.
  10. Subscribe to industry newsletters that may specialize in certain risk domains such as cybersecurity, compliance, or finance. This can help you stay informed of new or evolving third-party risks that require more attention.   
  11. Check regularly for any litigation or enforcement actions. Regulators like the CFPB have an online database of enforcement actions. Litigation can also be tracked online through various fee-based sites or through a dedicated software platform.
  12. Establish regular risk re-assessment and due diligence intervals to refresh risk data and ensure detailed subject matter analysis and reporting. The frequency of this should be based on the third party’s risk level. A general guideline for this is:
    • At least annually for critical and high-risk third parties
    • Every 18-24 months for moderate-risk third parties
    • Every 2-3 years for low-risk third parties, or before contract renewals

As part of your organization's third-party continuous monitoring process, you should record any third-party risk or performance findings as well as the required remediation. Be sure to track open issues through to completion and look for third-party risk or performance trends that may indicate new or emerging risks. If there are serious issues or red flags, inform your senior management and board of directors, especially if those issues concern a critical third party.

Ongoing monitoring is essential for identifying, assessing, and managing your third-party risk and staying ahead of serious problems.
