Overview of a Third-Party Risk Management Framework

Whether you're a business leader or an architect, it's important to realize that constructing anything, whether it's a software program or a physical building, requires the right support structure. This principle also holds true for the development of a third-party risk management (TPRM) framework. Attempting to tackle the task without adequate planning, documentation, or the right components can lead to costly and time-consuming repairs or revisions.

In this blog, we'll dive into the essential components of a third-party risk management framework and provide guidance for creating one. 

Developing a Third-Party Risk Management Framework

Building a robust third-party risk management framework isn’t something that happens overnight – it takes careful planning and a lot of hard work, but is always worth the effort. If you’re tasked with building a third-party risk management framework from the ground up, it can be helpful to take an approach that includes the following steps:

1. Read the blueprint – Identify framework boundaries and requirements.
2. Prepare the infrastructure – Decide on your third-party risk management model, roles, and responsibilities.
3. Lay a solid foundation – Determine oversight and accountability and develop governance documents.
4. Build out framework processes – Implement the third-party risk management lifecycle stages and activities.
5. Inspect your framework for quality and safety – Solicit stakeholder feedback, self-audit your third-party risk management framework, and mature the framework with continuous improvement.

Let’s dive deeper into each of these components.

1. Identify Third-Party Risk Management Framework Boundaries and Requirements

Third-party risk management frameworks should have defined requirements and boundaries. Taking the time to identify regulatory requirements and the organizational objectives for implementing third-party risk management can help you properly scope and scale third-party risk management at your organization.

• Determine applicable regulatory requirements – Check whether your organization falls under the regulation of a government entity that has released any guidelines or expectations for third-party risk management. This can serve as a starting point to develop your third-party risk management framework. Even if you’re not part of a regulated industry, it’s important to remember that industry best practices for TPRM have evolved from regulatory guidelines, such as the Interagency Guidance on Third-Party Relationships. Familiarizing yourself with these regulatory requirements can help ensure your program and framework aligns with best practices.
• Define the scope of the third-party risk management program – To optimize your time and resources, stipulate the scope and boundaries of your third-party risk management program. To do this, your organization must decide how it defines a third party (vendor, service provider, supplier). There are some types of third parties, such as customers, clients, and government entities, that should be excluded. Your organization will need to decide what and who falls in scope and document it.

• Inventory your vendors – Completing this process will require effort, but it should be relatively straightforward since you’ve already determined the program's scope. Work with your accounts payable department to compile a list of vendors and third-party providers within the scope, including any pertinent information such as contract numbers and vendor owners. Be sure to document this information carefully and ensure there’s a process to keep this data current.

2. Determine Third-Party Risk Management Framework Model, Roles, and Responsibilities

Once you’re clear about the requirements you need to meet and how many vendors there are to manage, it’s time to think about how the TPRM function will exist in your organization and who will be responsible and accountable for the work. This is where the third-party risk management framework comes in.

• Specify the model of your framework. When establishing a third-party risk management framework, a good starting point is to figure out the best way to structure the TPRM function within your organization. The right organizational model can ensure that resources are used wisely and that the right people are engaged.
  
  There are several third-party risk management framework models to choose from:
  
  • Decentralized – In this model, there isn't a formal third-party risk management program or a dedicated team. Multiple stakeholders complete work. Risk assessments, due diligence, and contract management are parsed out among different departments.
  • Centralized – This model is built with a dedicated third-party risk management team or function completing the majority of work; this ensures much more oversight and accountability of all the tasks associated with third-party risk management. There’s more robust, streamlined communication between the TPRM team and other departments within the organization in this approach.
  • Hybrid – The hybrid approach is especially beneficial for larger organizations. Generally, it includes an organized third-party risk management office that sets the guidelines, delegates tasks to different areas, and monitors those tasks throughout the lifecycle. Individual vendor owners or managers are responsible for performing specific third-party risk management tasks and activities.
• Identify roles and responsibilities. Once you've determined the best model for your organization, it's time to build out roles and responsibilities. In most organizations, third-party risk management responsibilities are typically assigned to one of three lines of risk management:
  
  • First line – Within the first line, duties related to third-party risk management are typically assigned to a designated vendor owner or manager (within the business unit). They’re responsible for the day-to-day vendor relationship and for managing all the risks associated with it.
  • Second line – The second line is the group responsible for the third-party risk management framework and program, which includes the development of the rules, tools, and processes that make third-party risk management possible at the organization. They’re also responsible for the coordination and oversight of required tasks, documentation, reviews, and reporting related to each stage of the third-party risk management lifecycle. The second line is responsible for reviewing and challenging first-line risk assessments, tasks, or deliverables as needed. Other stakeholders like subject matter experts are also part of the second line.
  • Third line – Typically, internal audit fulfills the responsibilities of the third line. Internal audit provides an independent and objective assessment of the effectiveness of the third-party risk management program. These audits and reviews help ensure the program is operating efficiently and effectively and that all risks are being appropriately identified, monitored, and addressed. They also ensure the third-party risk management program complies with relevant regulations and standards. Other roles that fall within the third line include regulatory examiners and certifying bodies.

3. Develop Third-Party Risk Management Framework Governance Documents

After determining a third-party risk management framework model, the next step is to lay a solid foundation to ensure it will be effective. The elements of a strong foundation include documentation and reporting, oversight and accountability, and independent third-party review.

• Develop governance documents. This is an important first step. Governance documentation refers to a collection of formalized policies, standards, processes, and guidelines that are documented. This documentation serves as a reference for stakeholders at all levels, providing them with information on the rules, obligations, responsibilities, and procedures involved in TPRM at the organization. It ensures consistency in the execution of TPRM and helps maintain transparency and accountability.

Formal governance documents communicate responsibilities, rules, requirements, and expectations. These documents fall into three categories – policy, program, and procedures:

1. Policy – Defines the rules and requirements of the program, oversight, and governance, and broadly describes roles and responsibilities for TPRM. If the organization is subject to regulations, the policy should specify applicable regulations. Policies should be reviewed and approved by the board of directors and senior management.
2. Program – This document supplements your policy and includes specific details of your organization's TPRM structure, responsibilities, and tools. It details the processes used to meet the policy requirements. These documents aren’t mandatory but are considered a best practice. Your organization may wait until the third-party risk management framework is defined and the processes are stable before developing this document.
3. Procedures – These are step-by-step instructional guides on how to perform the processes to meet the policy requirements. Good procedures are simple and easy to follow and are specific to a single process and stakeholder at a time. Procedures can be developed as processes become stable.

• Establish oversight and governance. It's essential to have proper oversight and accountability for the TPRM program. This oversight should start with the board and flow through management to the entire organization. Each individual and team should have clear accountability for effectively executing third-party risk management. Formal oversight mechanisms, such as regular review by a risk committee, are necessary to ensure the TPRM program is working correctly and that issues are managed effectively.

4. Implement Third-Party Risk Management Lifecycle Stages and Activities

Now that you have an infrastructure supported by a strong foundation, it's time to build out your third-party risk management processes. This step can be straightforward if you follow the third-party risk management lifecycle. The lifecycle is a comprehensive map that outlines the necessary third-party risk management activities, their order, and required actions.

• Onboarding – The first stage includes the following activities, which are essential to begin a safe vendor relationship:
  
  • Planning & Risk Assessment – Determining both the inherent risk and criticality of a vendor is fundamental to successfully mitigating all potential outsourcing risks. Inherent risk is based on the hazards present in the product or service and relationship. Criticality pinpoints the business impact your vendor may have on your operations or customers should they fail.
  • Due Diligence – Collecting and reviewing documented evidence of a vendor's risk controls and practices is necessary to assess the sufficiency of the vendor's control environment and whether it can effectively mitigate identified risks. This information can help you decide whether to proceed with the contracting process.
  • Contracting – This process includes all the necessary activities of negotiating, drafting, approving, storing, and managing the contract. Service level agreements (SLAs) and other contract provisions will also be involved in this process.
• Ongoing – Throughout the lifecycle, you'll want to periodically request, collect, and re-assess vendor due diligence, inherent risk, and criticality.
  
  • Re-Assessments – A vendor's risk must be re-assessed regularly. Data breaches or a decline in performance should initiate more frequent re-assessments. The recurring basis for critical and high-risk vendors should be at least annually. Moderate and low-risk vendors can be re-assessed less frequently.
  • Monitoring & Performance – This involves tracking and monitoring SLAs and monitoring a vendor's risk profile.
  • Renewals – A vendor contract should be formally reviewed mid-term, giving you enough time to renegotiate. However, it's also important to perform ongoing contract management by identifying gaps or issues and assessing the vendor relationship for performance standards.
  • Due Diligence – Some due diligence documents, such as insurance certificates or testing results, can expire or become invalid. Remember to track any documents that expire and request new ones as needed.
• Offboarding – Whether your vendor relationship is closing at the end of a contract, or you need to part ways earlier than expected, you'll need to consider the following details:
  
  • Termination – Notify the vendor that the contract won't be renewed or you're terminating early.
  • Exit Plan Execution – An exit strategy eases the transition, ties up any loose ends, and minimizes disruption.
  • TPRM Closure – This involves administrative tasks such as updating your system, organizing the vendor documents, and paying any final invoices.

5. Inspect Your Third-Party Risk Management Framework

Once your third-party risk management framework is established, it's important to review it on a regular basis to ensure that it’s working as intended. Even the TPRM program may need an occasional re-adjustment. Monitor your program by doing the following:

• Solicit feedback on the third-party risk management framework – Managing third-party risks can pose a challenge for some individuals. If any stakeholders express concerns or face difficulties during the process, it’s essential to acknowledge their feedback constructively. By actively listening and considering their input, you can utilize it to improve the program. Communicating this to your stakeholders will also demonstrate the value your organization places on their feedback and help build trust in the program.
• Self-audit your third-party risk management framework – Compare your program to regulatory requirements and best practices to determine if there are any gaps or issues. If you discover deficiencies, document them and create a time-bound plan to remediate the issues.
• Mature your framework through continuous improvement – Managing third-party risks is a crucial aspect of any business, and building an effective third-party risk management framework is key to mitigating risks. While it’s no easy task, the continuous evaluation of the framework can bring about significant improvements.

Here are two tips to improving your third-party risk management framework:

• Enable vendor managers to understand and execute their tasks with ease. In case of any challenges, it’s essential to take constructive steps such as providing additional training, adjusting workflows, or re-writing procedures to enhance their understanding and improve the overall third-party risk management process.  
• Consider third-party risk management software. If you manage your documents and records through a manual process, third-party risk management tools can help uncomplicate the process. Using a single document repository and automating workflows and reporting can streamline your process, ultimately leading to better risk management.

Developing a strong and scalable third-party risk management framework can provide significant benefits to your organization. This can be achieved through carefully considered and implemented requirements, rules, tools, and processes. A robust TPRM framework is necessary to reduce the likelihood of third-party risks, minimize financial and reputation damage, and enhance compliance with regulatory requirements. It can also ensure more effective resource allocation and accountability for those responsible for TPRM.