We can all agree there’s been an evolution of third-party risk management. Those shifts have been necessary to keep up with emerging risks, rapid-fire changes and technological advancements that are part of today's business world. And, while keeping up with these changes keeps us all busy, one particular element of third-party risk management hasn't changed: the third-party risk management lifecycle. That is… it hasn't changed until now.
The OLD TPRM Lifecycle:
A dizzy wheel of overlapping processes
Whether you’re an experienced professional or new to vendor risk management, you’re likely aware of the third-party risk management lifecycle. Often represented as a rotating wheel, the third-party risk management lifecycle symbolizes the repeated processes of identifying and managing the risks associated with your vendor for the lifetime of the relationship.
But does the rotating lifecycle ever make you dizzy?
Do you know where each stage begins and ends?
Have you ever wished for a more user-friendly explanation of when and how the onboarding, ongoing management and offboarding of your vendor relationships occur?
If you or your stakeholders have been confused by the circular depiction of how you should manage vendor risk, you are not alone.
Let's face it. Vendor risk management is a complex process, but it doesn't have to be THIS confusing. As leaders in the third-party risk management space, we had also built our own dizzy wheel, but as we’ve watched others in the market continue to add A LOT more complexity to their wheels, we’ve seen growing confusion and project paralysis as people got overwhelmed trying to understand the third-party risk management process. It became very clear, as we listened to our peers and customers, that vendor risk managers and their stakeholders need better and easier-to-understand processes rather than more complexity.
The NEW TPRM Lifecycle:
A linear path of three stages
Venminder is a company dedicated to simplifying the third-party risk management process. We live to make third-party risk and vendor risk management accessible, effective and straightforward. And speaking of straightforward, we are saying goodbye to the circular lifecycle. We are excitedly replacing it with a new and improved linear path.
Yes, you read that correctly… Venminder has retired the wheel.
While we’re at it, we’ve simplified the lifecycle into three stages: Onboarding, Ongoing and Offboarding.
So, why a Linear Path?
If you are thinking, "Wait, can they do that?", let us share the compelling rationale for this change.
- The actual lifecycle for any vendor relationship only consists of three stages: the beginning (onboarding stage), the middle (the ongoing stage) and the end (the offboarding stage).
- Some specific activities are repeated during the ongoing stage (risk assessment, performance monitoring, refreshed due diligence, etc.). However, many of the activities are only done once, at the beginning or end of the relationship. Not everything repeats as characterized by the rotating wheel.
- The linear lifecycle can work for any organization of any size, regulated or not.
- Stakeholders with limited understanding or expertise can easily follow the steps and activities throughout the lifecycle and understand the different risk considerations during each stage of the lifecycle.
At this point, you might ask: "Isn't the circular lifecycle a regulatory standard?" And that is an excellent question, as regulatory guidance has also been the foundation for today's best practices. All third-party risk management lifecycle activities, detailed in various regulatory guidance, are considered and incorporated into the new linear lifecycle and its three stages. Furthermore, the new linear third-party risk management lifecycle is supported by the same foundational elements of accountability and oversight.
About our New Linear Lifecycle
The new linear third-party risk management lifecycle provides important clarity for all stakeholders, leading to improved vendor risk management practices.
While not exactly rocket science, changing the revolving wheel into a path makes A LOT of sense, especially when you think about the three stages of a vendor lifecycle. The three stages are:
- Onboarding: This is the stage at the beginning of the vendor relationship where the organization plans the relationship with the vendor, determines the owner of the vendor relationship and identifies and assesses the risk of the new relationship. During onboarding, the organization determines if the relationship will be critical to its operations or customers. Once the risks and criticality are known, creating a realistic exit strategy for ending the relationship is essential. Then it is time for risk-based due diligence to validate your vendor's control environment. After due diligence is complete, the contract negotiations are finalized and executed. Your vendor is officially on board.
- Ongoing: Your vendor actively provides products and services to your organization or its customers during this stage. In turn, healthy third-party risk management practices require you to monitor vendor performance and new or emerging risks, periodically conduct and complete risk assessments and refresh your due diligence. If you intend to renew the contract, your organization will need ample time to prepare and renegotiate it.
- Offboarding: Vendor relationships do come to an end eventually. It might be because the work has been completed, your organization's needs have changed or the vendor's performance hasn’t met expectations. Whatever the reason, your organization needs a standardized process to safely and soundly exit the relationship and tie up any loose ends.
Three stages. It sounds so simple, and in many ways, it is. That isn’t to say that there is no complexity to third-party risk management. Effective third-party risk management depends on the timely, accurate and detailed completion of many interdependent processes, but there are better ways to reach the goal. Keeping the third-party risk management process straightforward and easy to understand is one of the best ways to accomplish the objective.
We’re very excited about this change as it will simplify the process for many third-party risk practitioners and their stakeholders. We avidly believe the new lifecycle will improve third-party risk management as a result.
So, farewell third-party risk management wheel; we are on a more straightforward path now!