
A Walk Through the Interagency Guidance Third-Party Risk Management Lifecycle


Three federal agencies have traditionally set the standard for effective third-party risk management: the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC). Most notably, the agencies have published the Interagency Guidance on Third-Party Relationships: Risk Management. The guidance includes a simple lifecycle graphic, with an extensive description of each component to guide third-party engagements.

Even if your organization isn’t regulated by these agencies, it’s well worth your time and effort to familiarize yourself with this lifecycle to ensure you’re following best practices. It’s also helpful to understand Venminder’s linear lifecycle, which can help simplify the process of managing third-party relationships, while still maintaining compliance. 

The Interagency Guidance Third-Party Risk Management Lifecycle

[Figure: Interagency Guidance third-party risk management lifecycle]

  1. Planning – An organization should understand how to manage third-party risks before beginning a third-party relationship, especially when it involves critical or high-risk activities. This involves assessing the benefits and risks of the third-party relationship. Things to consider include:

    • The third party’s use of subcontractors 
    • How the third party will affect the organization’s customers
    • How the organization will assess, select, and monitor its third parties to ensure they remain compliant
    • The organization’s contingency plans if it needs to switch to another third party or bring the outsourced activity in-house
  2. Due Diligence and Third-Party Selection – The agencies make it clear that an organization should not select a third party without first conducting a thorough round of due diligence, which involves obtaining relevant information from the third party. This process serves two purposes:

    • Helps determine whether a third party can help an organization achieve its strategic and financial goals
    • Helps determine whether the organization can appropriately manage the third party’s risks

    Each third-party relationship will offer different benefits and risks, so due diligence should be based on the risk of the outsourced activity. The guidance provides a list of recommended factors to consider when conducting due diligence, including the third party’s: 

    • Business strategies and goals
    • Financial health and risk management policies
    • Information security implications 
    • Operational resilience
    • Incident management processes 
    • Reliance on subcontractors
  3. Contract Negotiation – The Interagency Guidance includes several important considerations in this section that go beyond typical contract components like cost and duration of contract term. Third parties may offer a standard contract template, but an organization should consider additional provisions or modifications that will satisfy its unique needs. Those provisions may include: 

    • Performance benchmarks
    • Insurance requirements
    • Subcontracting
    • Dispute resolution
    • Data retention specifications 

    A right-to-audit clause ensures an organization can collect certain information on request, such as SOC reports or financial and operational reviews. The guidance also suggests that an organization should consider choice-of-law and jurisdictional contract provisions when using foreign-based third parties.
  4. Ongoing Monitoring – This stage will generally include reviewing the third party’s performance and the effectiveness of its controls, as well as meeting with the third party to discuss issues related to performance and operations. An organization should regularly test its own controls to ensure they can properly manage third-party risks. These ongoing monitoring activities should be designed to do the following:

    • Confirm that the third party’s controls are effective and sustainable
    • Escalate issues or concerns such as poor financial health, security breaches, inconsistent service, and noncompliance
    • Respond to issues once they’re identified
  5. Termination – Organizations must consider how to effectively terminate a third-party relationship. Termination may occur because an organization wants to find an alternate third party or bring the activity in-house, or because the contract is expiring. Termination can also occur because the activity is being discontinued or the third party has breached the contract. Whatever the reason, an organization needs to consider details such as termination costs, how to manage third-party risks that occur with data retention and destruction, and whether this termination will impact its customers. 

[Figure: linear third-party risk management lifecycle]

In addition to the five phases of the lifecycle, the guidance recommends you keep the following three items in mind:

  • Oversight and Accountability – An organization’s board of directors should have ultimate oversight of its third-party risk management activities. The board of directors should provide guidance on the organization’s risk appetite, while senior management should be responsible for developing third-party risk management policies, procedures, and practices.  
  • Independent Reviews – Conduct periodic independent reviews of your third-party risk management program to assess its effectiveness. Reviews should consider whether third-party risks are effectively identified and monitored, and whether the organization has enough staffing and expertise to properly manage these risks. Independent reviews will help identify any gaps or any changes that need to be made.
  • Documentation and Reporting – Have a good method in place for maintaining documentation and reporting. Some details to document may include a current third-party inventory, risk assessments, due diligence results, and risk and performance metrics. The agencies recommend periodic reporting to the board, especially if the organization is dependent on a single third party for multiple activities. 

A Simplified Interpretation of the Third-Party Risk Management Lifecycle 

[Figure: Venminder third-party risk management lifecycle]

The Interagency Guidance depicts the third-party risk management lifecycle as a rotating circle with clearly labeled activities. Although this version is accurate, it can also create some confusion for those who may not be entirely familiar with the intricacies of third-party risk management. The circular lifecycle doesn’t clearly depict a beginning and an ending, nor does it describe which activities are repeated throughout the third-party relationship. For example, termination and planning sit side by side in the circular lifecycle, suggesting that they repeat, but each of these activities is performed only once during a vendor relationship.

A linear third-party risk management lifecycle describes the same essential activities, but in an easier-to-follow format. This representation shows the progression of steps, which gives users a simple reference point throughout the third-party relationship.

Here are some of the benefits of following a linear lifecycle:

  • Supports regulatory expectations – Although the linear lifecycle looks slightly different, you can rest assured that it follows the same guidelines set forth in the circular lifecycle. Each component is still represented, including the foundational elements of oversight and accountability, documentation and reporting, and independent reviews. 
  • User-friendly lifecycle stages – Onboarding, ongoing, and offboarding activities are clearly outlined in the linear lifecycle, giving organizations an easier way to identify which step to follow next. At any given time, your organization might have multiple third parties in each stage of the lifecycle, so it’s important that stakeholders can see this represented in a simple format.
  • Improved understanding of ongoing activities – Ongoing monitoring generally includes the assessment of a third party’s risk and performance, but there are other factors to consider, which are listed in the linear lifecycle. Contract renewals and periodic due diligence should also be included in the ongoing stage of the lifecycle.

Following the Interagency Guidance lifecycle is an important practice to ensure that your organization is compliant with regulatory expectations. While following the circular lifecycle is helpful, it’s worth considering referencing a more linear lifecycle that will keep your organization compliant and better prepared to consistently manage third-party risk. 
