The Lifecycle Approach to Third-Party Risk Management
Podcast Transcript
Hello there, this is Kelly Vick with Venminder
In today’s podcast, we’re going to talk about the lifecycle approach to third-party risk management and how it can help your organization better identify, assess, mitigate, and manage third-party risks throughout your vendor relationships.
Here at Venminder, we have a team of certified industry experts that can help your organization with every step of the lifecycle, from onboarding through ongoing monitoring to offboarding.
For many organizations, managing third parties throughout the entire relationship can be challenging, particularly as third-party inventories continue to grow. Fortunately, there’s a tried-and-true roadmap known as the third-party risk management lifecycle that can help.
So, let’s take a quick look at the three stages of the third-party risk management lifecycle:
- The first stage in the lifecycle is onboarding. It consists of planning, risk assessments, due diligence, and contracting. Following these steps ensures your organization has performed all the necessary activities before signing the third-party contract. It also helps you determine how to manage the relationship moving forward.
During the onboarding stage, you’ll plan for the vendor relationships and identify, assess, and mitigate the risks with the vendor’s product or service. You’ll also determine who will be responsible for managing the relationship.
Onboarding is an ideal time to develop an exit strategy to determine what your organization will need to do to exit the vendor relationship. Risk-based due diligence is an essential component of onboarding, where you’ll perform a deep dive into the vendor’s risk management practices and controls to determine if they’re sufficient. Finally, developing and negotiating the vendor contract so that risks are managed, and performance expectations are met sets the foundation for a successful relationship.
- The second stage is ongoing monitoring. It’s designed to help organizations keep a close eye on vendor relationships. You’ll identify if there are any new or emerging risks, if the third party’s risk profile has changed, and whether the third party’s controls are still sufficient to manage the known risks.
During ongoing monitoring, your organization should perform periodic risk re-assessments and due diligence, as well as consistently monitor both risk and performance. The intensity and frequency of each of these activities should be determined by both the risk and criticality of the product or service. Careful and consistent monitoring of your third-party relationships identifies problems and helps address them before they become material issues. Monitoring also provides essential information to determine if a contract should be renewed or terminated.
- The third and final stage is offboarding. When a third-party relationship comes to an end, it’s important to be able to exit it safely. The offboarding stage includes formal termination, executing the exit plan, and performing final closure steps.
During offboarding, your organization should carefully plan and refer to the third-party contract, seeking support from your legal team when necessary. It’s also important to review and finalize your exit plan so both your organization and the vendor understand their roles and responsibilities as the relationship comes to a close.
Finalizing key details, such as revoking vendor access, ensuring data has been returned or destroyed, and reviewing final invoices, is an essential step in securing a safe vendor exit. Remember to change the vendor’s status in key systems such as access management, procurement, and accounts payable. Vendor documentation should also be organized, appropriately archived, and accessible for any future audits or regulatory exams.
These three stages of the lifecycle are supported by three foundational elements of governance – oversight and accountability, documentation and reporting, and independent review. Let’s look at these a little closer:
- First, oversight and accountability defines and documents how the third-party risk management program is managed and who is responsible and accountable for each task and function. Typically, the board of directors and senior management, being the highest authorities and responsible for the effective execution of third-party risk management, determine the oversight and accountability roles.
- Next, documentation and reporting ensure all rules and requirements, as well as roles and responsibilities, are formalized through documents such as policies, programs, and procedures. Documentation showing evidence of activities like risk assessments, due diligence, and monitoring must be maintained and available to auditors and regulators. Reporting on the status of third-party risks, issues, performance, and the health and safety of the third-party risk management program is also a best practice.
- Finally, independent reviews help your program consistently improve. Independent auditors and third-party assessors should be treated as valuable assets that evaluate your program and provide feedback to ensure you're meeting best practices and regulatory guidance.
To conclude, following the third-party risk management lifecycle makes sure essential activities are completed in the right order and at the right time. It establishes a consistent approach to managing third-party relationships, laying the foundation for effective and efficient risk management, and it’s supported by oversight and accountability, documentation and reporting, and independent review, which are all essential to protect your organization and customers from third-party risks.
I hope you found this podcast insightful and thank you for tuning in; we’ll catch you next time!