
9 Steps to Creating an Effective Third-Party Risk Management Program

CPE Credit Eligible


Video Transcript

Hi – I’m John with Venminder. In this 90-second video, you are going to learn 9 steps to creating an effective third-party risk management program.

We recommend and have seen these steps carried out by our clients and across the industry.

Let’s dive right in.

1. Setting Expectations

Step one. Ensure everyone is on the same page by setting your organization’s initial expectations on how third parties will be managed. Decide if your program framework will be centralized, decentralized or hybrid. 

2. Define Lines of Defense

Step two is to take the time to understand and define the lines of defense. Make sure each line knows their role.

3. Develop Policy, Program and Procedures Documentation

Step three. Create concrete policy, program and procedures documentation. These will serve as reference points for all lines of defense on how they should manage third parties. 

4. Contract Management

Step four – you need to have a strong contract management program that ensures your contracts are not going to hinder your ability to truly manage your vendors.

5. Initial Due Diligence

Step five. Implement due diligence practices like vendor vetting BEFORE you sign a contract.

6. Risk Assessments

Step six. Assess each of your vendors’ level of risk to your organization. 

7. Ongoing Due Diligence

Step seven. Maintain your due diligence AFTER you sign the contract on an ongoing basis depending on their level of risk to you.

8. Analyze Due Diligence

Step eight. Don’t just gather due diligence; ensure you thoroughly analyze your vendor documentation to identify issues and risks.

9. Reportable and Actionable

And finally, step nine. Ensure you have processes in place to report vendor issues at your organization and how you will work with your vendor to address them.

Remember that, done well, a third-party risk management program can help your organization better understand its risk and take steps to mitigate that risk.

See you next time.
