How to Manage Third-Party Risk

Video Transcript

Your organization relies on a vast network of third-party vendors to help your operations run more effectively. But working with these third parties can pose risks and consequences. Think operational disruptions, reputational damage, and increased exposure to data breaches and cyberattacks. 

 It's essential to manage third party risks to protect your organization and its customers. While you can't eliminate all the risks, you can reduce them by following the steps of the third-party risk management lifecycle, which has three stages: onboarding, ongoing, and offboarding. 

Onboarding is the first stage in the lifecycle, and it contains 3 main activities: 

• First, plan for the relationship, including how you may need to exit it. You should complete an inherent risk assessment to determine if the vendor's product or service will be critical to your operations, as well as the types and amounts of risks that will need to be managed.  
• Next, perform due diligence on your third-party vendor. Due diligence gives better insight into the vendor's risk management activities and control environment. 
• The final onboarding step is drafting and negotiating the contract. This is one of the most important tools to manage third party risk. 

Ongoing is the second stage. It identifies new and emerging third party risks. Your vendors’ risk and performance can change after you sign the contract, so your third-party risk management program should always include ongoing activities. 

• Periodic risk re-assessments should be done at least annually for critical and high-risk vendors. Non-critical vendors with moderate risk can be re-assessed every 18 to 24 months. Low-risk vendors can be re-assessed every three years or at contract renewal. 
• The next part of the ongoing stage is risk and performance monitoring. This keeps you informed of any issues that may need to be addressed. For example, a significant decline in the vendor's performance may require you to follow through with your predetermined exit strategy. Or, through risk monitoring, your organization discovered a vendor has negative news about ongoing litigation. 
• The third step of the ongoing stage is contract renewals. Contract renewals should be planned well in advance to give you enough time to negotiate any changes or even decide against renewal. 
• Periodic due diligence reviews help confirm you have the most current documentation on file and verifies that the vendors control environment is still sufficient to mitigate risks. These reviews can be scheduled alongside the risk re-assessments but be aware of any documents that have expiration dates. You should always request things like insurance certificates and SOC reports whenever they expire, rather than waiting for the next scheduled review. 

Offboarding is the final stage in the lifecycle, which occurs whenever you decide to end the vendor relationship. This could be due to the contract term expiring or early termination due to unplanned circumstances. 

• The first step is termination, where you notify the vendor about ending the contract early or your decision not to renew. 
• Once you notify the vendor, you can move on to the exit plan execution. This involves following your exit strategy, which might be switching to a new vendor, bringing the outsourced activity in-house, or discontinuing the activity altogether. 
• The final step in off boarding is to perform third-party risk management closure. Whenever a vendor relationship ends, there are often a few administrative tasks that must be completed, such as paying final invoices and updating the vendor's status in all your systems. 

There you have it, a comprehensive strategy for managing third-party risks. Through the third-party risk management lifecycle, any organization, regardless of size or industry, can follow these steps and be confident their vendor relationships are safe and sound.