Supporting Elements
FOUNDATION
There are peripheral activities that help guide, manage and integrate the lifecycle.
Oversight & Accountability
Determining oversight and accountability roles and requirements is generally done by a board of directors or executive leadership team and communicated through official, governing documents.
Documentation & Reporting
It’s important to create third-party risk management governance documents. A policy, program and procedures are common governance documents used to communicate third-party risk management roles and responsibilities throughout an organization.
Independent Reviews
Think of independent audit and third-party assessors as assets: ones that keep you honest, help ensure your program meets regulatory guidance, and test you to make sure you can prove, at any given time, that you’re doing what you should.
Download Toolkit
Learn the steps of the lifecycle to protect your organization from vendor risks. Within this toolkit, you will receive:
• eBook
• Infographic
• PowerPoint Template
• Printable 1-Page PDF
Scoping
Scope for what does and doesn’t need to go through this lifecycle process.
What is it?
Scoping is defining what a vendor, service provider or third party is to your organization. Customers, clients and potentially certain partner types should generally be excluded from this process.
A good practice is to establish a repeatable process that helps verify all the appropriate relationships make it into the lifecycle, by having each new relationship reported to the people who manage it. This could be anything from sending an email to submitting a ticket to let risk managers know a potential new vendor is being considered. Ideally, this is the point at which third-party risk professionals determine whether the engagement falls in scope for further vetting.
What you'll learn
What each stage is
What to know for each stage
Behind the scenes tasks you need to complete throughout the lifecycle
Inherent Risk & Criticality Assessment
STAGE 1
Helps determine the highest amount of risk that the engagement could potentially pose to your organization.
What is it?
Determining the inherent risk and criticality is an imperative first step of a vendor engagement, as it paves the way for appropriate, risk-based due diligence.
Inherent risk is the assessment of risk based solely on the nature of the relationship, without consideration of any precautions or controls that are in place. It is often rated on a tiered scale, typically low, moderate and high risk.
Criticality is a determination of the business impact an engagement may have, or whether a particular service would be critical to your internal operations. This is typically classified as a critical or non-critical vendor.
Example
A good practice is to establish a repeatable process for verifying that all vendors who should be in scope actually go through the lifecycle. To do this, ensure there is a method or process in place that sends reports about those vendors to the people who manage them, so that they are aware.
Due Diligence & Residual Risk Determination
STAGE 2
Determine the best way to ensure the inherent risk is mitigated appropriately and effectively.
What is it?
Now that you understand the inherent risk, as well as how critical the service might be, you can determine the best way to ensure that risk is mitigated appropriately and effectively. To do this, conduct due diligence.
Conducting due diligence is another way of saying do your homework: know what you’re getting yourself into.
Do the research before tying your organization to another. In practice this means collecting and validating information from and about the vendor, then taking into account the controls that mitigate, or reduce, the inherent risk; the risk that remains after those controls is the residual risk.
Vendor Selection & Contract Management
STAGE 3
Administration of written agreements with third parties that provide your organization with products or services.
What is it?
Now that you’ve completed a risk assessment by identifying both the inherent and residual risk levels, and provided the relationship’s residual risk is acceptable, it’s time to consider the contract.
For new engagements, you can make an informed choice of which vendor to move forward with; for existing vendors, you can use the risk assessment and due diligence data to determine whether any provisions should be added at the next contract review. Be sure to keep track of important contract term dates and SLAs along the way.
Ongoing Monitoring
STAGE 4
It’s important to keep an eye on your vendors after you sign a contract to ensure you’re remaining aware of any new risk posed.
What is it?
Now that the risk assessment, due diligence and contract execution are complete, the ongoing monitoring stage begins. Keeping an eye on your vendors after the contract is signed ensures you stay aware of any new risk they pose.
Ongoing monitoring includes:
• SLA tracking and monitoring
• Staying abreast of any issues or changes
• Periodic risk assessments
Termination
Finally, there comes a time when an engagement must come to an end.
What is it?
Whether it’s because of a vendor’s failure to perform, a contract term is up or you simply need to move on to bigger and better things, there should always be some consideration of what the termination process may look like for any particular vendor.
Follow your exit strategy and be sure you’re terminating the relationship in accordance with the contracted terms.
Interactive Guide to Third-Party Risk Management Lifecycle
Learn the steps of the lifecycle to protect your organization from vendor risks.
Third Party Risk Management Program Toolkit
Outer Layers
Learn about Oversight & Accountability, Documentation & Reporting and Independent Reviews
Scoping
A great way to ensure you’re getting the most out of your (probably limited) third-party risk management resources is having a clearly defined scope for what does and doesn't need to go through this process.
Lifecycle stages
Stage 1: Inherent Risk & Criticality Assessment
Stage 2: Due Diligence & Residual Risk Determination
Stage 3: Vendor Selection & Contract Management
Stage 4: Ongoing Monitoring
Termination
Finally, there comes a time when an engagement must come to an end. Whether it’s because of a vendor’s failure to perform, a contract term is up or you simply need to move on to bigger and better things, there should always be some consideration of what the termination process may look like for any particular vendor.
5 Best Practices to Consider During the Entire Third-Party Risk Management Lifecycle
When done well, the third-party risk management lifecycle keeps your organization on track and protected from vendor risk that can be avoided.