Top 21 Third-Party Risk Management Resources for Beginners
01
Regardless of your industry, the third-party risk management lifecycle is a practical, risk-based framework to identify and mitigate issues that come from third-party relationships, while also explaining ongoing and offboarding activities. Use this lifecycle to optimize your third-party risk management program and resources, achieve regulatory compliance, and protect your organization and its customers from vendor risk.
The Third-Party Risk Management Lifecycle
02
Check out this free policy template that contains best practice policy content, descriptions, and processes your organization can use as the foundation to customize and align to your own third-party risk management framework.
Third-Party Risk Management Policy Template
template
03
Due diligence is not a static, one-time event. It should be refreshed periodically, be risk-based, and be tailored to match the product or service provided by a third party, along with the level of risk. We’ve put together a checklist with items you may want to gather based on whether your vendor is classified as low, moderate, or high risk.
Due Diligence Checklist for Low, Moderate, and High-Risk Vendors
checklist
04
Collecting vendor due diligence can feel extremely challenging. You feel like you’re constantly calling, emailing, and chasing your vendors to obtain the report you’ve needed for weeks. Then, once you’ve received the report, you realize the battle is only half over. You, or a subject matter expert (SME), must fully analyze and write a thorough assessment with your findings. In this eBook, we’ll break down how to do vendor due diligence reviews on 6 of the most common due diligence documents we see every day.
How to Do Vendor Due Diligence Reviews: The Complete Breakdown
ebook
05
Your critical vendors provide products or services your organization is highly dependent on. One of the most challenging exercises in third-party risk management is learning how to establish standards for identifying who those critical vendors are. Learn the questions you can ask to determine if a vendor is critical or non-critical.
Identifying Critical Vendors: 6 Fool-Proof Questions
infographic
06
To verify your vendor has adequate internal controls in place to protect your data, you must request and assess their SOC reports. It can be confusing to understand what each SOC report covers and what each report means. To help guide you and your team in understanding what those differences are, we’ve created a simple one-page infographic.
Understanding the Differences Between a Vendor SOC 1, 2, 3
infographic
07
Third-party risk management guidelines and regulations are no longer only issued by financial services regulatory agencies. Many other industries are seeing the value in managing risk and looking at it with more scrutiny, and it’s always recommended to look to one another and follow current third-party risk management best practices. This eBook contains helpful information and tips to comply with some of the third-party risk management guidance and regulations across different industries.
Third-Party Risk Management Guidance and Regulations
ebook
08
As part of your vendor due diligence process, and regardless of risk level, there are 19 things your organization should be doing when vetting all third parties. Don’t overlook these 19 items on any vendor with which you do business.
Vendor Vetting: 19 Things You Should Be Doing
ebook
09
The time has come to prepare for an audit or regulatory exam. The process can be time-consuming and nerve-racking, even for experienced professionals. Sticking to a simple game plan will make an audit of any type much easier to manage. We’ve developed a handy checklist to help you ensure you’re prepared for your next audit or regulatory exam.
Third-Party Risk Management Audit or Regulatory Exam
checklist
14
In order to fully understand vendor risk, you need to closely examine cybersecurity protocols. Asking the right questions and obtaining proper documentation will help you more accurately assess the risk posed to your organization. To help ensure you gather the information you need when analyzing your vendor’s cybersecurity, use this handy checklist.
Vendor Cybersecurity
checklist
11
Reviewing a SOC report is an important step in the vendor due diligence process. The report should tell you if your vendor has what’s needed to secure your data. We know that assessing vendor SOC reports can be challenging. This eBook guides you through the review process and how to mitigate risk.
How to Review a Vendor SOC Report
ebook
12
During the ongoing stage of the third-party risk management lifecycle, it's important to stay on top of upcoming vendor contract renewals. The contract renewal process is just as significant as the first time you signed on the dotted line. This helpful checklist will assist you throughout the process.
Vendor Contract Renewals
checklist
10
A primary pain point organizations are currently facing in third-party risk management is the document collection process. While it may be a time-consuming process, it’s crucial that you handle each step thoroughly. That’s why we’ve put together this infographic with 10 tips to help you collect vendor due diligence documents more efficiently.
10 Tips for Collecting Vendor Due Diligence Documents
infographic
13
Third-party risk management is a complex process that involves many rules, requirements, and processes, all of which must be formalized and documented. There are typically three governance documents: policy, program, and procedures. This eBook will explain what each document is intended to accomplish, what content it should contain, for whom it’s intended, as well as helpful tips.
Guide to Your Third-Party Risk Management Policy, Program, and Procedures
ebook
15
It’s not uncommon for vendor risk assessment terms to get mixed up or seem like the same thing. However, while all are important, there are differences to be aware of between questionnaires, risk assessments, due diligence, and continuous monitoring. These four activities will tell you the type and amount of risk associated with the vendor, the effectiveness of the vendor’s control environment, and whether the risk is changing. This infographic provides a breakdown.
The Differences Between Vendor Assessments, Questionnaires, Due Diligence, and Continuous Monitoring
infographic
16
Data breaches have been on the rise lately. Hackers don’t discriminate when looking for an asset to attack. It’s not so much IF you’ll be breached, but WHEN. In this infographic, learn what a vendor data breach means to you and the next steps and best practices to implement to handle the breach so that it limits the impact to you and your customers.
My Vendor Has Suffered a Data Breach. Now What?
infographic
17
Your organization probably dedicates a lot of thought, time, and resources to its business continuity (BC) and disaster recovery (DR) planning and testing. Similarly, your third-party vendors should be just as committed to their plans and testing. How do you confirm that your vendors have effective business continuity and disaster recovery plans? This eBook covers the main sections that you should be searching for in each plan and what to know about each of them.
How to Analyze a Vendor’s Business Continuity and Disaster Recovery Plans
ebook
18
As part of your vendor management, you should be reviewing your vendor’s financial statements. But what happens if you see a decline in that vendor’s income and financial performance? To protect your organization there are some warning signs to look out for. We’ve put together an infographic to help you and your team be aware of what the consequences are and your steps for recourse.
Vendor Financial Health Monitoring: Warning Signs to Watch Out For
infographic
19
Vendor relationships can end for many reasons. Your organization’s needs may have shifted and you’re looking for a different vendor that better aligns with your strategic goals, or maybe your vendor is no longer meeting service level requirements. Whatever the reason for ending the relationship, you want to ensure you have an established offboarding process that minimizes any issues.
Offboarding a Vendor
toolkit
20
Having a limited number of resources can present challenges for your third-party risk management team. However, if your employees spend less time using ineffective, manual processes, they’ll have more time and capacity to manage third-party risk. Understanding how to maximize your resources will take some effort, but it’s a worthwhile goal to help your organization manage risk, regardless of limitations.
How to Maximize Your Third-Party Risk Management Resources
ebook
21
Where do you begin with the daunting task of designing, implementing, and managing a third-party risk management program? It’s not always clear what the process should entail or how it should be executed. This comprehensive eBook explains the foundational components of a third-party risk management framework to help you build or improve your program.
Framework for a Successful Third-Party Risk Management Program
ebook