
THIRD-PARTY RISK

MANAGEMENT BEST
PRACTICES
Expert Advice for an Effective & Efficient Program

EXPERT GUIDE
CONTENTS
03 Introduction

06 Program Building Blocks: Onboarding & Ongoing Monitoring

10 Inherent Risk Best Practices

15 Residual Risk and Review Cadences

17 Getting Outside Help: External Content and Managed Services

19 Assessing Your Program’s Maturity and Identifying Steps to Improve

THIRD-PARTY RISK MANAGEMENT BEST PRACTICES | 2


1. INTRODUCTION

ProcessUnity specializes in helping its clients automate their Third-Party Risk Management (TPRM) programs. Through
the years, we have helped hundreds of customers implement efficient and effective processes that drive risk out of
their businesses. Our team developed this guide to showcase a number of the best practices we see in modern TPRM
programs. Our hope is that you find a few “nuggets of wisdom” that you can take back to your company, program
and team and continue to mature your TPRM processes.

In the following pages, this document will:

• Define the building blocks of TPRM programs – both pre- and post-contract
• Examine the importance of inherent risk calculations
• Demonstrate how residual risk helps determine ongoing review cadences
• Outline how to augment your team with external expert content and managed services
• Help you rate your program’s maturity and provide next steps for improvement

Getting Grounded: Third-Party Risk Management Defined


Before we get into the meat of this guide, let’s take a minute to get on the same page regarding TPRM.

Most companies have some semblance of Governance, Risk and Compliance (GRC) management in place today.
Governance is all about setting goals and objectives for the organizations and setting the tone from the executive
team and board of directors.

Figure 1.1 – Third-Party Risk Management. The figure shows the same GRC structure on both sides: Governance (policies & procedures management), Risk (controls across financial, IT, operational, brand & reputation, business continuity, information security, sales & ethics, legal & litigation, personnel, security & privacy, health & safety and product quality risks) and Compliance management exist inside YOUR ORGANIZATION and, mirrored, inside each THIRD-PARTY ORGANIZATION. Third-party risk is the bridge between the two.



Risk Management examines what could go wrong and potentially prevent the organization from achieving its goals. Wherever possible, companies put controls in place to mitigate those risks to protect against negative outcomes.

Compliance is all about following the rules – whether they be laws, regulations, standards or operating guidelines outlined by government or industry regulators. Companies establish policies and procedures to ensure that employees follow proper steps for everyday business operations.

These days, organizations work with many outside vendors, third parties and suppliers. It’s important to make sure that any outside business partner has its act together in terms of governance, risk and compliance. If they don’t, their actions (or lack thereof) could come back to bite you. Third-Party Risk Management is putting a spotlight on the policies, procedures, risks and controls of the outside companies you work with.

It’s important for third parties to be just as buttoned up and conscientious as your organization is. A history of effective collaboration and strong relationships isn’t enough. Companies need to examine the businesses of their partners to ensure those vendors are doing things as they should. Trust, but verify.

“People don’t do what you expect but what you inspect.”
- Louis V. Gerstner, Jr.

Ultimately, your company will be held accountable for the missteps or failures of your business partners, and the responsibility to ensure your third parties are conducting business responsibly is yours. Monitoring and inspecting your third parties is increasingly important to good corporate governance.

The Third-Party Risk Lifecycle

There are three primary components required to launch a successful program:

1. Onboarding
2. Due diligence
3. Ongoing monitoring

Figure 1.2 – The Third-Party Risk Management Lifecycle. The eight stages and the goal of each:

• Onboarding: Establish an enterprise-wide process
• Due Diligence: Enforce objectivity within your vendor process
• Ongoing Monitoring: Streamline processes while reducing errors
• On-Site Assessment: Systematically conduct and document
• Control Reviews: Manage with consistency
• Performance Reviews: Create a unified process
• Contract SLA Monitoring: Document, monitor and record
• Issue Management: Formally track vendor issues



Most organizations struggle with the administration-heavy burdens associated with initial onboarding and due diligence that happens pre-contract, and with ongoing monitoring that happens post-contract. The cumbersome administrative tasks associated with these key steps bog many companies down, especially companies with smaller risk management teams.

Teams that overcome the challenges of these initial lifecycle steps can expand their program and potentially transform their organization’s TPRM efforts from a cost center into an ROI center where:

• Underperforming vendors can be weeded out and swapped for higher performing partners;
• More favorable contracts can be negotiated to improve service and lower costs; and,
• SLA violations can be easily identified, penalties collected, and that information can be used in future negotiations.

When the onboarding, due diligence and ongoing monitoring building blocks are complete, teams can easily transition into more mature activities that generate real value and make their program shine.

TPRM Challenges Organizations Face Today

Companies face myriad challenges today related to TPRM. A few of them include:

• Tiering Vendors: Which vendors are the most critical? The riskiest?
• Engaging the Business: How can you involve lines-of-business, executives and board members in TPRM processes?
• Storage: What’s the best way to organize and store the data required to properly vet your vendors?
• Depth: Where do you draw the line? Fourth parties? Fifth?

It’s not going to get easier:

• Companies work with more third- and fourth-party vendors than ever before.
• Hackers and malicious actors keep inventing new ways to harm businesses.
• New regulations keep popping up – and existing ones continue to evolve.
• Vendors are buckling from the sheer volume of due diligence requests.

The bottom line: Organizations need to pay a great deal of attention to third-party risk, and they need to implement a program that reduces inefficiencies to drive out as much risk as possible. In the next section, we’ll introduce foundational building blocks to a world-class TPRM program.



2. PROGRAM BUILDING BLOCKS: ONBOARDING & ONGOING MONITORING

When building or up-leveling a TPRM program, it’s important to recognize that work happens both before and after signing a contract.

• The pre-contract onboarding process – usually consisting of an inherent risk assessment and initial due diligence review – is designed to keep as much risk out from the start.
• Post-contract processes – ongoing monitoring and service reviews – are put in place to make sure nothing has changed with vendors over time and to check that vendors are delivering their services in accordance with expectations.

Throughout pre- and post-contract work, there will be issues that arise. TPRM teams need capabilities to identify, track and remediate those issues appropriately.

An important note: The base process flows described in the coming pages will vary from organization to organization based on company size, the maturity of the program, industry and more. There is no “one-size-fits-all approach,” and TPRM teams should adapt these models to fit their specific business requirements.

Figure 2.1 – Pre- and post-contract TPRM process flows. Pre-contract, the Onboarding Workflow runs an Inherent Risk Assessment followed by a Due Diligence Assessment. Post-contract, the Ongoing Monitoring Workflow repeats the Due Diligence Assessment periodically and adds a Service Review. Issue Management & Remediation spans both workflows.



Vendor Onboarding Workflow

There are three primary actors in the vendor onboarding workflow:

1. Line-of-Business (LOB) User: A member of the organization (HR, finance, legal, etc.) who needs to onboard a new vendor
2. Third-Party Manager: The person or team that vets the vendors, responsible for keeping as much risk out of the organization as possible
3. Third-Party Contact: The vendors’ representative(s) that respond(s) to due diligence and assessment requests throughout the process

Figure 2.2 – The vendor onboarding workflow. Swim lanes for the Line of Business, the Third-Party Manager and the Third-Party Contact, with these steps: 1. Request Third-Party Service (LOB) → 2. Review Request? (Third-Party Manager; “No” returns a Request Denied to the LOB, “Yes” advances the request and assigns an Inherent Risk Level). A Low inherent risk level goes straight to step 8; Critical / High / Medium goes to 3. Send Assessment → 4. Assessment Response (Third-Party Contact, with a Follow Up loop until the response is complete) → 5. Analyze Assessment → 6. Create Related Issues → 7. Close Assessment → 8. Agreement in Review → Approved.

The onboarding workflow triggers when the organization needs to contract with a new vendor. Here’s how the process works:

1. A new office is opening in the EU, and there is a need for a payroll provider who can pay the employees internationally. [Step 1] A payroll or HR person (LOB user) initiates a request to the third-party risk management team.

2. [Step 2] The third-party manager works with the LOB user to determine how much risk there is in working with the vendor (inherent risk assessment) and checks to see if a similar service or vendor is already under contract (to avoid duplication).

3. Based on the initial inherent risk rating, an assessment questionnaire [Step 3] is sent to the vendor requesting it provide more in-depth information [Step 4] for the organization to analyze and evaluate.

   a. Not all vendors will have to go through the entire process. The inherent risk some vendors pose may be determined to be low. Lower-risk vendors may not have to respond to due diligence questionnaires.

   b. More risky vendors will need to go through a deeper assessment process.

4. The completed assessment is received and analyzed [Step 5], issues are then created [Step 6], and the assessment is closed [Step 7].

5. Ideally everything is good, the request is approved, and contracts and agreements are executed [Step 8].

The details of the onboarding workflow process will vary among companies based on each individual company’s risk profile. Some companies may have additional steps that include routing specific assessment responses to subject matter experts (SMEs) for cybersecurity or to a financial specialist to determine that a vendor’s financial viability is acceptable. Different paths exist for different organizations.



Ongoing Monitoring Workflow: Periodic Due Diligence

Following the signing of contracts, the due diligence process repeats periodically to make sure the vendor continues to operate within acceptable risk levels. The ongoing monitoring flow is a subset of the onboarding process minus the interaction with the LOB user and contract signatures. The interval between assessments varies greatly for different third parties depending on business type and risk profile. (We’ll discuss how residual risk can determine ongoing review cadences later in this guide.)

Figure 2.3 – The ongoing monitoring process flow. The Line of Business has no step in this flow. Third-Party Manager: 1. Send Assessment → Third-Party Contact: 2. Assessment Response (with a Follow Up loop as needed) → Third-Party Manager: 3. Analyze Assessment → 4. Create Related Issues → 5. Close Assessment.



Vendor Service Reviews
Performed periodically, vendor service reviews help organizations determine if third parties are performing as
expected. Sometimes service reviews reveal opportunities to renegotiate contracts or switch to vendors that are a
better organizational fit. This process is a two-way conversation between the third-party manager and the team or
department consuming the vendor service.

Figure 2.4 – The vendor service review workflow. Third-Party Manager: 1. Send Service Review → Line of Business: 2. Complete Service Review. The Third-Party Contact is not part of this flow.

Issue Management and Remediation

Interaction between an organization’s team and vendors provides opportunities to flag existing and latent issues, revisit them during reviews and contract negotiations, and use them to write protective terms into future contracts and service level agreements (SLAs).



3. INHERENT RISK BEST PRACTICES

Determining a vendor’s inherent risk level is a critical step in determining how much initial due diligence is required during initial onboarding and how often periodic assessments are performed for ongoing monitoring. Riskier vendors should get more attention, and inherent risk calculations determine who warrants that extra attention.

Risk Domains Help Define Inherent Risk Questions

Typically, inherent risk is determined via communication between the LOB user requesting a vendor service and the third-party manager. There is usually some sort of short questionnaire or form completed by the requestor.

There are nine risk domains TPRM teams can look at to determine the right mix of inherent risk questions for their company:

• Identity: Is this vendor who it says it is? Is it a real company?
• Information security: Is the vendor handling sensitive information/data?
• Geographic: Where is the vendor located? Could its location lead to a supply chain disruption?
• Financial: Is the vendor paying its bills? Will it continue to be in business in a year?
• Business Continuity: Does the vendor have a plan in place in case something goes wrong?
• Fourth Party: Is the vendor working with fourth parties? What risk do its fourth parties present?
• Reputation: Is there negative news about the vendor that may cause reputational and brand damage by associating with them?
• Compliance: Is the vendor in compliance with rules and regulations?
• Conflict of interest: Are there any personal conflicts of interest with vendor personnel? Does the business have unidentified beneficial owners to consider?

Build Your Inherent Risk Questionnaire

Based on the type of business they’re in, organizations should craft a set of questions using these risk domains that will ultimately help calculate vendors’ risk level. Here’s a sample of ten common questions third-party managers can ask their LOB users:

1. What is the expected annual contract amount? (Risk domains: financial, business continuity)
2. Is the third-party service performed domestically? (Risk domain: geographic)
3. Is the service essential to the operations of the company? (Risk domain: business continuity)
4. How difficult would it be to replace this service? (Risk domain: business continuity)
5. What is the expected annual volume of records that will be accessed, processed, stored, or transmitted by this third party? (Risk domain: information security)
6. Is any part of the third-party service being provided subject to any regulatory and/or compliance requirements? (Risk domain: compliance)
7. Does this third party store, process, or transmit personally identifiable information (PII) or protected health information (PHI) as part of this service? (Risk domain: information security)
8. Is the service delivered as a cloud-based solution? (Risk domain: information security)
9. Does this third party have access to our IT network or technical infrastructure? (Risk domain: information security)
10. Does the third party outsource any part of the service? (Risk domains: information security, geographic)



Define Your Risk Tiers

The questions asked and answers obtained will ultimately result in an inherent risk score. That score should fit into a category or tier. Tiering systems across organizations will vary based on the unique identity of each organization. Examples of common inherent risk tiering systems include:

Figure 3.1 – Risk tier examples: three tiers (LOW / MEDIUM / HIGH); four tiers (LOW / MEDIUM / HIGH / CRITICAL); letter grades (D / C / B / A); and a numeric scale from 1 to 10.

Build a Scoring System

Once a risk tier system is determined (we’ll use Low, Medium, High and Critical for our purposes), work needs to be done to assign points to the risk domain questions so that vendors can be scored and designated into appropriate risk tiers.

When reviewing the ten sample questions outlined previously, Question 3 jumps out as the most important.

Question 3: Is the service essential to the operations of the company?

Clearly, if the answer to this is yes, the vendor should be placed in the Critical inherent risk tier.

But things get trickier with the other nine questions. Many organizations establish structures where the combination of answers in conjunction with each other leads to tier designations. Establishing a system like this can take a lot of time in online meetings and conference rooms – it’s important to take the time to get it right because inherent risk plays a big role throughout your program.

So, the answer to one question may mean an automatic Critical designation, and answers to a number of other questions in conjunction with each other may also add up to a Critical designation.

To explore this a bit further: if the answer to Question 3, “Is the service essential to the operations of the company?” is yes, it is assigned 12 points and reaches the Critical threshold on its own. A vendor would also be deemed Critical if the answers to six different questions each generate 2 points.

Figure 3.2 – Assigning point values to inherent risk questions



In this example, the scoring system is clearly and logically structured, and was designed with the organization’s specific needs and considerations at the forefront during development.

RISK CLASSIFICATION VALUES

Low: 0-5    Medium: 6-7    High: 8-11    Critical: 12+

Intake Questions                                          Point Values
Service is essential to company operations                12
Annual contract amount >$500,000                          6
A part of the service is performed internationally        2
Difficult to replace service with alternative             2
High annual record volume                                 2
Service is subject to regulatory requirements             2
Third party has access to PII or PHI                      2
Service is delivered as a cloud-based solution            2
Third party has access to our technical infrastructure    2
Third party outsources a portion of the service           2

Figure 3.3 – Building an inherent risk scoring system



Before deploying the scoring system, it’s important to check the math against a sampling of your vendor population.

Figure 3.4 – Testing an inherent risk scoring system

Testing is a key part of the scoring system development process, and answers the question, “Does this make sense for us?”

In test scenarios, a major bank, a records shredder and a landscaping contractor are all scored. The company’s bank is essential to operations and therefore deemed a Critical vendor. The answers to the remaining questions aren’t even needed.

The records shredder is a little different. It’s not essential, not a big contract, and the service is performed domestically. However, the vendor is difficult to replace, it will touch a high volume of records, it will have personally identifiable information to shred, and there will be regulatory issues to consider. These four answers add up to 8 points, which leads to a High-risk designation.

At the other end of the spectrum is the company responsible for snow plowing in the winter and facility landscaping during warmer months. The only points they scored were earned because they outsource to a vendor that plants flowers in the spring. The vendor is not a risk to the company and is designated in the Low risk tier.

The system was designed and successfully tested, and now the Low, Medium, High and Critical designations can be used to scope the amount of due diligence for vendors – the due diligence depth the company goes to with each vendor.

Figure 3.5 – Use inherent risk scores to auto-scope due diligence:

LOW (0-5): No further due diligence required
MEDIUM (6-7): Light due diligence required
HIGH (8-11): Medium due diligence required
CRITICAL (12+): Intensive due diligence required

For a low risk vendor, no due diligence is required; the contract is signed, and business engaged. As the organization engages with medium, high, and critical risk vendors, more time will be spent on the assessments and they will go deeper.
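The scoring system in Figures 3.3 to 3.5, and the “check the math” step of Figure 3.4, can be written down as a small program so that the point values, the thresholds and the test vendors live in one place and can be re-run every time the risk team changes a number. The following is an added example, not ProcessUnity code or any vendor’s product logic: the point values and tier thresholds are the ones printed in Figure 3.3, the question identifiers are my own, and the “yes” answers given to the bank beyond Question 3 are constructed (the text says those answers are not needed, which the example bears out).

```python
"""Inherent risk scoring and tier assignment (Figures 3.3 to 3.5).

Added example, not ProcessUnity code. The question identifiers are assumptions;
the point values and tier thresholds are the ones in Figure 3.3.
"""
from dataclasses import dataclass

# Point values from Figure 3.3, keyed by an identifier assigned here to each
# of the ten intake questions (the comment gives the question number).
POINT_VALUES: dict[str, int] = {
    "essential_to_operations": 12,      # Question 3
    "contract_over_500k": 6,            # Question 1
    "performed_internationally": 2,     # Question 2
    "difficult_to_replace": 2,          # Question 4
    "high_record_volume": 2,            # Question 5
    "regulatory_requirements": 2,       # Question 6
    "pii_or_phi_access": 2,             # Question 7
    "cloud_delivered": 2,               # Question 8
    "infrastructure_access": 2,         # Question 9
    "outsources_portion": 2,            # Question 10
}

# Tier lower bounds from Figure 3.3 and the due-diligence scope each tier
# maps to in Figure 3.5, highest tier first.
TIERS: list[tuple[int, str, str]] = [
    (12, "Critical", "Intensive due diligence required"),
    (8, "High", "Medium due diligence required"),
    (6, "Medium", "Light due diligence required"),
    (0, "Low", "No further due diligence required"),
]


@dataclass(frozen=True)
class InherentRisk:
    score: int
    tier: str
    due_diligence: str
    drivers: tuple[str, ...]   # the "yes" answers that contributed points


def score_intake(answers: dict[str, bool]) -> InherentRisk:
    """Sum the points of every 'yes' answer and map the total onto a tier.

    Unanswered questions count as 'no'; unknown question keys are rejected so
    a renamed question cannot silently drop out of the score.
    """
    unknown = set(answers) - set(POINT_VALUES)
    if unknown:
        raise ValueError(f"unknown intake questions: {sorted(unknown)}")
    drivers = tuple(q for q in POINT_VALUES if answers.get(q, False))
    score = sum(POINT_VALUES[q] for q in drivers)
    for minimum, tier, scope in TIERS:
        if score >= minimum:
            return InherentRisk(score, tier, scope, drivers)
    raise AssertionError("TIERS must end with a 0 lower bound")


def validate_scoring(sample: dict[str, tuple[dict[str, bool], str]]) -> list[str]:
    """Figure 3.4: check the math against a sample of the vendor population.

    Returns one line per vendor whose computed tier differs from the tier the
    risk team expected; an empty list means the system 'makes sense for us'.
    """
    mismatches = []
    for name, (answers, expected) in sample.items():
        result = score_intake(answers)
        if result.tier != expected:
            mismatches.append(
                f"{name}: scored {result.score} -> {result.tier}, expected {expected}"
            )
    return mismatches


# The three test vendors from the text, with the tier the text assigns them.
# The bank's answers beyond Question 3 are constructed: Question 3 alone
# already decides the tier, so the extra answers change the score but not
# the outcome.
SAMPLE_VENDORS: dict[str, tuple[dict[str, bool], str]] = {
    "major bank": (
        {"essential_to_operations": True, "contract_over_500k": True,
         "infrastructure_access": True},
        "Critical",
    ),
    "records shredder": (
        {"difficult_to_replace": True, "high_record_volume": True,
         "pii_or_phi_access": True, "regulatory_requirements": True},
        "High",
    ),
    "landscaping contractor": ({"outsources_portion": True}, "Low"),
}

if __name__ == "__main__":
    for name, (answers, _) in SAMPLE_VENDORS.items():
        r = score_intake(answers)
        print(f"{name:24} {r.score:>3}  {r.tier:8} {r.due_diligence}")
    print("mismatches:", validate_scoring(SAMPLE_VENDORS) or "none")
```

Keeping `drivers` on the result matters more than it looks: when a vendor disputes a Critical rating, or an auditor asks why the shredder was scoped for medium due diligence, the answer is the list of intake answers that produced the points, not the bare number.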



Learn More About Inherent Risk
For a deeper dive into inherent risk best practices, download ProcessUnity’s guide, How to Quantify and Manage Inherent Risk for Third Parties.

QUESTIONNAIRES

There have been interesting changes to assessment questionnaires over the past few years.

In the early days of TPRM, companies would have a single assessment for all vendors – a one-size-fits-all approach. The questionnaires were long and used to assess all vendors regardless of the risk they posed. It was overkill for low-risk and small vendors; it was not enough for critical vendors.

Because the one-size-fits-all approach did not work well, companies evolved to have multiple questionnaires – this was more of a small, medium, large approach. Deep questionnaires were sent to high-risk vendors and lighter questionnaires were reserved for lower-risk vendors. There were issues with maintaining multiple question sets, however.

Self-scoping questionnaires followed the small, medium, large approach. These questionnaires scoped automatically based on the risk tiers or changed on the fly based on vendors’ answers to questions. These smart questionnaires can show or hide questions or sections of questions based on inherent risk tier and answers to previous questions. Self-scoping questionnaires help minimize the number of questions that need to be answered by the vendor and analyzed by the TPRM team.

Most recently, self-scoping questionnaires have been enhanced with self-scoring capabilities where the questionnaire is assessed in real time. These questionnaires, through an automation process and a set of preferred responses, generate issues and follow-up tasks that help the third-party management team focus on what is most important.

Figure 3.6 – The evolution of the TPRM assessment questionnaire:

• ONE SIZE “FITS” ALL: One (usually long) questionnaire used to assess all vendors
• MULTIPLE VERSIONS: Multiple questionnaires of varying lengths used to vet vendors in different risk tiers
• SELF-SCOPING: A single, smart assessment that includes questions based on inherent risk and adjusts mid-assessment based on vendors’ answers
• SELF-SCORING: A smart assessment that pre-scores answers (good vs bad) and automatically generates issues and follow-ups to reduce review time

For a more in-depth look at how assessment tools have evolved, download ProcessUnity’s guide, The Evolution of the Third-Party Due Diligence Questionnaire.
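The two properties that separate the last two stages of Figure 3.6 from the earlier ones, scoping (a question is in play only for certain inherent risk tiers and only when an earlier answer makes it relevant) and scoring (each question carries a preferred response, and a deviation opens an issue while an unanswered in-scope question opens a follow-up), fit in a few dozen lines. The following is an added example, not ProcessUnity code and not a SIG question set: the questions, their tier assignments, the show/hide conditions and the preferred answers are all constructed for illustration.

```python
"""Self-scoping, self-scoring due diligence questionnaire (Figure 3.6).

Added example, not ProcessUnity code or a real SIG question set. The question
set, tier scoping, show/hide rules and preferred answers are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ALL_TIERS = frozenset({"Low", "Medium", "High", "Critical"})


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    tiers: frozenset                           # inherent risk tiers that see this question
    preferred: bool                            # the answer that raises no issue
    show_if: Optional[tuple[str, bool]] = None # (parent qid, parent answer) that reveals it


# Constructed question set. Deeper questions are reserved for higher tiers;
# child questions appear only when the parent answer makes them relevant.
QUESTIONS: list[Question] = [
    Question("infosec_policy", "Is there a documented information security policy?",
             ALL_TIERS, preferred=True),
    Question("policy_reviewed", "Is that policy reviewed at least annually?",
             ALL_TIERS, preferred=True, show_if=("infosec_policy", True)),
    Question("admin_mfa", "Is MFA enforced for administrative access?",
             frozenset({"Medium", "High", "Critical"}), preferred=True),
    Question("uses_subcontractors", "Is any part of the service subcontracted?",
             frozenset({"Medium", "High", "Critical"}), preferred=False),
    Question("subcontractors_assessed", "Are those subcontractors assessed for security?",
             frozenset({"Medium", "High", "Critical"}), preferred=True,
             show_if=("uses_subcontractors", True)),
    Question("independent_audit", "Was an independent security audit completed in the last 12 months?",
             frozenset({"High", "Critical"}), preferred=True),
    Question("pen_test", "Was a third-party penetration test performed in the last 12 months?",
             frozenset({"Critical"}), preferred=True),
]


def in_scope(tier: str, answers: dict[str, bool]) -> list[Question]:
    """Self-scoping: the questions shown for this tier given the answers so far.

    A child question stays hidden until its parent has the revealing answer, so
    the vendor never sees 'Are those subcontractors assessed?' after answering
    that nothing is subcontracted.
    """
    shown = []
    for q in QUESTIONS:
        if tier not in q.tiers:
            continue
        if q.show_if is not None:
            parent, needed = q.show_if
            if answers.get(parent) != needed:
                continue
        shown.append(q)
    return shown


def evaluate(tier: str, answers: dict[str, bool]) -> dict:
    """Self-scoring: compare in-scope answers with the preferred responses.

    Returns the issues to open (in-scope answers that deviate from the preferred
    response), the follow-ups to chase (in-scope questions still unanswered) and
    how many questions the vendor was actually asked. Answers to questions that
    are out of scope for this tier are ignored rather than scored.
    """
    if tier not in ALL_TIERS:
        raise ValueError(f"unknown tier {tier!r}")
    scoped = in_scope(tier, answers)
    issues = [q.qid for q in scoped if q.qid in answers and answers[q.qid] != q.preferred]
    follow_ups = [q.qid for q in scoped if q.qid not in answers]
    return {"asked": len(scoped), "issues": issues, "follow_ups": follow_ups}


if __name__ == "__main__":
    # Constructed responses from a Critical vendor that has no written policy.
    response = {"infosec_policy": False, "admin_mfa": True,
                "uses_subcontractors": False, "independent_audit": True}
    print(evaluate("Critical", response))
```

Note what the Critical example in `__main__` does not do: because the vendor answered that it has no policy, the child question about annual review is hidden rather than counted as unanswered, so the team gets one issue (no policy) and one follow-up (the missing penetration test answer) instead of a pile of noise derived from the same root cause.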



4. RESIDUAL RISK AND REVIEW CADENCES

With the inherent risk scoring system in place, it can be used to determine residual risk, and to set up the organization’s post-contract review cadences, defining how often and how deep the company needs to go with ongoing monitoring moving forward.

Residual Risk Determines Scope and Frequency

Take the vendor’s initial inherent risk score and combine it with the score from the previous assessment.

Inherent Risk Categories: Critical, High, Medium, Low

Assessment Review Rating:

• No Prior Review: Company is a new vendor or has never completed an assessment review
• Unsatisfactory: Company performed poorly in last assessment review
• Needs Improvement: Company did okay, but needs to improve
• Satisfactory: Company passed and performed well in most recent assessment

Combining the inherent risk rating and the assessment review rating determines a residual risk score. This will determine how often assessments need to be performed and how deep the assessment needs to be.

Let’s look at what this means for critical vendors. A critical vendor with:

• No Prior Review will be rated Critical for residual risk, required to submit to the deepest due diligence, and the assessment will be required immediately.
• An Unsatisfactory review will be rated Critical for residual risk, required to submit the deepest due diligence, and the assessment will be required annually.
• A Needs Improvement rating will be rated Critical for residual risk, required to submit the deepest due diligence, and the assessment will be required annually.
• A Satisfactory assessment will have its residual risk rating lowered to High and will be required to submit less-intense due diligence annually.

Figure 4.1 – Residual risk calculation for critical vendors (the CRITICAL rows of the table in Figure 4.2)

Inherent Risk   Previous Assessment Review Rating   Residual Risk   Assessment Scope   Assessment Frequency
CRITICAL        No Prior Review                     Critical        SIG Core           ASAP
CRITICAL        Unsatisfactory                      Critical        SIG Core           Annual
CRITICAL        Needs Improvement                   Critical        SIG Core           Annual
CRITICAL        Satisfactory                        High            SIG Lite           Annual
HIGH            No Prior Review                     High            SIG Lite           ASAP
HIGH            Unsatisfactory                      High            SIG Lite           Biennial
HIGH            Needs Improvement                   High            SIG Lite           Biennial
HIGH            Satisfactory                        Medium          SIG Lite           Biennial
MEDIUM          No Prior Review                     Medium          SIG Lite           ASAP
MEDIUM          Unsatisfactory                      Medium          SIG Lite           Biennial
MEDIUM          Needs Improvement                   Medium          SIG Lite           Biennial
MEDIUM          Satisfactory                        Low             SIG Lite           Triennial
LOW             N/A (any rating)                    Low             N/A                N/A

Figure 4.2 – Residual risk determines scope and frequency of periodic due diligence

As vendors perform better compared with their previous assessment ratings, their residual risk score gets dropped
down, and their assessments become lighter and less frequent.
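The matrix in Figure 4.2 is only useful once it is turned into dates: for each vendor, which questionnaire goes out next and when, and which vendors are already overdue. The following is an added example, not ProcessUnity code: the matrix rows are copied from Figure 4.2, while the interpretation of Annual / Biennial / Triennial as one, two and three years from the last review, the handling of a missing review date, and the sanity checks in `check_matrix` are my assumptions. The four vendors in the portfolio are constructed.

```python
"""Residual risk, assessment scope and review cadence (Figures 4.1 and 4.2).

Added example, not ProcessUnity code. The matrix is the one in Figure 4.2;
the date arithmetic and the checks are assumptions documented inline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RATINGS = ("No Prior Review", "Unsatisfactory", "Needs Improvement", "Satisfactory")
TIER_ORDER = ("Low", "Medium", "High", "Critical")   # lowest to highest
YEARS = {"Annual": 1, "Biennial": 2, "Triennial": 3}  # assumption: calendar years

# (inherent risk, previous review rating) -> (residual risk, scope, frequency)
RESIDUAL_MATRIX: dict[tuple[str, str], tuple[str, Optional[str], Optional[str]]] = {
    ("Critical", "No Prior Review"):   ("Critical", "SIG Core", "ASAP"),
    ("Critical", "Unsatisfactory"):    ("Critical", "SIG Core", "Annual"),
    ("Critical", "Needs Improvement"): ("Critical", "SIG Core", "Annual"),
    ("Critical", "Satisfactory"):      ("High",     "SIG Lite", "Annual"),
    ("High", "No Prior Review"):       ("High",     "SIG Lite", "ASAP"),
    ("High", "Unsatisfactory"):        ("High",     "SIG Lite", "Biennial"),
    ("High", "Needs Improvement"):     ("High",     "SIG Lite", "Biennial"),
    ("High", "Satisfactory"):          ("Medium",   "SIG Lite", "Biennial"),
    ("Medium", "No Prior Review"):     ("Medium",   "SIG Lite", "ASAP"),
    ("Medium", "Unsatisfactory"):      ("Medium",   "SIG Lite", "Biennial"),
    ("Medium", "Needs Improvement"):   ("Medium",   "SIG Lite", "Biennial"),
    ("Medium", "Satisfactory"):        ("Low",      "SIG Lite", "Triennial"),
}
for _rating in RATINGS:   # Low inherent risk: the N/A rows, no periodic due diligence
    RESIDUAL_MATRIX[("Low", _rating)] = ("Low", None, None)


@dataclass(frozen=True)
class ReviewPlan:
    residual_risk: str
    scope: Optional[str]        # "SIG Core", "SIG Lite" or None
    frequency: Optional[str]    # "ASAP", "Annual", "Biennial", "Triennial" or None
    due: Optional[date]         # None when no periodic review is required
    overdue: bool


def residual_risk(inherent: str, last_rating: str) -> tuple[str, Optional[str], Optional[str]]:
    """Look up one row of Figure 4.2; reject tiers or ratings the matrix lacks."""
    try:
        return RESIDUAL_MATRIX[(inherent, last_rating)]
    except KeyError:
        raise ValueError(f"no matrix row for {(inherent, last_rating)!r}") from None


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                 # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def plan_review(inherent: str, last_rating: str,
                last_review: Optional[date], today: date) -> ReviewPlan:
    """Turn a matrix row into a concrete due date for one vendor.

    Assumption: a vendor whose rating is not 'No Prior Review' but has no
    review date on file is treated as due now rather than silently skipped.
    """
    residual, scope, frequency = residual_risk(inherent, last_rating)
    if frequency is None:
        return ReviewPlan(residual, scope, frequency, None, False)
    if frequency == "ASAP" or last_review is None:
        return ReviewPlan(residual, scope, frequency, today, True)
    due = _add_years(last_review, YEARS[frequency])
    return ReviewPlan(residual, scope, frequency, due, due <= today)


def overdue(portfolio: list[tuple[str, str, str, Optional[date]]], today: date) -> list[str]:
    """Names of vendors whose next periodic assessment is due on or before today."""
    return [name for name, inherent, rating, last in portfolio
            if plan_review(inherent, rating, last, today).overdue]


def check_matrix(matrix=RESIDUAL_MATRIX) -> list[str]:
    """Sanity checks a team should run after customizing the matrix."""
    rank = {t: i for i, t in enumerate(TIER_ORDER)}
    problems = []
    for (inherent, rating), (residual, _scope, freq) in matrix.items():
        if rank[residual] > rank[inherent]:
            problems.append(f"{inherent}/{rating}: residual {residual} exceeds inherent")
        if rating == "Satisfactory" and inherent != "Low" and rank[residual] != rank[inherent] - 1:
            problems.append(f"{inherent}/{rating}: Satisfactory should lower residual one tier")
        if rating == "No Prior Review" and freq not in (None, "ASAP"):
            problems.append(f"{inherent}/{rating}: first assessment should be ASAP")
    problems += [f"missing row {t}/{r}" for t in TIER_ORDER for r in RATINGS if (t, r) not in matrix]
    return problems


# Constructed portfolio: (vendor, inherent risk, last review rating, last review date)
PORTFOLIO = [
    ("payroll provider", "Critical", "Satisfactory", date(2022, 5, 2)),
    ("records shredder", "High", "Needs Improvement", date(2022, 1, 10)),
    ("cloud CRM", "Medium", "No Prior Review", None),
    ("landscaping contractor", "Low", "Satisfactory", None),
]

if __name__ == "__main__":
    print("matrix problems:", check_matrix() or "none")
    print("overdue on 2023-06-01:", overdue(PORTFOLIO, date(2023, 6, 1)))
```

`check_matrix` encodes the shape of Figure 4.2 rather than its exact cells, so it still holds after a team swaps SIG Lite for its own questionnaire or shortens a cadence; what it catches is a customization that accidentally leaves a satisfactory vendor at a higher residual risk than an unsatisfactory one, or drops a row for a tier and rating combination the portfolio will eventually contain.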

Many third-party management teams are small and have limited resources but want to improve their programs and
expand their abilities or team. There’s help: third-party risk management programs can be augmented with external
expert content and managed services.

SIG: A standard information gathering questionnaire published by the Santa Fe Group’s global industry membership organization Shared Assessments. There are two standard versions of the questionnaire, the in-depth SIG Core with 850 questions and the less intrusive SIG Lite with 350 questions. SIG questionnaires are updated annually to address emerging security and privacy challenges, regulatory changes, new trends, and updated best practices in third-party risk management.



5. GETTING OUTSIDE HELP: EXTERNAL CONTENT AND MANAGED SERVICES

Expert Content

There are a number of organizations providing expert content that can be included in third-party management programs. Increasingly, organizations are pulling information from cybersecurity ratings services and financial health scores to validate what vendors are saying in their assessments. Examples of expert content include:

Cybersecurity ratings: Companies like BitSight, RiskRecon and SecurityScorecard scan vendors’ internet-facing infrastructure from the outside, look for weaknesses, and assign scores.

Financial health scores: RapidRatings and Dun & Bradstreet examine companies’ finances to determine if they pay their bills (on time or at all) and assign scores.

Negative news feeds: To address reputational risk, Refinitiv examines if companies are in the news for reasons they shouldn’t be.

Anti-money laundering (AML) and terrorism financing: Refinitiv provides insight into these issues.

Assessment questionnaires: Shared Assessments is a non-profit that provides the SIG Core and SIG Lite questionnaires, which are the industry standard. A consortium of organizations has come together to agree on an industry standard assessment template, and many vendors have standardized their answers on the template to make the process easier.

Assessment Databases/Utilities: Organizations like TruSight, which is focused on banking, assess the vendors that frequently work for banks and then provide completed assessments for a fee, relieving banks of the necessity to perform that work themselves – essentially outsourced assessment services.

By incorporating outside resources, TPRM teams gain virtual analysts that can compare expert ratings against submitted due diligence and shine a light on a discrepancy before it becomes a real issue. Score or ratings changes can also be used post-contract, especially in between periodic due diligence. TPRM teams can set alerts when changes occur across any of these content sources to serve as virtual watchdogs that keep an eye on vendors for continuous ongoing monitoring.

Figure 5.1 – Expert content serves as a virtual assistant during the onboarding process. The figure repeats the onboarding workflow of Figure 2.2 (1. Request Third-Party Service → 2. Review Request? → Inherent Risk Level → 3. Send Assessment → 4. Assessment Response → 5. Analyze Assessment → 6. Create Related Issues → 7. Close Assessment → 8. Agreement in Review → Approved) with an alert raised against the vendor while its assessment response is being analyzed: “ALERT! Questionable Financial Health Score!”



Figure 5.2 – Expert content alerts TPRM teams to changes in vendor status in between periodic due diligence. The figure repeats the ongoing monitoring flow of Figure 2.3 (1. Send Assessment → 2. Assessment Response → 3. Analyze Assessment → 4. Create Related Issues → 5. Close Assessment), interrupted between scheduled reviews by an alert: “ALERT! Cybersecurity Rating Below Acceptable Threshold! Please Reassess.”

Managed Services

Another way organizations are augmenting their team is through managed services. Companies work with consulting partners, typically organizations such as EY, Crowe or Grant Thornton, or boutique firms like CastleHill Risk Solutions in the USA or DVV or Cybersel in Europe, that provide outsourced assessments for a portion of an organization’s vendor population.

Ultimately, However, You Own The Risk!

Even though assessment work is being performed by another organization, work still needs to be done and their findings need to be inspected.



6. ASSESSING YOUR PROGRAM’S MATURITY AND IDENTIFYING STEPS TO IMPROVE

Programs cannot be improved without understanding where you are today and defining where you want to go in the future.

Determining Where You Are on the Maturity Curve

Informal programs: Heavy on spreadsheets and no involvement of LOB users.

Reactive programs: A small team that leverages a one-size-fits-all questionnaire and has only minor involvement from LOB users and little executive support.

Proactive programs: A formal team, with a defined program, that performs some inherent risk calculations and uses those calculations to scope assessments and assign scores. Proactive programs use inherent risk to determine residual risk, they capture, manage, and track issues throughout the process, and they incorporate automation to streamline administration tasks.

Optimized programs: Mature programs with a high level of engagement with LOB users and executives that execute vendor service reviews and incorporate fully automated processes, trend analyses, and reporting. These programs perform ROI-based activities such as negotiating better contracts, adding SLAs into contracts, tracking SLAs, and bringing in external data to augment the program and help create more holistic views of vendors. Optimized programs incorporate continuous improvements to increase efficiency and manage the changing landscape.

[Figure 6.1 – The Third-Party Risk Management Maturity Model (maturity plotted against time, rising through four stages)]

INFORMAL
• Informal, ad hoc approach
• Manual processes (spreadsheets, email)
• No involvement from LOB

REACTIVE
• Single resource / small team
• Manual questionnaire reviews and due diligence distribution
• Little to no LOB involvement or executive support

PROACTIVE
• Dedicated team with a formally defined program
• Inherent risk calculations
• Risk-based assessments scoping
• Assessment scoring
• Calculated residual risk
• Issues management
• Program automation via TPRM technology

OPTIMIZED
• Dedicated team & available external resources
• High level of LOB involvement and active executive promotion
• Fully automated processes
• Trend analysis
• Comprehensive reporting
• Contracts managed with SLA capabilities
• Integration with external data sources / providers
• Continuous program improvement



Take steps to advance your program (and your career)
Here are the steps you can take to move your program to the next level:

Informal to Reactive program: The key advantage in moving from informal to reactive is a blank slate. Find peers in
the industry that are “better” than you are; ask how they are running their programs and find out what mistakes they
made so you can avoid them. Formalize your program. Document your workflows and inherent risk scoring system.
Surface results (and issues) to the executive team.

Reactive to Proactive program: Get rid of spreadsheets and email. Establish a third-party risk management system
to manage data and automate manual tasks. Define inherent risk and residual risk. The key advantage here is your
experiential knowledge regarding what is and what is not working. Push aside what is not working and focus on
what is.

Proactive to Optimized program: When your organization reaches the proactive level, seek to increase LOB involvement (use LOB involvement to help with inherent risk scores early in the process and with performance reviews after contracts have been signed). Begin looking beyond the early phases of the vendor risk management lifecycle to focus on ROI-generating opportunities, and incorporate contract management and SLA tracking. The advantage here, especially for highly regulated organizations, is that at this stage your organization should have consistency with your regulators, and audits should be more routine and less challenging, which will lead to regulators having confidence in your organization.

Optimized to Better Optimized: When your organization reaches the top of the mountain, it has all of the data
it needs to make better business decisions around contracts and negotiations and put KPIs, SLAs and other
performance metrics in place. Continue to transform a cost-of-doing-business into an ROI center for the organization.

[Figure 6.2 – Keys to maturing your TPRM program]

INFORMAL
• Formalize your program
• Document, document, document
• Socialize program’s charter with executives
• Advantage: Blank slate

REACTIVE
• Nix the one-size-fits-all questionnaire
• Implement a repository for TPRM data and due diligence
• Calculate inherent and residual risk
• Look to automation
• Advantage: Leverage your recent experience to determine what’s working…and what’s not working

PROACTIVE
• Increase LOB involvement and executive promotion
• Extend beyond onboarding
• Improve contract management and SLA tracking
• Incorporate external data into onboarding and continuous monitoring
• Advantage: Consistency builds confidence with regulators

OPTIMIZED
• Focus on cost reduction and vendor service quality
• Advantage: Improved negotiation power based on accurate, actionable data on vendors’ ability to meet KPIs, SLAs and other performance metrics

These are truly achievable goals. No matter where you are in your vendor risk maturity there is always an opportunity
for growth and improvement: you will find that your program is one that will mature over time, increasing in value as
you gain experience.



Conclusion

By implementing these best practices, you will be well on your way to a successful TPRM program, and ProcessUnity is here to help you along the way. While there is no silver bullet to eliminate risk in its entirety, you will find that by working together with our experts, we can prepare your organization to meet any future changes and challenges to your vendor landscape with confidence. We are a leading provider of Third-Party Risk Management software tools that organizations use to automate and streamline their programs. We work with organizations of all sizes, with different levels of maturity, helping them advance their programs to realize greater value and reduce more risk. To learn more about ProcessUnity Vendor Risk Management visit us at www.processunity.com/automate.

About ProcessUnity

ProcessUnity is the leader in third-party risk management automation. ProcessUnity Vendor Risk Management provides:

• Programs for organizations of all sizes and maturity
• Built-in best practices
• Unparalleled subject matter expertise
• Short deployment times
• A documented history of successful client partnerships with hundreds of successful implementations

Learn more about ProcessUnity Vendor Risk Management at www.processunity.com/automate.



More Third-Party Risk Management Guides

Enjoy this guide? Visit www.processunity.com/resources for more best-practice guides, videos and ebooks on third-party risk management.

www.processunity.com

[email protected]

978.451.7655

Twitter: @processunity
LinkedIn: ProcessUnity

 ProcessUnity
33 Bradford Street
Concord, MA 01742
United States

201102
