6 Defense layers for Third Party Risk Management Program Design.


Third Party Risk Program Design in a picture.

Given that Vendor Risk Management is all the rage, I wanted to highlight the multi-layered risk management defense factors that I consider best practice. Note that this describes the optimal defense; what is achievable in practice depends very much on both internal and external considerations.

1. Risk Appetite for Vendor Risk 

2. Risk Assessment Based Due Diligence

3. Standard Contracts

4. Annual audit/security reviews of Vendors

5. Business Continuity Planning

6. Compliance considerations

The documentation should support the design.

Be smart: make sure your risk documentation is current, objective and actionable.

Further Comments

Mitigation of Third Party Risks

Now more than ever, with the combination of increased regulation and increased risk, organizations must conduct rigorous, structured and regular due diligence on third party intermediaries. The risks posed by these parties are many and varied, ranging from cybersecurity to business disaster. Regulators are looking for the methodology, the approach and the sustainability of programs designed to capture and mitigate these risks. Moreover, regulators are seeking evidence of how a program and its attendant processes are embedded in, and aligned with, the organization's risk culture and risk appetite.

Possessing a robust, structured program to mitigate these risks can protect corporate reputation and shield executives, board members and other management from personal and professional liability. Such a program will incorporate at its core a risk-based approach: a methodical and systematic process of knowing the company's business, identifying its risks and implementing measures that mitigate those risks.

The considerations outlined below shed some light on this and the other components of such a program.


The Risk Team of the organization must first establish an inventory of its third-party providers and understand the context in which each operates and the functions it performs. By doing so, they gain clear insight into the interaction and engagement channels with each provider, as well as the criticality of the services it provides.


Considerations include the design of a Risk Framework, including the identification and classification of risks within a Risk Taxonomy. These risks should be capable of being aggregated in a Risk Register and framed in a Risk Materiality Schema. This evaluation must result in a Risk Appetite Statement, defined with tolerances and thresholds.


Policies and Procedures will define an objective risk assessment model, which is crucial in creating a risk profile for each third party. The risk profile will range from high to low, each level carrying a prescribed scope of due diligence. The Policies and Procedures will furthermore describe the implementation of the system, the resources required, acceptable mitigants, and roles and responsibilities.


The final piece is the monitoring and review of the third-party relationship. This is essential, as it ensures that the performance standards set by the program are being implemented and adhered to.



John Thackeray