shield_lock
JinDaGe
Back to skills
extension
Category: Productivity & OfficeNo API key required

managing-third-party-risk

Structures vendor and third-party risk assessment with due diligence, monitoring, and concentration analysis. Use when assessing vendor risk, conducting third-party due diligence, or monitoring outsourcing risk.

personAuthor: jakexiaohubgithub
open_in_newRepositorydownloadDownload package

Managing Third Party Risk

Structures vendor and third-party risk assessment with due diligence, monitoring, and concentration analysis.

When To Use

  • Onboarding a new vendor, outsourcing partner, or critical service provider
  • Performing periodic re-assessment of existing third-party relationships
  • Evaluating concentration risk across vendor portfolios (e.g., single cloud provider, dominant counterparty)
  • Responding to a third-party incident, control failure, or regulatory finding
  • Preparing for regulatory examinations that cover outsourcing and vendor management (OCC, FFIEC, EBA guidelines) [VERIFY jurisdiction-specific rules]

Inputs To Gather

  • Vendor inventory: Complete list of third parties including name, service category, contract value, contract term, and business owner
  • Criticality classification: Whether the vendor supports a critical business function, handles sensitive data, or has customer-facing exposure
  • Due diligence package: SOC 2 / ISO 27001 reports, financial statements, business continuity plans, insurance certificates, and any prior audit findings
  • Regulatory requirements: Applicable guidance (e.g., OCC Bulletin 2013-29, DORA, APRA CPS 230) [VERIFY which frameworks apply]
  • Existing risk ratings: Prior tiering, residual risk scores, and open remediation items
  • Concentration data: Revenue share per vendor, geographic overlap, technology dependency mapping, fourth-party (subcontractor) disclosures

Workflow

  1. Tier the vendor population

    • Assign each third party to a risk tier (Critical / High / Medium / Low) based on data sensitivity, operational dependency, regulatory exposure, and substitutability
    • Critical-tier vendors trigger full due diligence; low-tier vendors require abbreviated assessment

  2. Conduct due diligence

    • Collect and review SOC reports, financials, BCP/DR plans, and cybersecurity questionnaires
    • Flag gaps: missing reports, qualified audit opinions, declining financial ratios, unresolved findings
    • For critical vendors, assess fourth-party risk — identify key subcontractors and their controls

  3. Score inherent and residual risk

    • Rate each vendor across dimensions: operational, financial, cyber/information security, regulatory/compliance, reputational, and geopolitical
    • Apply mitigating controls (contractual protections, SLA penalties, escrow, audit rights) to arrive at residual risk
    • Document risk acceptance rationale when residual risk exceeds appetite

  4. Analyze concentration risk

    • Map vendor dependencies to business lines and geographies
    • Identify single points of failure: one vendor serving multiple critical functions, heavy reliance on one jurisdiction, shared technology stack
    • Calculate concentration metrics (e.g., top-5 vendor spend as % of total outsourced spend)

  5. Build monitoring and escalation framework

    • Define KRIs per tier: SLA breach rate, financial health triggers, incident frequency, audit finding closure rate
    • Set review cadence: quarterly for critical, annually for high, biennial or event-driven for medium/low
    • Establish escalation paths: who is notified when a KRI breaches threshold, what triggers contract re-negotiation or exit planning

  6. Document and report

    • Produce a third-party risk register with current tier, residual score, open issues, and next review date
    • Prepare board/committee-level summary: aggregate risk heatmap, concentration dashboard, material exceptions

Output

  • Third-party risk register: Vendor name, tier, inherent/residual risk scores, key findings, remediation status, next review date
  • Concentration analysis: Dashboard showing spend concentration, geographic concentration, and fourth-party overlap
  • Due diligence summary per vendor: Controls assessment, gap list, and recommended mitigants
  • Executive risk report: Heatmap of vendor risk by category, trend vs. prior period, material exceptions requiring escalation
  • Monitoring plan: KRI definitions, thresholds, review cadence, and escalation matrix

Quality Checks

  • Every critical-tier vendor has a completed due diligence file dated within the applicable review cycle [VERIFY required frequency per regulation]
  • Concentration thresholds are defined and tested — no single vendor exceeds the board-approved limit without documented risk acceptance
  • Risk scores use a consistent methodology across all vendors; scoring criteria are documented and repeatable
  • Fourth-party dependencies are identified for all critical vendors; gaps are flagged rather than omitted
  • Regulatory mapping is current — confirm the applicable supervisory guidance matches the entity's charter, jurisdiction, and license type [VERIFY]
  • All open remediation items have assigned owners, target dates, and status tracking
  • Mark any data point sourced from vendor self-attestation (vs. independent audit) with [VERIFY]