The Third-Party Vendor Risk Management Lifecycle: The Definitive Guide

Your organization encounters distinct risks at each step of the vendor relationship, making it important to develop a TPRM program that addresses the entire third-party lifecycle.
Scott Lang
VP, Product Marketing
March 07, 2024

Understanding your organization's third-party risk management lifecycle is crucial to identifying and remediating vendor and supplier risks. However, it’s a common mistake to view third-party risk management (TPRM) as a one-time risk assessment and remediation initiative.

The fact is, your organization encounters distinct risks at each step of the vendor relationship, so it’s important to develop a TPRM program that can address the entire third-party lifecycle. A programmatic process is the fastest path to stopping the pain of third-party risk management, making informed risk-based decisions, and adapting and growing your program over time. This post covers the key stages of the third-party lifecycle and shares best practices for mitigating risk at each stage.

1. Vendor Sourcing and Selection

Vendor risk management starts with vendor selection, often involving multiple teams with varied priorities. For example, engineering prioritizes a vendor's technical capabilities, procurement focuses on business stability, security evaluates data protection controls, and compliance checks for reporting and auditing.

In addition, vendors often provide inconsistent and/or contradictory answers on vendor risk assessment questionnaires. This can make it extremely difficult to accurately gauge the risk they pose to your organization. These issues can become particularly acute when organizations lack a single source of truth for vendor information.

Vendor Sourcing and Selection Best Practices

Use a Vendor Risk Management Database

Many organizations are still stuck using spreadsheets to correlate vendor risk assessment questionnaire answers with security controls, compliance, and other requirements. Consider using a vendor risk management database or a third-party risk management platform to speed selection, improve vendor risk identification, and maintain a single source of truth for vendor data.

Base Standardized Questionnaires on Profiled Risk

Each vendor has a different degree of profiled risk (i.e., risk related to the service they perform for your organization). A vendor handling personally identifiable information (PII) or protected health information (PHI) will have a dramatically higher risk profile than a plumbing company. Create standardized questionnaires for different vendor tiers based on profiled risk. For vendors with low profiled risk, a simple questionnaire may suffice, while vendors that interact with your IT environment or sensitive data need a more comprehensive questionnaire.

Incorporate ESG Into Your Vendor Selection Process

Environmental, social, and governance (ESG) risk is becoming increasingly important for companies around the world. Both investors and consumers are beginning to expect that companies carefully consider the environmental, ethical, and social costs associated with their third parties. Incorporating ESG risk from the beginning of the vendor risk management lifecycle alongside evaluations of security and data privacy controls can help you avoid companies with questionable track records regarding environmental destruction, modern slavery, and other ethically problematic business practices.

The Third-Party Risk Management Lifecycle

2. Intake and Onboarding

The process for onboarding vendors typically involves a manual or bulk upload of profile information. Connecting a pre-configured spreadsheet or API to an existing vendor management or procurement solution is a more efficient way to create a central repository of vendors. Leverage role-based access to enable different teams to populate vendor data and invite other employees to contribute.

Vendor Intake and Onboarding Best Practices

Create a Formal Approval Process

There should be a documented, formal approval process for onboarding new vendors. Consider including standard templates for payment terms, invoicing, and information security standards as part of the supplier onboarding process.

Set and Communicate Realistic Onboarding Timeframes

Onboarding can be a long process. You need to provide vendors with credentials to access facilities or systems; ensure that they are able to perform their roles; and iron out payment terms and other processes. Make sure to set realistic onboarding timeframes and communicate them to both your vendors and internal departments.

Keep Compliance in Focus

Many organizations rely on their initial assessment of third-party compliance to maintain compliance throughout the vendor lifecycle. However, it's crucial to continuously consider compliance requirements as the contract evolves. Scope creep often occurs, leading to vendors gaining access to sensitive data and systems not initially considered during the sourcing and selection phases. Ensure you fully understand the location of your data and the extent of your vendors' access during the onboarding phase. Regularly review and adjust the vendors' access and the necessary security controls as needed.

Automate Where Possible

Onboarding new vendors can be time-consuming. Time constraints can become particularly acute when simultaneously onboarding multiple vendors. That’s why automation is key to a scalable third-party risk management program. For instance, you can automate the distribution of questionnaires and make it easy for team members to share intake forms.

3. Scoring Inherent Risk

Inherent risk scoring is a key part of the third-party risk management lifecycle. Not every vendor requires the same scrutiny. For example, an office supply vendor presents lower organizational risk than one providing critical parts or legal services. An organization located in a politically volatile location, with a history of breaches, or with a poor credit history presents more risk and warrants increased due diligence.

To properly understand the risk posed by a vendor, you must be able to calculate inherent risk. This is the vendor’s risk level before accounting for any specific controls required by your organization. Gaining a comprehensive view of inherent risks sets a baseline and guides your decisions on the necessary due diligence. After establishing this baseline for inherent risk, calculating the residual risk—the risk remaining after applying controls—becomes much simpler.

Inherent risk also plays a crucial role in decisions regarding vendor profiling, tiering, and categorization. By aligning vendor assessments with the risks and standards most relevant to a business, its customers, and regulatory bodies, this approach speeds up risk assessments.

Risk Scoring Best Practices

Map Your Vendor Risk Assessment to Compliance Requirements

Questionnaires should reflect any compliance requirements that your organization falls under. If your vendor has access to sensitive information such as PII, PHI or financial information, you need to ensure that you map your organization's compliance requirements to your vendor risk questionnaires. Below are some questions that should come up during the risk assessment:

  • Has the organization been certified against, or independently assessed against, any third-party information security standards or frameworks? (e.g., SOC 2, NIST SP 800-53, NIST CSF, CMMC) Ask for the report or certificate itself, and check its scope and date, rather than accepting a yes/no answer.
  • Does the organization fall under cybersecurity or information security compliance requirements? If so, which ones?
  • What policies and processes are in place for sharing customer data with third and fourth parties?

Don’t Go It Alone

Using a TPRM platform can dramatically speed up vendor risk assessments and allow you to quickly map questionnaire responses to compliance requirements. In addition, dedicated third-party risk management solutions like Prevalent offer built-in, customizable inherent risk questionnaires that can make it easy to seamlessly identify vendor risk.

Utilize Scoring to Normalize Results and Provide Actionable Insights

It’s important to understand the potential ramifications of a supplier’s failure to deliver products or services to your organization. Accordingly, you should leverage a scoring system to determine each supplier’s tier. This could include the following criteria:

  • Operational or client-facing processes
  • Interaction with protected data
  • Financial status and implications
  • Legal and regulatory obligations
  • Reputation
  • Geography (e.g., concentration risk)

Once you define supplier tiers, it should be easy to understand which suppliers are most critical. For example, you should be able to run a report on all suppliers that are US-based, handle personal data, and are top-tier.
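The scoring and tiering described above, as an added worked example that is not Prevalent's scoring model or code from the original post. The criteria follow the list in the text; the weights, the 0-3 rating scale, the tier thresholds, the "floor" rule for vendors touching regulated data or your IT environment, and the sample vendors are all assumptions chosen for illustration.

```python
"""Weighted inherent-risk scoring and tiering over a constructed vendor inventory.

Added example, not Prevalent's scoring model. The criteria follow the list
in the text; the weights, the 0-3 rating scale, the tier thresholds, the
"floor" rule and the sample vendors are all assumptions for illustration.
"""
from dataclasses import dataclass, field

# Weight per criterion (assumed). The assessor rates each criterion 0 (none) to 3 (severe).
WEIGHTS = {
    "operational": 3,   # supports operational or client-facing processes
    "data": 4,          # interaction with protected data
    "financial": 2,     # financial status and implications of failure
    "legal": 2,         # legal and regulatory obligations
    "reputation": 1,    # reputational exposure
    "geography": 2,     # geography / concentration risk
}
MAX_SCORE = 3 * sum(WEIGHTS.values())          # 42 with the weights above
PERSONAL_DATA = {"PII", "PHI", "PCI"}           # data types that trigger the tier floor


@dataclass
class Vendor:
    name: str
    country: str                       # ISO 3166 alpha-2 code
    ratings: dict                      # criterion -> 0..3
    data_types: set = field(default_factory=set)
    it_access: bool = False            # connects to or operates inside our IT environment


def inherent_score(v: Vendor) -> int:
    """Weighted sum of the assessor's ratings, before any of our controls are applied."""
    unknown = set(v.ratings) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"{v.name}: unknown criteria {sorted(unknown)}")
    bad = {c: r for c, r in v.ratings.items() if not 0 <= r <= 3}
    if bad:
        raise ValueError(f"{v.name}: ratings out of range {bad}")
    return sum(WEIGHTS[c] * v.ratings.get(c, 0) for c in WEIGHTS)


def tier(v: Vendor) -> int:
    """1 = most critical, 3 = least. Score bands (assumed: >=60% -> 1, >=30% -> 2)
    plus a floor: any vendor touching regulated data or our IT environment is at
    least Tier 2 however low its weighted score, so a cheap vendor that happens to
    hold PII still gets the comprehensive questionnaire."""
    pct = inherent_score(v) / MAX_SCORE
    t = 1 if pct >= 0.6 else 2 if pct >= 0.3 else 3
    if (v.data_types & PERSONAL_DATA) or v.it_access:
        t = min(t, 2)
    return t


def report(vendors, country=None, personal_data=None, tiers=None):
    """The 'US-based, handles personal data, top-tier' style query from the text."""
    rows = []
    for v in vendors:
        if country is not None and v.country != country:
            continue
        if personal_data is not None and bool(v.data_types & PERSONAL_DATA) != personal_data:
            continue
        if tiers is not None and tier(v) not in tiers:
            continue
        rows.append(v.name)
    return rows


# Constructed sample inventory (not real vendors).
VENDORS = [
    Vendor("Acme Cloud Hosting", "US",
           {"operational": 3, "data": 3, "financial": 2, "legal": 3, "reputation": 2, "geography": 1},
           {"PII", "PHI"}, it_access=True),
    Vendor("Payroll Partners Ltd", "GB",
           {"operational": 1, "data": 2, "financial": 1, "legal": 2, "reputation": 1, "geography": 1},
           {"PII"}),
    Vendor("Swag Printing Co", "US",
           {"operational": 0, "data": 1, "financial": 0, "legal": 0, "reputation": 0, "geography": 0},
           {"PII"}),                              # low score, but receives employee addresses
    Vendor("Metro Office Supply", "US",
           {"operational": 1, "data": 0, "financial": 0, "legal": 0, "reputation": 0, "geography": 0}),
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:<22} score={inherent_score(v):>2}/{MAX_SCORE}  tier={tier(v)}")
    print("US, personal data, Tier 1:", report(VENDORS, "US", True, {1}))
```

The floor rule is the part worth keeping whatever weights you settle on: a pure weighted sum lets a low-spend vendor that holds personal data slip into the lightest tier, which is exactly the scope-creep case the onboarding section warns about.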

Having vetted information earlier in the process and in an easily accessible location enables you to “right-size” due diligence initiatives, focus on vendors with the highest risk, and speed the overall process.


4. Assessing Vendors & Remediating Risks

The level of risk posed by different third parties will vary according to their criticality to your business and other factors. Likewise, the criteria for each tier of third parties will also vary. For instance, the criteria for a parts vendor will be different from those used for evaluating cloud hosting services.

Organizations with immature TPRM programs may address different vendor tiers by creating individual, spreadsheet-based surveys for each new project; constantly “reinventing the wheel.” Responses to these surveys can differ in the level of detail and completeness, making it difficult to evaluate overall risk and required controls. Tracking open items that require remediation and ensuring that remediation controls are consistent and adequate can be difficult, putting unnecessary demands on scarce security, risk, and compliance resources.

Vendor Assessment & Remediation Best Practices

Leverage a Shared Library

Third-party risk management processes can be taxing for under-resourced teams. Data collection processes and vendor back-and-forth communications account for the largest share of time needed to reduce risk and complete assessment assurance. Compounding this issue is the ever-shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations. Achieving compliance and meeting vendor risk management requirements while maximizing your team’s skill sets is a balancing act, for sure.

To accommodate resource constraints, many organizations – especially those with a solid vendor tiering plan – choose to reuse completed assessment content that vendors have already submitted to an industry exchange. These exchanges benefit from network effects: the more vendors that participate, the greater the overlap with other enterprises' vendor populations. This speeds risk identification and mitigation and minimizes the time spent collecting data. Shared content still needs a currency and scope check before you rely on it: a questionnaire a vendor completed for another customer may predate a recent incident or may not cover the services, systems, or data involved in your contract.

Ensure Questionnaire Flexibility

Vendor risk questionnaires aren’t “one size fits all.” Utilizing a third-party risk management platform that has multiple options for questionnaires, as well as the ability to generate custom questionnaires, can make vendor assessments far simpler. Using a dedicated platform can reduce the manual labor behind vendor survey and response management by 50% and ensure that assessment questionnaires are appropriately matched to each vendor’s profiled risk.

Save Time with Built-In Remediation Guidance

Sometimes vendor assessments reveal concerning facts. It may be that the vendor in question has experienced a data breach, isn’t compliant with data privacy regulations, or lacks a formal cybersecurity program. Platforms that deliver built-in remediation guidance can provide straightforward templates for remediation requests, plus workflow and task management capabilities to facilitate and streamline the entire process.

Compliance Reporting Matters

In many cases, you need to consider information security and data privacy compliance when working with vendors. When you are identifying your third-party risk management strategy, consider how different platforms handle compliance reporting. Utilizing a TPRM platform that includes automated compliance reporting for an array of national and international compliance requirements can dramatically simplify audits and reduce the risk of non-compliance.

Scale Reporting with AI Capabilities

Be sure to consider the value that AI introduces to risk analysis and reporting. Although artificial intelligence isn't a new concept, the recent mainstream introduction of generative AI technologies lets organizations summarize vendor evidence, draft findings, and map questionnaire responses to industry guidelines such as NIST, ISO, SOC 2, and others at a scale that manual review cannot match. Treat that output as a first draft for analyst review rather than as assessment evidence: verify any mapped control or flagged gap against the vendor's own documentation before it reaches a report or a remediation request.

5. Continuous Monitoring

Although periodic assessments are essential to understanding how vendors govern their information security and data privacy programs, a typical risk assessment can only provide a snapshot of your organization’s risk profile at a single point in time. This profile can rapidly change as threats evolve, new breaches occur, and business challenges emerge.

Constant monitoring of a third party’s cybersecurity practices is important. So too is gaining visibility into other types of business changes such as financial, reputational, compliance, and supply chain issues that can create business risk.

Unfortunately, organizations rarely have access to this data in a way that enables security and risk teams to be quickly notified, and it often remains unincorporated into a central register for decision-making. Instead, many organizations rely on manual processes, disparate tools, vendor notifications, and news reports.

Third-Party Monitoring Best Practices

Don’t Forget Fourth and Nth Parties

It can be tempting to diligently monitor your third parties while forgetting about their third parties and Nth parties. If your vendor relies on other companies to fulfill contracts and run their business, these other parties' security exposures or operational issues may ultimately affect your organization.

Therefore, during the risk assessment process, you should identify any fourth parties critical to your third party's success. Based on their risk to your third party, consider implementing a scaled-back cyber and financial monitoring process for these fourth parties.

Consider Multiple Types of Cyber Risk

Identifying vulnerabilities in a vendor’s public-facing IT systems is only part of the continuous monitoring equation. It’s important to go beyond vulnerability scanning to reveal other indicators of cyber risk, including:

  • Breach events – A large volume of breaches indicates weaknesses in a vendor's security program and could lead to regulatory pressure.
  • Dark web chatter – Recent, frequent mentions of a company on the dark web often correlate with more threat activity against the company, increasing the likelihood of attack. Attention on dark web markets may indicate the illicit sale of company assets or accounts, or fraud schemes.
  • Domain abuse/typosquatting – New domain registrations with typosquatting-style similarity to existing corporate domains are potential indications of domain abuse (such as phishing), defensive registration to prevent or mitigate domain abuse, or both.
  • Email security – Whether the vendor's domains publish Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records, and whether those records actually enforce anything. An SPF record that ends in +all or a DMARC policy of p=none is present but provides no protection against someone spoofing the vendor's domain to phish your staff.
  • Leaked credentials – Exposed credentials and email addresses indicate potential password or corporate email address reuse by company employees, raising the risk of credential stuffing attacks and targeting by threat actors.
  • Incidents – Security breach disclosures and validated cyber-attack reports signal when a company has likely experienced a recent cyber-attack, breach, or event that jeopardized the company's information assets.
  • Infrastructure exposures – These include IT policy violations, abuse of company infrastructure, malware infections and infected hosts, misconfigurations, unpatched vulnerabilities, and unsupported software.
  • Web application security – TLS certificate validity and configuration, such as expired, self-signed, or mismatched certificates and support for deprecated protocol versions (SSLv3, TLS 1.0, TLS 1.1).
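The email-security check from the list above, as an added worked example that is not code from the original post or from any monitoring product. It grades a domain's posture from its SPF and DMARC TXT records. The records are constructed for three hypothetical vendor domains; in practice you would fetch the TXT records for the vendor's domain and its `_dmarc.` subdomain (for instance with dnspython) and pass them in. The severity weights and the 0-100 scale are assumptions; the record semantics follow RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Grade a vendor domain's email-authentication posture from its SPF and DMARC
TXT records. Added example, not the page's or any monitoring product's logic.
The records below are constructed; in practice you would fetch the TXT records
for `vendor.example` and `_dmarc.vendor.example` (e.g. with dnspython) and
pass them in. Severity weights and the 0-100 scale are assumptions."""
import re

DEDUCTION = {"high": 40, "medium": 20, "low": 10}

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a(?![a-z])|mx(?![a-z])|ptr(?![a-z])|exists:|redirect=)", re.I)
ALL_RE = re.compile(r"^([+\-~?]?)all$", re.I)


def check_spf(txt):
    """Return a list of (severity, message) findings for one SPF TXT record (or None)."""
    if txt is None:
        return [("high", "no SPF record: any host can claim to send mail for this domain")]
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "TXT record is not a valid SPF record (must start with v=spf1)")]
    findings = []
    all_qualifier = None
    for term in terms[1:]:
        m = ALL_RE.match(term)
        if m:
            all_qualifier = m.group(1) or "+"      # no qualifier means pass
    if all_qualifier is None:
        findings.append(("low", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("high", "'+all': every sender passes, the record provides no protection"))
    elif all_qualifier == "?":
        findings.append(("medium", "'?all' (neutral): SPF is not enforced"))
    elif all_qualifier == "~":
        findings.append(("low", "'~all' (softfail): weak signal, spoofed mail is usually still delivered"))
    lookups = sum(1 for term in terms[1:] if LOOKUP_RE.match(term))
    if lookups > 10:
        findings.append(("medium", f"{lookups} DNS-querying mechanisms (>10): receivers return permerror"))
    return findings


def check_dmarc(txt):
    """Return a list of (severity, message) findings for one DMARC TXT record (or None)."""
    if txt is None:
        return [("high", "no DMARC record: receivers apply no policy and the owner gets no reports")]
    tags = {}
    findings = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(("low", f"malformed tag {part!r}"))
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [("high", "record does not start with v=DMARC1")]
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append(("high", "required 'p' tag missing"))
    elif policy == "none":
        findings.append(("medium", "p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "p=quarantine: spoofed mail lands in spam instead of being rejected"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("low", f"pct={pct}: policy applied to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: no aggregate reports, so abuse goes unseen"))
    return findings


def grade(spf_txt, dmarc_txt):
    """Combine findings into a 0-100 posture score (assumed scale; 100 = no findings)."""
    findings = check_spf(spf_txt) + check_dmarc(dmarc_txt)
    score = max(0, 100 - sum(DEDUCTION[sev] for sev, _ in findings))
    return {"score": score, "findings": findings}


# Constructed records for three hypothetical vendor domains.
WEAK = ("v=spf1 include:_spf.mail.example +all", None)
MIDDLING = ("v=spf1 a mx include:_spf.mail.example ~all",
            "v=DMARC1; p=none; rua=mailto:dmarc@vendor.example")
STRONG = ("v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all",
          "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@vendor.example")

if __name__ == "__main__":
    for name, (spf, dmarc) in [("weak", WEAK), ("middling", MIDDLING), ("strong", STRONG)]:
        result = grade(spf, dmarc)
        print(f"{name}: {result['score']}/100")
        for sev, msg in result["findings"]:
            print(f"  [{sev}] {msg}")
```

The point of the weak and middling cases is that "has SPF" and "has DMARC" are not the signal; a record that ends in +all or a policy of p=none passes a presence check and still leaves the vendor's domain spoofable. DKIM is deliberately not graded here because its selectors are not discoverable from DNS alone; you learn them from message headers the vendor has actually sent you.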

Don’t Stop at Cyber Risk

Many companies focus on cyber risk because external signals for it are readily available and comparatively easy to quantify. However, cyber risk monitoring should be complemented by operational, financial, and reputational monitoring. When building out your third-party monitoring program, be sure to account for these other types of risk. Some questions to consider:

  • Is this vendor financially healthy? Do they have a significant possibility of going bankrupt or experiencing other financial disruptions in the foreseeable future?
  • Does this vendor engage in ethical business practices?
  • Does this vendor abide by applicable laws and regulations?


6. Managing Ongoing Performance and SLAs

Managing risk is a continuous process. Even reliable partners can experience disruptions, and incentives to implement promised controls can wane once an agreement is signed. This changing risk environment requires not only continuous external risk monitoring, but also ongoing visibility into vendor performance obligations.

Some vendors may require scrutiny to ensure remediation commitments are met, and all should be measured against their service level agreements (SLAs). Trying to manage this with spreadsheets or other manual methods can increase the likelihood of missed SLAs and associated business disruptions.

Vendor Management Best Practices

Regularly Assess Vendor Performance

It can be tempting to take a one-and-done approach to assessing vendors. However, this can lead to bad work outcomes and failed business relationships. Performing periodic assessments to ensure that vendors meet their SLAs and other contractual obligations can help catch any issues early.

Define the Right KPIs and KRIs

Defining the right key performance indicators and key risk indicators is critical to effectively evaluating vendor performance. KPIs help ensure that contractual obligations are fulfilled and business objectives are met throughout the contract lifecycle. KRIs can inform your understanding of risks posed by vendors from onboarding to offboarding.

7. Termination and Offboarding

Risk can persist after vendor relationships end. An offboarded vendor holding sensitive data must return and/or securely destroy that data; access to internal systems needs to be terminated; and support obligations may outlive a purchase agreement. However, Prevalent research found that 39 percent of companies neither track nor remediate third-party risks during offboarding. This presents ongoing business, security, and IP risks.

Vendor Offboarding Best Practices

Don’t Assume Data Has Been Deleted

It’s common to assume that third parties will delete sensitive customer data and other information upon termination of their contracts. However, this is not always the case. Take the time to reach out to your third parties and ensure that any sensitive information has been erased. It is worth getting this in writing to ensure that there is an audit trail in the case of future incidents.

Confirm that Access to Physical and IT Infrastructure Is Revoked

Once you offboard a vendor, ensure your IT and facilities teams have correctly de-provisioned contractor employees. Confirm that they have revoked all building access and removed all permissions from cloud and IT environments. If a vendor accidentally retains access, your company could be exposed to a future breach. Implementing workflow-based checklists in a central TPRM platform can help ensure a secure offboarding process.

Perform a Thorough Contract Review

Once a vendor completes their work for your organization, review the contract thoroughly to ensure they have met all deliverables. Do not assume they have achieved all milestones and KPIs.

Run a Final Compliance Report

It’s no secret that vendor responsibilities and access can change throughout the vendor lifecycle. Take the time to thoroughly review what systems and data your vendor has accessed. Consider the following questions:

  • Were the vendor's cybersecurity controls adequate to meet your compliance requirements throughout the vendor lifecycle?
  • Was the vendor ever granted elevated permissions or access that was unnecessary to perform their job during the contract?
  • Was the vendor responsible for any security incidents during the contract?
  • Did the vendor put you at risk of being found non-compliant with one or more regulations during the contract?

Asking these questions can help ensure that you maintain compliance with applicable requirements. It can also provide valuable insight into how you can more effectively manage vendor compliance.

Next Steps for Navigating the Vendor Lifecycle

Third-party risk management can be difficult. There are dozens of moving parts across multiple departments, and it can be challenging to coordinate third-party risk assessments, ensure compliance requirements are met, and satisfy different siloed departments. The Prevalent Third-Party Risk Management Platform makes navigating the vendor lifecycle dramatically easier. Learn more about our approach by reading our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or request a demo today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
