Third-Party Risk Management: Vendor Assessment Guide

Why Third-Party Risk Matters

Modern organisations rely heavily on third parties for technology, data processing, and support services. Each relationship introduces risk: data breaches at vendors, service outages, regulatory violations, and reputational harm are all potential consequences of inadequate oversight. Regulatory expectations for third-party risk management continue to increase across all sectors.

Building a TPRM Programme

A structured Third-Party Risk Management (TPRM) programme provides consistent oversight. Key elements include:

• Governance: Define roles, responsibilities, and escalation procedures
• Inventory: Maintain a complete, current inventory of all third-party relationships
• Risk tiering: Classify vendors based on service criticality and data sensitivity
• Assessment: Conduct due diligence proportionate to the risk tier
• Monitoring: Continuously track vendor performance and risk indicators
• Offboarding: Manage the secure transition or termination of relationships

Conducting Due Diligence

Due diligence depth depends on the risk tier:

High-Risk Vendors (Tier 1): Comprehensive security questionnaire (such as SIG), review of independent audit reports (SOC 2, ISO 27001), on-site or virtual assessment, financial stability review, and business continuity plan review.

Medium-Risk Vendors (Tier 2): Abbreviated security questionnaire, review of relevant certifications, and self-assessment attestation.

Low-Risk Vendors (Tier 3): Basic due diligence, including business verification and standard contract terms.

Designing Effective Vendor Questionnaires

To make questionnaires effective:

• Align questions with your specific risk concerns and regulatory requirements
• Use standardised questionnaires (SIG, CAIQ) as a baseline, then customise
• Focus on outcomes rather than technical specifications
• Request evidence to support responses
• Keep questionnaires proportionate to the risk tier

Ongoing Monitoring

Due diligence at onboarding is insufficient; risks change over time. Implement:

• Annual reassessment of high-risk vendors
• Continuous monitoring using external security rating services
• Tracking vendor performance against service level agreements
• Monitoring news and threat intelligence for vendor-related incidents
• Requiring vendors to notify you of material changes or security incidents

Contractual Controls

Contracts are your primary mechanism for establishing vendor obligations. Key provisions include:

• Data protection and security requirements with minimum standards
• Incident notification timelines and cooperation obligations
• Right to audit, directly or through independent third parties
• Subcontractor approval and flow-down of security requirements
• Data return and destruction obligations upon termination
• Compliance with applicable laws and regulations

Managing the Vendor Lifecycle

TPRM spans from initial evaluation through offboarding: complete due diligence and contracts at onboarding, monitor performance and conduct periodic assessments during the active phase, reassess risk at renewal, and ensure data return and access revocation at offboarding. A mature TPRM programme demonstrates to regulators that your organisation manages vendor risk with appropriate diligence.