Third Party Vendor Risk: A Continuous Mitigation Strategy


In today’s environment of complex financial products, tighter regulations and increasingly connected global financial institutions, the last thing any multinational organization wants to worry about are business and compliance risks introduced by third party vendors. External vendors have come to play such an important role in key business functions that most organizations cannot compete globally without leaning on an array of outsourced services and third party providers. Yet, too often, large institutions struggle to ensure vendor compliance and information security. We admit, a risk-free relationship is unlikely; however, an on-going vendor relationship management framework can ensure real-time monitoring and mitigate risks well in advance of more serious problems.


We have found that most mature organizations have at least a basic vendor selection and onboarding process in place that involves any number of checkpoints between initiating a vendor relationship and final approval and onboarding. While it is important to continuously evaluate these basic processes to ensure clearly defined criteria for information security, contract negotiation and vendor obligations, risk management cannot end once vendors have cleared the selection and onboarding process. In order to anticipate risks within an organization’s third party ecosystem, a live, on-going vendor management strategy must be implemented. Integral to such a strategy are vendor feedback mechanisms and iterative review processes as seen in Exhibit 1. However, in addition to developing stronger, more interactive relationships with third-party vendors, if properly implemented, the strategy allows organizations to continuously improve the vendor management process with little to no disruption in daily business functions.

Exhibit 1: Continuous Incremental Improvement Roadmap

third-party-vendor-risk-1 fixed


Many regulatory agencies require third-party vendors to achieve the same level of compliance and information security as is required of the financial institutions they serve. Given the ever changing regulatory environment, the complicated process of assuring vendor compliance succumbs to even more risk when vendor oversight becomes lax after a given third-party vendor is approved and on-boarded. To remain competitive, financial institutions must strengthen vendor relationships and implement live feedback processes that can be regularly improved and updated, while also providing the clearest insight into vendor operations. In doing so, a truly committed financial institution can not only reap the benefits of vendor risk mitigation, but also emerge as an industry leader in vendor information security and risk management.

Read More