Third-Party Risk Framework™
Manage risk from third parties across the full relationship lifecycle.
Third-party risk arises from vendors, suppliers, outsourcers and partners. This framework manages it across the relationship lifecycle, from tiering and due diligence to monitoring and exit.
Critical dependence on vendors creates concentration and continuity risk that goes unmanaged when third parties are not tiered, vetted and monitored.
- CROs
- Procurement
- Operational-risk teams
- Business owners
- Inventory & tiering
- Due diligence
- Contractual controls & SLAs
- Ongoing monitoring
- Concentration & fourth-party risk
- Exit & continuity
- Procurement and business owners manage relationships; the second line oversees; critical vendors are reported to the Risk Committee.
Fragile
Maturity level 1 of the shared Outliers risk spine — Fragile.
Functional
Maturity level 2 of the shared Outliers risk spine — Functional.
Disciplined
Maturity level 3 of the shared Outliers risk spine — Disciplined.
Strategic
Maturity level 4 of the shared Outliers risk spine — Strategic.
Resilient
Maturity level 5 of the shared Outliers risk spine — Resilient.
- Inventory and tier third parties
- Risk-based due diligence
- Embed contractual controls
- Monitor performance and risk
- Plan exits and continuity
- Third-party risk register
- Due-diligence questionnaire
- Vendor monitoring pack
- Third-party risk policy
- Due-diligence standard
- Vendor exit & continuity standard
- Critical vendors without exit plan
- Overdue due diligence
- Concentration flags
- Vendor incidents
- Which third parties are critical, and what is our exposure?
- Where are we concentrated or single-sourced?
- Do critical vendors have exit and continuity plans?
- How do we monitor vendor risk over time?
