Third-Party Risk Management Policy
The policy sets out rules and requirements, roles and responsibilities, and governance and oversight
mechanisms, and clearly defines the non-negotiable requirements for managing third-party risk at
the organization. By following the TPRM policy, organizations set clear, consistent standards for
managing third-party risks and protecting the organization and its customers.
NOTE:
Regulatory guidance has played a significant role in shaping TPRM best
practices over time. Even if your organization isn’t in a regulated
industry, it’s helpful to acquaint yourself with various TPRM
regulations to understand how current best practices have evolved
and the part they play in your TPRM policy.
DO customize your policy to reflect the actual practices and standards of TPRM
specific to your organization.
Policies must always reflect the current state rather than stating what the organization should
do or will do one day. Auditors and regulators will cite policies that differ from actual
practices.
DO keep the policy as brief and practical as possible. It should convey relevant
information on the rules and requirements of TPRM to all stakeholders.
DON’T include processes or actual procedures in your policy. It’s not that this
information isn’t essential – it is! But it doesn’t belong in a policy, which isn’t
meant to instruct the reader on executing specific requirements.
Specific details and instructions are better suited for processes and procedures.
These may change slightly depending on the stakeholder.
1. Overview and Background: This section describes why your organization has TPRM and
provides the reader with enough information to understand the background of the policy,
why you need it, and the risks of not having it.
2. Policy Statement and Purpose: This details the policy’s purpose, which usually boils
down to managing the risks associated with third-party/vendor relationships and meeting
regulatory expectations and best practices.
3. Terms: This section should include specific definitions of key terms used within your
policy. This shouldn’t be confused with a glossary. Use this section to define the
most important terms in the policy. Examples include Third Party, Third-Party Risk
Management, and Vendor Risk Management (VRM).
4. TPRM Scope: This details which types of third-party relationships are in scope for the
policy, program, and practice.
NOTE:
The Interagency Guidance on Third-Party Relationships defines a third party to
include all business relationships (excluding customers). This expansion goes beyond
the previous scope of TPRM, which has been limited to traditional vendors, suppliers,
and service providers. TPRM now includes fintech relationships, referral and revenue
sharing agreements, financial partners, etc.
5. TPRM Oversight: This details third-party risk oversight accountability and briefly describes
how that oversight is executed within your organization. Ensure this content reflects how
your organization assigns and manages responsibilities.
6. Oversight Roles and Responsibilities: This goes into more detail about specific TPRM roles
and responsibilities and might include the following:
• The Board of Directors
• Senior Management
• Independent Reviewers (Audit)
• Risk or Third-Party Risk Committees
NOTE:
The Interagency Guidance has specific expectations regarding the responsibilities of senior
management and the board of directors that should be included in your policy if you’re
regulated by these entities.
7. TPRM/VRM Roles and Responsibilities: This section will describe the roles and
responsibilities for stakeholders and may include:
• Business Unit Management
• Procurement or Supply Chain Management
• Third-Party Owners or Managers
• Subject Matter Experts
• Third-Party Risk Management
• Legal Counsel
8. Documentation and Reporting: This section should address the requirement for TPRM
reporting to be made available to the board and senior management at regular intervals and
that documented evidence is retained as proof that requirements are fulfilled.
9. TPRM Program Requirements by Lifecycle Stage and Activity: This section should
provide a brief overview of the TPRM lifecycle and include individual subsections that
address specific required activities of the TPRM lifecycle.
Make sure you include your risk rating scale and describe the attributes of each risk level.
Don’t forget to include the criteria used to determine if a third party will be considered
critical or non-critical.
• Due Diligence: This section should provide a brief description of due diligence
requirements and areas of review. It’s recommended that you place an emphasis on
risk-based due diligence. This requires that critical or high-risk relationships are subject to
the most robust and thorough due diligence and that due diligence must be successfully
completed before the execution of any contract or legal agreement.
• Contracting: This should outline your requirements for third-party contract structuring,
negotiation, reviews, approval, and management.
• Periodic Risk Assessments: Use this section to describe the need for periodic
reassessment of inherent risks and updating of due diligence documents. Make sure to include
criteria that would justify a full third-party risk review outside of scheduled intervals, such
as regulatory changes, declining performance, or risk events such as a data breach.
13. Associated Policies: This section should include a listing and hyperlinks to any other
governing policies or requirements. For example: Contract Approval Policy.
3. Less is generally more. You don’t always need a lengthy policy. In many cases, shorter is
better. However, you must address all necessary elements and requirements while avoiding
getting caught up on page count or document length. Focus on clearly communicating the
requirements.
4. Your policy must reflect actual practices. This bears repeating: there’s an
expectation that your policy contains your actual practices and requirements. Having an
auditor or examiner find gaps in your program is better than receiving an audit finding for
noncompliance with an aspirational or unenforceable policy.
5. Ask for stakeholder review and feedback. Developing a policy is an important process that
can benefit from transparency and collaboration. By bringing together the key stakeholders to
provide input, identify inaccuracies, and suggest changes, you can create a policy that is more
effective and widely accepted.
About Venminder
Venminder is an industry-recognized leader in third-party risk management solutions. Dedicated to third-party risk, the
company is the go-to partner for software, high-quality assessments of vendor controls, certified subject-matter expertise,
and education.
Venminder’s platform provides a centralized location to execute a third-party risk management program. It enables users
to store documentation, onboard a vendor, track contracts, manage SLAs, send and manage questionnaires, manage due
diligence and oversight, complete risk assessments, create workflows, run reporting, and more.
Assessments performed by Venminder’s qualified experts, including CISSPs, CPAs, financial risk analysts, paralegals and more,
are readily available in an online exchange library. The assessments enable customers to identify possible risks and understand
areas of strength on their vendors’ information security and privacy standards, SOC reports, financial viability, business
continuity/disaster recovery preparedness, contractual standards, regulatory compliance, and more.