
CREATING AND UPDATING YOUR
Third-Party Risk Management Policy

© 2023 by Venminder, Inc.


A well-written policy is the foundation of any successful third-party risk management (TPRM) program.

However, there isn’t a one-size-fits-all solution to creating such a policy, as the document requires a tailored approach. While it can be challenging to create a policy that fits your organization’s unique needs, it’s worth the effort, as it can protect your organization and customers from potential risks arising from third-party relationships.

What Is a TPRM Policy?


A TPRM policy is a formal document that directs and guides an organization in achieving TPRM
objectives and complying with specific standards. The policy helps ensure consistency, fairness, and
accountability in decision-making and actions. It also mitigates risks and promotes compliance with
laws, regulations, and best practices.

The policy identifies rules and requirements, roles and responsibilities, governance, oversight
mechanisms, and clearly defines non-negotiable requirements for managing third-party risk at
the organization. By following the TPRM policy, organizations set clear, consistent standards for
managing third-party risks and protecting the organization and customers.

NOTE:
Regulatory guidance has played a significant role in shaping TPRM best
practices over time. Even if your organization isn’t in a regulated
industry, it’s helpful to acquaint yourself with various TPRM
regulations to understand how current best practices have evolved
and the part they play in your TPRM policy.

In this eBook, we’ll occasionally reference some of the most prescriptive regulatory guidance: the Interagency Guidance on Third-Party Relationships: Risk Management. This became effective in the summer of 2023. It was developed by three U.S. financial regulatory agencies: the FDIC, the OCC, and the Federal Reserve Board. We often refer to this guidance because regulatory requirements for the financial industry are generally considered to be the most comprehensive and are often regarded as the gold standard of TPRM.



The Dos and Don’ts of Your TPRM Policy


The following will outline suggested content for your policy, based on regulatory guidance and
best practices. However, there are some important dos and don’ts to keep in mind as you’re
creating the policy.

Here are some guidelines to remember:

DO customize your policy to reflect the actual practices and standards of TPRM specific to your organization.

DON’T include content that doesn’t apply to your organization or include TPRM requirements you don’t currently follow.

Policies must always reflect the current state rather than stating what the organization should do or will do one day. Auditors and regulators will cite policies that differ from actual practices.

DO keep the policy as brief and practical as possible. It should convey relevant information on the rules and requirements of TPRM to all stakeholders.

DON’T include processes or actual procedures in your policy. It’s not that this information isn’t essential – it is! But it doesn’t belong in a policy; policies aren’t meant to instruct the reader on executing specific requirements.

Specific details and instructions are better suited for processes and procedures. These may change slightly depending on the stakeholder.



The Outline of a TPRM Policy


Keeping the tips covered so far in mind, let’s examine what an effective TPRM policy should
generally include:

1. Overview and Background: This section describes why your organization has TPRM and
provides the reader with enough information to understand the background of the policy,
why you need it, and the risks of not having it.

2. Policy Statement and Purpose: This details the policy’s purpose, which usually boils
down to managing the risks associated with third-party/vendor relationships and meeting
regulatory expectations and best practices.

3. Terms: This section should include specific definitions of key terms used within your
policy. This shouldn’t be confused with a glossary. Use this section to define the
most important terms in the policy. Examples include Third Party, Third-Party Risk
Management, and Vendor Risk Management (VRM).

4. TPRM Scope: This details which types of third-party relationships are in scope for the
policy, program, and practice.

NOTE:
The Interagency Guidance on Third-Party Relationships defines a third party to include all business relationships (excluding customers). This expansion goes beyond the previous scope of TPRM, which had been limited to traditional vendors, suppliers, and service providers. TPRM now includes fintech relationships, referral and revenue-sharing agreements, financial partners, etc.

5. TPRM Oversight: This details third-party risk oversight accountability and briefly describes
how that oversight is executed within your organization. Ensure this content reflects how
your organization assigns and manages responsibilities.

6. Oversight Roles and Responsibilities: This goes into more detail about specific TPRM roles
and responsibilities and might include the following:
• The Board of Directors
• Senior Management
• Independent Reviewers (Audit)
• Risk or Third-Party Risk Committees

NOTE:
The Interagency Guidance has specific expectations regarding the responsibilities of senior
management and the board of directors that should be included in your policy if you’re
regulated by these entities.

7. TPRM/VRM Roles and Responsibilities: This section will describe the roles and
responsibilities for stakeholders and may include:
• Business Unit Management
• Third-Party Owners or Managers
• Subject Matter Experts
• Third-Party Risk Management
• Procurement or Supply Chain Management
• Legal Counsel

8. Documentation and Reporting: This section should address the requirement for TPRM
reporting to be made available to the board and senior management at regular intervals and
that documented evidence is retained as proof that requirements are fulfilled.

9. TPRM Program Requirements by Lifecycle Stage and Activity: This section should
provide a brief overview of the TPRM lifecycle and include individual subsections that
address specific required activities of the TPRM lifecycle.

This section should address:

• Planning: It outlines the requirements for planning for third-party relationships.

• Risk Assessment: This is one of your most important sections as it provides the requirements for inherent risk assessments, risk ratings, and determining criticality. Make sure you include your risk rating scale and describe the attributes of each risk level. Don’t forget to include the criteria used to determine if a third party will be considered critical or non-critical.

• Due Diligence: This section should provide a brief description of due diligence requirements and areas of review. It’s recommended that you place an emphasis on risk-based due diligence. This requires that critical or high-risk relationships are subject to the most robust and thorough due diligence and that due diligence must be successfully completed before the execution of any contract or legal agreement.

• Contracting: This should outline your requirements for third-party contract structuring, negotiation, reviews, approval, and management.

• Ongoing Monitoring: Include requirements for continuous risk monitoring and performance monitoring at specific intervals. It should also describe the components of effective risk and performance monitoring.

• Periodic Risk Assessments: Use this section to describe the need for periodic re-assessment of inherent risks and updating due diligence documents. Make sure to include criteria that would justify a full third-party risk review outside of scheduled intervals, such as regulatory changes, declining performance, or risk events such as a data breach.

• Termination: Provide an overview of termination requirements and approvals. Specific requirements may include the designation of an exit strategy at the beginning of the relationship, and an approved, documented exit plan detailing how the organization will exit the relationship safely.

10. Systems of Record: This section should provide a list of the specific systems of record used in the execution of TPRM. It might include your TPRM platform, contract management systems, etc.

11. Noncompliance: Address how the organization handles noncompliance with the policy.

12. Policy Revisions History: Always keep a record of your policy revisions, the date the revisions were made, policy approvers, when the policy was approved, and the effective date.

13. Associated Policies: This section should include a listing of, and hyperlinks to, any other governing policies or requirements. For example: Contract Approval Policy.

Reviewing and Updating the TPRM Policy

Your policy should be reviewed and approved by the board of directors and senior management prior to formal adoption. Once implemented, be sure that the policy is reviewed (and updated if necessary) at least annually. However, you may need to revise the policy more frequently if something at your organization significantly changes or regulations are added or updated.

5 Best Practices for a TPRM Policy

1. Understand your organization’s policy writing requirements, format, and style. If your organization has specific format requirements (e.g., font, layout, numbering conventions, etc.) for formal documents such as policies, be sure to follow them.

2. Keep it general. It’s important to keep in mind that policies can’t cover every possible scenario. So, it’s always a good practice to create policies that are broad enough to be applicable to various situations while still being specific enough to convey your expectations. Additionally, reserving detailed instructions for program documents and procedures can help ensure that everyone is on the same page.

3. Less is generally more. You don’t always need a lengthy policy. In many cases, shorter is
better. However, you must address all necessary elements and requirements while avoiding
getting caught up on page count or document length. Focus on clearly communicating the
requirements.

4. Your policy must reflect actual practices. This is worth reiterating. There’s an
expectation that your policy contains your actual practices and requirements. Having an
auditor or examiner find gaps in your program is better than receiving an audit finding for
noncompliance with an aspirational or unenforceable policy.

5. Ask for stakeholder review and feedback. Developing a policy is an important process that
can benefit from transparency and collaboration. By bringing together the key stakeholders to
provide input, identify inaccuracies, and suggest changes, you can create a policy that is more
effective and widely accepted.

Developing and implementing a well-written TPRM policy is essential for organizations to mitigate potential risks and ensure compliance with regulations. A comprehensive TPRM policy can help organizations identify and assess the risks associated with third-party relationships, establish risk mitigation strategies, and monitor and manage these risks over time. A well-written policy should involve transparency and collaboration, allowing key stakeholders to provide input and identify inaccuracies to ensure effectiveness.

With a strong TPRM policy in place, organizations can better protect their assets, reputation, and customers from potential third-party risks.



About Venminder
Venminder is an industry recognized leader of third-party risk management solutions. Dedicated to third-party risk, the
company is the go-to partner for software, high-quality assessments on vendor controls, certified subject-matter expertise,
and education.

Venminder’s platform provides a centralized location to execute a third-party risk management program. It enables users
to store documentation, onboard a vendor, track contracts, manage SLAs, send and manage questionnaires, manage due
diligence and oversight, complete risk assessments, create workflows, run reporting, and more.

Assessments performed by Venminder’s qualified experts, including CISSPs, CPAs, financial risk analysts, paralegals and more,
are readily available in an online exchange library. The assessments enable customers to identify possible risks and understand
areas of strength on their vendors’ information security and privacy standards, SOC reports, financial viability, business
continuity/disaster recovery preparedness, contractual standards, regulatory compliance, and more.
