Vendor Risk Management

This solution is often casually labeled different things, such as vendor risk management, third party risk management, or supplier risk management. In practice these terms do carry different meanings, which holds especially true when it comes to evaluating IRM platform capabilities. Early technology enablement focused on building capabilities related to performing assessments, supplying questionnaires, tracking vendor profiles, and tracking vendor performance. Supply chain management software has been around slightly longer than IRM platforms and has been utilized by organizations to handle the procurement process and maintain master lists of third parties. This class of software product was never meant to examine the various aspects of risk related to the vendor. Supply chain tools can also be utilized to track supplier subcontractors, or what the industry now terms fourth party risk.


The past few years have seen an increase in the attention paid to understanding vendors and their associated risks. An increase in regulatory focus, as well as high profile cybersecurity attacks related to third party access, is driving this sudden uptick in interest. While several regulatory requirements include references to third party requirements (such as the NY Department of Financial Services Cybersecurity Regulation and the General Data Protection Rule), several regulators such as the FFIEC (Federal Financial Institutions Examination Council), the CFPB (Consumer Financial Protection Bureau), and the OCC (Office of the Comptroller of the Currency) have recently started to focus on it in particular. In addition to managing regulatory requirements, financial institutions are responsible for making sure that third-party vendors that act on their behalf comply with consumer protection rules and laws.


There are several sources of guidance to help organizations establish a sound vendor risk management program. For example, the OCC released Bulletin 2013-29, which provides specific guidance on what it expects financial institutions to be doing to manage third-party risk. The OCC asks banks and other financial services entities to establish risk management capabilities proportionate to the risk of the third-party relationship. The basic tasks that the OCC describes as part of a third-party risk management program include the following:

  • Planning

  • Due diligence

  • Contract negotiations

  • Monitoring

  • Termination


In addition, the OCC recommends performing the following tasks throughout the lifecycle of the relationship:

  • Accountability and oversight

  • Documentation and reporting

  • Independent reviews


It is not uncommon to see third party programs break their functions into three distinct phases:

  • Pre-contract phase

  • Contract phase

  • Post contract phase

While there is plenty of guidance on the various tasks that should be performed as part of a third-party risk management program, specific direction on how to perform those tasks is lacking. Vendor risk management technology solutions should include the following:


  • Onboarding and due diligence process support

  • Vendor profiles and relationship management support

  • Contract management

  • Assessments

  • Vendor risk scoring

  • Performance metrics and evaluation


In many instances, IRM platforms can be integrated with supply chain tools and processes so that the combined solution provides the risk management capabilities called out by regulators. It is common to see purchasing tools that house vendor master lists and contract details connected to IRM technology platforms for risk and control assessment processing, with external portals also used to give third parties access to questionnaires.


Sargon Solutions has a dedicated team of practitioners who have designed, implemented and maintained vendor risk management processes and technology capabilities. Common use cases we see from clients include the following:


  • Third party data integration

  • Vendor scoring

  • Vendor grouping model

  • Vendor assessment portals




2770 Research Drive

Rochester Hills, MI  48309