How to manage and measure third-party risk

Empower your compliance program with ongoing third-party risk monitoring and reporting

Kelly Maxwell
Content Marketing Specialist, OneTrust
July 10, 2022



The three steps for third-party risk management are crucial for mollifying regulators and boards alike.

  • Remain compliant with the DOJ’s guidance for third-party risk management by vetting and continuously monitoring your third-party relationships.
  • Embrace the power of ongoing risk-based due diligence, refining (and documenting) along the way.
  • Hone your competitive edge with constant and systematic third-party risk reporting.

Learn how to measure the impact of your risk management team and reduce the overall cost and time needed to mitigate third-party risks.

These days, there is so much data available to us. Overburdened by choice, you may find that determining exactly which third-party risk metrics to measure and report on feels like a daunting and endless task. How can you satisfy regulators without spending every waking moment conducting risk assessments?

Since the updated guidance from the Department of Justice (DOJ) emphasizes the importance of ongoing activity and conduct monitoring throughout the third-party relationship lifecycle, a one-time, static evaluation is no longer an option. The DOJ’s guidance now asks, “does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” Precise and ongoing monitoring, together with the supporting relationship management activities required to carry it out, is now officially the name of the game.

No matter if you’re a seasoned compliance pro or totally new to the world of risk assessment, today we’ll be unpacking the three crucial steps to manage and measure third-party risk.


Step one: Risk assessment

The first step in third-party relationship management is understanding your unique third-party landscape by conducting risk assessments. If you want to become a trust-based business, protect your brand’s reputation, and ensure compliance, you’ll need to vet and monitor your third-party relationships. But since it is impossible to survey and oversee every individual third party at one time, especially with limited resources, you’ll need to prioritize the highest-risk relationships first. Take the time to conduct a thorough risk assessment in order to triage your third-party relationships and the due diligence activities that support them.


Third-party relationship management

Since third parties aren’t governed by your organization’s oversight, the importance of relationship management cannot be overstated. Businesses, as the first line of defense, need to understand the risks their third-party relationships present by embedding risk management into general business operations. Kick off this process by assigning a relationship manager to every third party your organization does business with. This employee will be responsible for managing, maintaining, evaluating, and reporting on the relationship between your company and the third party. These vital tasks are essential to the next two steps in the third-party risk monitoring process, detailed below. The relationship manager must be dependable and knowledgeable enough to tackle the following:

  • Implement key performance indicators (KPIs) to properly measure the objectives and success of your risk management team over time
  • Enable key risk indicators (KRIs) to measure third-party risks, reflecting actual risk exposure
  • Initiate regular contact with the third party
  • Conduct annual meetings with the third party to review their company compliance obligations
  • Prepare annual reports summarizing services provided by the third party
  • Assist the company’s management and leadership with any related third-party issues


Step two: Initial due diligence and review

Since the DOJ emphasized the need for “risk-based due diligence,” your third-party evaluation and KRIs should never be one-size-fits-all. After the initial risk assessment is completed and your high-priority relationships have been identified via triage, risk-based due diligence can officially begin. The 2020 Update to the Evaluation of Corporate Compliance Programs lays out guidance for prioritizing due diligence questionnaires and contracting, requiring high-risk relationships to be managed on an ongoing basis.

The DOJ Update asks, “How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?” If you’ve ended up with a small group of high-priority third parties, then you can evaluate them first. But if you end up with a large group of high-priority parties, you may want to go back and refine your criteria in the triage process. Remember that the DOJ will look at your processes, so you must be able to explain your actions and show your work.


Step three: Ongoing third-party risk reporting

Do you remember those old infomercials with the tagline, “Set it and forget it”? We sure do. Unfortunately, if your third-party risk reporting has any hope of being accurate and reliable, your third parties must be constantly monitored and reported on. No “one and done” data allowed here. But this isn’t just busy work – if properly done, it will end up being the sharpest tool at your disposal. To objectively determine exactly how well your compliance terms and conditions are followed, your ongoing monitoring needs to be systematic, independent, and easily documented. Reporting on your data will become second nature if you consistently capture, detail, and analyze your third-party risk. A minimum baseline for third-party monitoring should include the following metrics:

  • Existing compliance programs and code of conduct effectiveness
  • The origin and legitimacy of any funds paid
  • All disbursements made for or on behalf of the company
  • All funds received in connection with work performed and services/equipment provided


What does comprehensive third-party risk assessment look like?

Beyond the basic third-party monitoring metrics listed above, consider the following list for additional data to evaluate:

  • Compliance training program review, both program content and attendance records, to determine program effectiveness
  • Third-party hotline program review
  • Employee expense report review for employees in high-risk positions or high-risk countries
  • Gift, travel, and entertainment (GT&E) spending limits given to or accepted by governmental officials — were there any related overages?


KPIs to consider for a successful third-party risk management program

Remember that the measurements don’t stop with your third-party vendors; your KPIs will detail your program’s success over time. Own the process by documenting the impact and effectiveness of your internal third-party risk management metrics. A few KPIs to consider are listed below as a jumping-off point. Tailor your risk management metrics to fit your specific organization.

This KPI should ideally show low risk detection times. How long does it take your team to detect risks? How can you reduce your detection times?

How responsive is your team once a risk has been detected? The speedier the response, the lower the potential harm. Aim to reduce this KPI over time to signal efficiency and effectiveness to your Board.

How much does it cost your company to manage third-party risks? As efficiency improves, is that figure decreasing over time? Additionally, if costs are lower here, does that mean fewer risks overall?

The number of risks your team or individual staffers have identified over time. This KPI might increase as your efficiency and third-party comprehension improve.

Although comparing your program to others may help identify areas for improvement, observing the risks from other departments or divisions in your unique organization can encourage more thoughtful and methodical action. Drill down into the above KPIs, across all business units, in order to visualize the greatest risks to your organization overall.

The work isn’t done once you’ve started your oversight and monitoring; the health of your third-party management program depends on regular review. A strong and dependable program stops potential threats in their tracks, catching issues before they become full-blown Foreign Corrupt Practices Act (FCPA) violations. So that any regulator can test your reporting, stay consistent and fully document the steps you’ve taken. Whenever you conduct an audit of your compliance program, your meticulous metrics will help with any self-assessments down the road.

Want to see what a comprehensive third-party risk management tool looks like in action? The OneTrust team is ready to walk you through a free demo of our third-party risk software solution.

Streamline intake and compliance checks, centralize third-party profiles, automate risk assessments and flagging, monitor compliance and minimize risk with Third-Party Due Diligence from OneTrust’s unified platform for Trust Intelligence. Request a free Third-Party Due Diligence demo today.
