Building a third-party risk management program is how a financial institution turns its sprawling dependency map into something it can govern. Outsourcing an activity does not outsource the responsibility for it, a point banking agencies have made repeatedly in guidance and enforcement actions.

This guide walks through building a program step by step: what regulators expect, how to inventory and tier your third parties, how to scope due diligence, what belongs in the policy, and how to monitor and govern the program once it runs.


What Regulators Expect: The 2023 Interagency Guidance

The anchor publication is the Interagency Guidance on Third-Party Relationships: Risk Management, issued in June 2023 by the Federal Reserve, FDIC, and OCC. Three principles from the guidance shape everything that follows:

Risk-based proportionality
The agencies do not expect identical oversight for every vendor. Oversight should be commensurate with the risk and criticality of each relationship.

Life cycle coverage
The guidance organizes risk management around five stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.

Board and management accountability
The board is responsible for oversight of third-party risk while management is responsible for running the program.

For community institutions, the agencies followed up with the 2024 third-party risk management guide for community banks, acknowledging that smaller institutions need proportionate paths to the same outcomes.

Step 1: Inventory Your Third Parties and Tier Them by Risk

The first build step is a complete inventory: every vendor, partner, and service arrangement, including the ones that bypassed procurement. With the inventory built, run a third-party risk assessment on each relationship to assign a tier.

Two concepts drive the tiering:

  • Inherent risk is the risk the relationship carries before any controls: what data does the vendor touch, does it face your customers, could its failure interrupt critical operations?
  • Residual risk is what remains after controls are applied.

Tier on inherent risk, because tiering decides how much scrutiny the relationship gets; let residual risk inform ongoing decisions.

Step 2: Conduct Risk-Based Due Diligence

The due diligence scope follows the tier. For critical third parties, the guidance points to a broad review:

  • Financial condition
  • Information security practices
  • Business continuity and resilience
  • Compliance management
  • Subcontractor reliance
  • Operational capacity

For low-tier vendors, a streamlined checklist is defensible, and documenting why the lighter scope is appropriate is part of the discipline.

Step 3: Write the Policy and Contract Standards

A workable policy defines:

  • Scope (what counts as a third-party relationship)
  • Tiering methodology
  • Due diligence requirements by tier
  • Contract standards
  • Monitoring cadence
  • Escalation paths
  • Roles

Keep it short enough that business lines follow it and put the procedural detail in standards documents underneath it. The program should document where standard provisions were unattainable and what compensating monitoring fills the gap.

Step 4: Monitor Continuously and Manage Issues

Ongoing monitoring is where most programs are weakest, and where examiners increasingly focus. Recent third-party risk management statistics underline this. Quarterly or continuous review fits critical vendors while annual review fits low tiers.
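As an added example (not code from this article or from Predict360), the following Python tiers a constructed vendor inventory on the inherent-risk factors from Step 1, maps each tier to the due diligence scope from Step 2 and the review cadence from Step 4, and flags vendors whose last review is overdue. The scoring weights and thresholds, the 180-day cadence for the middle tier, and the lighter diligence scopes for non-critical tiers are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Vendor:
    name: str
    data_sensitivity: int      # constructed scale: 0 none, 1 internal, 2 confidential, 3 customer data
    customer_facing: bool      # does the vendor interact with your customers?
    critical_ops_impact: bool  # could its failure interrupt critical operations?
    last_review: date          # date of the most recent completed review
# Assumed scoring weights and thresholds; calibrate to your own tiering methodology.
def inherent_tier(v: Vendor) -> str:
    """Tier on inherent risk only, before any controls are considered."""
    score = v.data_sensitivity + (2 if v.customer_facing else 0) + (3 if v.critical_ops_impact else 0)
    if v.critical_ops_impact or score >= 5:
        return "critical"
    return "moderate" if score >= 2 else "low"

# The critical-tier list is the review scope the guidance describes; the lighter
# scopes for the other tiers are assumptions for illustration.
DILIGENCE_SCOPE = {
    "critical": ["financial condition", "information security", "business continuity and resilience",
                 "compliance management", "subcontractor reliance", "operational capacity"],
    "moderate": ["financial condition", "information security", "compliance management"],
    "low": ["information security"],
}
# Review cadence in days: quarterly for critical, annual for low; moderate is an assumption.
REVIEW_INTERVAL_DAYS = {"critical": 90, "moderate": 180, "low": 365}
def review_overdue(v: Vendor, today: date) -> bool:
    """True when the last review is older than the tier's cadence allows."""
    return today - v.last_review > timedelta(days=REVIEW_INTERVAL_DAYS[inherent_tier(v)])

def monitoring_report(vendors: list, today: date) -> list:
    """One row per vendor: (name, tier, number of diligence areas, overdue?)."""
    return [(v.name, inherent_tier(v), len(DILIGENCE_SCOPE[inherent_tier(v)]), review_overdue(v, today))
            for v in vendors]

# Constructed sample inventory and reporting date.
AS_OF = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("core payment processor", 3, True, True, date(2024, 1, 15)),
    Vendor("marketing email platform", 2, True, False, date(2024, 3, 1)),
    Vendor("office supplies", 0, False, False, date(2023, 11, 1)),
]

if __name__ == "__main__":
    for row in monitoring_report(SAMPLE_VENDORS, AS_OF):
        print(row)
```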

The table below summarizes the five lifecycle stages of a third-party risk management program and who typically owns each.

| Lifecycle Stage | Objective | Key Activities | Typical Owner |
|---|---|---|---|
| Planning | Decide whether and how to engage | Risk assessment of the proposed activity, strategic fit, exit options | Business line with risk input |
| Due diligence & selection | Verify the third party can perform safely | Financial, security, compliance, and resilience review scoped by tier | Vendor risk team + subject experts |
| Contract negotiation | Lock obligations into enforceable terms | Performance measures, audit rights, breach notification, termination provisions | Legal with business line |
| Ongoing monitoring | Detect deterioration before it becomes disruption | KRI tracking, SLA review, periodic reassessment, issue management | Vendor risk team + relationship owner |
| Termination | Exit without disruption or data loss | Transition planning, data return and destruction, access revocation | Business line with vendor risk oversight |

Tie monitoring outputs to an issue management process with:

  • Severity ratings
  • Owners
  • Deadlines
  • Escalation

Step 5: Govern, Measure, and Mature the Program

Governance means a defined structure, typically:

  • A vendor risk function in the second line
  • Business-line relationship owners in the first line
  • Audit testing the program in the third line

Board reporting should cover:

  • Critical vendor population
  • Concentration risks
  • Material issues
  • Program health metrics

Technology helps at every stage. Platforms such as Predict360 provide a centralized third-party data repository, configurable onboarding and due diligence checklists, vendor risk categorization, and embedded reporting within the same system that holds the institution’s broader risk and compliance records.

Frequently Asked Questions

Which regulatory publication addresses third party risk management for banks?

The Interagency Guidance on Third-Party Relationships: Risk Management, issued in June 2023 by the Federal Reserve, FDIC, and OCC, is the primary publication for U.S. banks. It replaced the agencies’ earlier separate guidance and applies a risk-based, life-cycle approach to all banking organizations.

What are the four core third party risk types?

Operational, compliance, strategic, and reputational risk are the four core categories. Operational risk covers service disruption from vendor failure, compliance risk covers regulatory violations caused by a third party, strategic risk arises when relationships undermine business objectives, and reputational risk attaches a vendor’s failures to the institution’s name.

What is the difference between TPRM and vendor risk management?

Vendor risk management traditionally covers contracted suppliers. Third-party risk management is broader and includes vendors plus fintech partnerships, referral arrangements, joint ventures, and other business relationships that may not involve a purchase contract.

The strongest next step is to read the guidance itself alongside your current vendor inventory and note where the gaps are. From there, it is worth understanding how AI is changing third-party risk management.
