What A Third Party Risk Assessment Should Cover

Whenever a financial institution enters a relationship with a vendor, it should have an independent firm conduct a third-party risk assessment. It is important, though, to know what such reports should cover when it comes to third-party vendor risk management for financial institutions. You will want the assessments to regularly address the following four areas of risk.

Cybersecurity
Given the digital nature of most vendor products in the financial sector, cybersecurity is a top risk. You will want the third-party vendor risk management report to address what security measures are in place and how the vendor handles breaches. Does the vendor have a timeline for notifying customers about incidents? How does the vendor monitor threats and respond to them? What does the recovery process look like after an incident?

Business Continuity

Vendor risk management for financial institutions should also cover concerns regarding business continuity. You want to know the vendor is running a stable and growing operation, to reduce the possibility that it will suddenly go out of business. Likewise, the vendor should have continuity plans in place in case key personnel are unavailable or incapacitated.

You may also want to look at the likelihood of the vendor becoming an acquisition target. This isn't necessarily a bad thing, but an acquisition may change who you're dealing with and how they're likely to handle their obligations.

Regulations, Compliance, and Industry Standards

Particularly in the world of finance, there are a great many compliance issues. Privacy regulations, for example, often cross multiple state and national jurisdictions, and failure to comply constitutes a business risk. Similarly, there are often industry standards to meet, especially when it comes to payment card processing. The assessment should itemize and grade the potential vendor and customer risks on each of these fronts.

Contractual Risks

The contract itself can be a source of risk, especially if it does not translate specific concerns into actionable clauses. You will want a contract that specifies what your company's needs are, how the vendor will meet them, and what the expectations are for responses when disagreements arise. Likewise, you'll want a contract with clear dispute-resolution mechanisms. You may also want to address key performance indicators so the contract is governed by clear metrics.

Notably, you should use the third-party risk management findings to inform your legal decisions. When you speak with an attorney, ask them to incorporate the concerns identified in the assessment into the contract. Never assume the vendor's boilerplate contract addresses your risk profile.