Third Party Risk Management (TPRM) is more than security assessments.
A successful TPRM program begins with determining why you need a third party and ends with safely off-boarding third parties. It ensures that the decision to outsource is supported by a business justification and aligns with the corporate strategy. It also requires enforceable contracts, defined service-level agreements (SLAs), and an exit plan to minimize business disruptions and risk. TPRM is much more than due diligence and ongoing security assessments.
Introduction
Many years ago, I was asked to build a Third-Party Risk Management program for a large financial institution—one where, frankly, very little existed. By today’s standards, nothing existed. The urgency behind the initiative stemmed from a serious breach at a vendor used by our parent company. A server containing customer data had been resold on eBay without being wiped.
You can read the original coverage here: BBC NEWS | UK | Bank customer data sold on eBay.
As you can imagine, protecting customer information quickly became the program’s central focus. But meeting U.S. regulatory expectations required much more than simply adding security questionnaires to the process. We had to design an end-to-end framework that worked seamlessly with Procurement so we could onboard vendors safely—and exit relationships just as safely.
Security assessments were critical, but they were only one component of the solution. The real work involved designing a lifecycle that included identifying the right vendors, properly evaluating them, negotiating strong contracts, continuously monitoring performance, and planning thoughtful, risk-aware exits. At its core, the program had to determine who had access to data and how that data would be protected throughout the relationship. There also needed to be oversight of the program to ensure that it was being executed in accordance with the new policy and procedures.
Business continuity planning and regulatory alignment were also essential parts of the foundation, but over time, something else became clear: the decisions made at the beginning and end of a vendor relationship are just as important as the controls applied in the middle. Selecting the wrong vendor—or exiting one without a plan—can create risks that even the strongest security assessment cannot fix.
There are plenty of examples across the industry of what happens when institutions focus solely on security reviews and overlook the broader vendor lifecycle. And as the regulatory environment continues to evolve, those early lessons remain just as relevant today.
Regulatory Guidance
Back in 2008, the primary guidance in place was not that different from what is in place today. A few primary publications formed the backbone of the program, supplemented by additional guidance documents focused on areas such as business continuity or offshoring. Some of the more prominent ones are listed below.
Office of the Comptroller of the Currency (OCC) – OCC 2000-9 “Third Party Risk”
Federal Financial Institutions Examination Council (FFIEC) IT Exam Handbook – Risk Management of Outsourced Technology Services
FFIEC – “Appendix J: Strengthening the Resilience of Outsourced Technology Services”
OCC Bulletin OCC 2001-47 “Third Party Relationships: Risk Management Practices”
Federal Reserve Board (FRB) – Federal Reserve Supervisory Letter SR 05-3
OCC Bulletin 2013-29 “Third Party Relationships: Risk Management Guidance”
Each of the above was rescinded by a later version, and all were ultimately replaced by guidance released jointly by the OCC, Federal Reserve, and FDIC in 2023. It is a single guidance document issued by all three agencies under different titles:
Third-Party Relationships: Interagency Guidance on Risk Management (OCC)
SR 23-4: Interagency Guidance on Third-Party Relationships: Risk Management (FRB)
Interagency Guidance on Third-Party Relationships: Risk Management (FDIC)
The updated guidance provided clarity on key topics and consistency across the three agencies’ expectations of a TPRM program.
In 2024, a supplemental OCC guide for smaller banks was issued. The 2023 guidance was intended to be implemented in proportion to the size and scope of the financial institution, and this supplemental document helps smaller banks do that. It even provides examples. The 2024 guide can be found here: Third-Party Relationships: A Guide for Community Banks | OCC.
Vendor Lifecycle
The updated 2023 Interagency Guidance reinforces a framework that has been consistent for more than two decades: the five stages of the third-party risk management lifecycle. While these stages have been part of regulatory expectations since the early 2000s, the new guidance places far greater emphasis on applying a true risk-based approach throughout each phase of the lifecycle.
In other words, examiners now expect financial institutions not just to follow the steps, but to scale the depth, rigor, and frequency of oversight based on the risks posed by each vendor relationship.
Below is a brief overview of the five lifecycle stages—but institutions should rely on the full guidance when designing, assessing, or maturing their third-party risk management programs. The details matter, and a strong lifecycle approach is essential for demonstrating safe, sound, and compliant vendor oversight.
1. Planning
The institution determines whether a third-party relationship is necessary and appropriate.
This includes defining the business need, assessing internal capabilities, identifying inherent risks, evaluating regulatory impacts, and establishing requirements for the relationship.
2. Due Diligence
The institution evaluates whether the vendor is capable of performing the activity in a safe, sound, and compliant manner.
This includes reviewing financial condition, security controls, operational resilience, experience, performance history, compliance posture, and subcontractor reliance.
3. Contract Negotiation
The institution structures a contract that clearly defines the vendor’s responsibilities, performance expectations, service levels, reporting requirements, security obligations, audit rights, data protections, and termination conditions.
The goal is to allocate and mitigate risk through enforceable agreements.
4. Ongoing Monitoring
Throughout the relationship, the institution continuously assesses the vendor’s performance and risk posture.
This includes reviewing SLAs, cybersecurity reports, audits, financial condition, incident notifications, compliance status, and concentration risk—ensuring the vendor continues to meet expectations.
5. Termination
When the relationship ends, the institution executes an orderly exit to protect customers and ensure operational continuity.
This includes data return or destruction, removal of system access, transitioning services, managing residual risk, and validating that no obligations remain unmet.
Federal Register: Interagency Guidance on Third-Party Relationships: Risk Management
Summary
As regulatory expectations evolve, the importance of a complete, lifecycle-driven Third-Party Risk Management (TPRM) program has never been greater. Examiners are increasingly focused on whether financial institutions understand that TPRM extends far beyond conducting security assessments. A strong program addresses risk from start to finish—from strategy and planning through due diligence and contracting, all the way to ongoing monitoring and well-designed exit strategies.
For institutions building a new program or those uncertain whether their current approach fully reflects the lifecycle, now is the perfect time for a proactive assessment. Gaps in early-stage planning, contract structuring, or end-of-life oversight can create risks just as serious as inadequate security reviews.
And remember: TPRM is not one-size-fits-all. Your program should be tailored to the size, complexity, and risk profile of your institution. A thoughtful, holistic lifecycle framework not only reduces risk—it demonstrates to regulators that your organization understands and embraces sound, modern risk management practices.
Call to Action
Contact JPT Consulting for more information on how we can help you. Waiting until an audit or examiner finding forces remediation is never ideal. Be proactive: assess and improve on your own terms and timelines.