Do More With Less: Streamlining Your Vendor Risk Program

William C Hord, Chief Strategy Officer - ERM Pilot

Third-party risk management at most financial institutions is under-resourced relative to its scope. Regulatory expectations have expanded substantially — the 2023 Joint Interagency Guidance alone added significant new requirements around due diligence depth, subcontractor oversight, and continuous monitoring. At the same time, the vendor portfolios that TPRM teams are expected to manage have grown considerably as institutions have expanded their use of cloud services, fintech partnerships, and specialized technology providers.

The result is a structural tension that examiners are aware of: the volume of regulatory expectation has outpaced the staffing capacity of most TPRM programs.

What Regulators Expect — and Where the Gap Sits

The 2023 Joint OCC/FDIC/Federal Reserve Guidance on Third-Party Relationships is explicit that institutions must manage vendor risk across the full lifecycle: planning, due diligence, contract negotiation, ongoing monitoring, and termination. Each stage has associated documentation requirements, governance expectations, and examiner checkpoints.

For institutions managing hundreds of vendor relationships across those stages simultaneously, the math of manual TPRM quickly becomes untenable. The OCC's FY2025 Operating Plan notes that examiners will evaluate whether TPRM programs are genuinely enterprise-wide — meaning they cover all business lines and all vendor categories, not just the obvious critical vendors.

This creates a prioritization imperative: institutions must have a defensible, documented risk-tiering methodology that determines where full lifecycle rigor applies and where streamlined review is appropriate. Regulators understand that not every vendor warrants the same depth of due diligence. What they do require is that tiering decisions are documented, consistent, and risk-based — not based on convenience.

Risk Tiering as the Foundation

A defensible risk tiering framework typically anchors on three dimensions: criticality to operations, data access, and substitutability. A vendor with access to member financial data, embedded in core transaction processing, with no ready substitute scores differently from a vendor providing janitorial services to a branch location.

The FFIEC IT Examination Handbook provides a baseline framework for evaluating vendor criticality, with particular attention to vendors supporting "critical activities" — those whose failure would materially affect the institution's ability to serve members or customers, maintain compliance, or protect sensitive data.

A well-designed tiering system dramatically reduces the TPRM team's workload without reducing the program's quality. Tier 1 critical vendors receive full annual due diligence, SOC report review, BCP assessment, and onsite evaluation where warranted. Tier 2 vendors receive periodic risk questionnaires and documentation review. Tier 3 vendors receive streamlined onboarding and basic periodic confirmation of unchanged status.

Continuous Monitoring Without Continuous Manual Work

The 2023 Joint Guidance introduced language around "ongoing monitoring" that shifted expectations beyond the annual assessment cycle. Institutions are expected to maintain awareness of material changes in vendor circumstances — financial stability, regulatory actions, security incidents, ownership changes — on a continuous basis, not just at renewal.

The NCUA's 2026 Supervisory Priorities Letter reinforces this in the context of payment system vendors, noting that institutions must actively monitor vendors involved in payment processing for emerging operational and security risk exposures.

Continuous monitoring does not have to mean continuous manual work. Automated news monitoring, regulatory action feeds, and financial health indicators can surface vendor risk signals without requiring a TPRM analyst to actively research each vendor each month. The governance requirement is to have a system — whether technology-assisted or process-based — that ensures material changes in vendor circumstances are identified and escalated in a timely way.

Board Reporting as a Governance Lever

The OCC, FDIC, and Federal Reserve's Joint Guidance is clear that TPRM governance requires board-level visibility. Senior management should receive regular reports on vendor risk status, material findings, and program-wide metrics. Boards should understand the institution's most critical vendor exposures and have access to escalation information when material vendor events occur.

Institutions often underestimate the value of board-level TPRM visibility as an operational lever — not just a governance requirement. When senior leadership understands the scale and significance of vendor risk, TPRM programs tend to receive the resources, attention, and cross-functional cooperation they need to function effectively.

Building a TPRM dashboard that surfaces key metrics to the board — number of critical vendors, outstanding due diligence items, recent material vendor events, concentration exposures — is a practical investment that simultaneously satisfies regulatory expectation and strengthens the program's internal standing.
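The tiering framework above (criticality, data access, substitutability mapped to three review tiers) and the board dashboard metrics it feeds, as an added worked example that is not part of the original article or of any ERM Pilot product. The 1-3 rating scale, the tier thresholds, the "sensitive data is never below Tier 2" floor and the sample vendors are all constructed assumptions; an institution would set and document its own.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example: each dimension is rated 1 (low) to 3 (high).
# Thresholds are illustrative; an institution sets and documents its own.
TIER_ACTIVITIES = {
    1: "full annual due diligence, SOC report review, BCP assessment, onsite where warranted",
    2: "periodic risk questionnaire and documentation review",
    3: "streamlined onboarding and periodic confirmation of unchanged status",
}

@dataclass
class Vendor:
    name: str
    criticality: int       # 3 = embedded in core operations such as transaction processing
    data_access: int       # 3 = access to member/customer financial data
    substitutability: int  # 3 = no ready substitute
    open_dd_items: int = 0  # outstanding due diligence items, for board reporting

def assign_tier(v: Vendor) -> tuple[int, str]:
    """Return (tier, rationale); the rationale is the documented basis for the decision."""
    for dim in ("criticality", "data_access", "substitutability"):
        if getattr(v, dim) not in (1, 2, 3):
            raise ValueError(f"{v.name}: {dim} must be rated 1-3")
    if v.criticality == 3 and (v.data_access == 3 or v.substitutability == 3):
        return 1, "critical to operations with sensitive data access or no ready substitute"
    if v.data_access == 3:
        return 2, "holds sensitive data; never tiered below 2 regardless of other scores"
    if v.criticality + v.data_access + v.substitutability >= 6:
        return 2, "combined score across the three dimensions warrants periodic review"
    return 3, "low criticality, no sensitive data, readily substitutable"

def board_dashboard(vendors: list[Vendor]) -> dict:
    """Roll vendor tiers up into the metrics the board sees."""
    tiered = [(v, assign_tier(v)[0]) for v in vendors]
    return {
        "critical_vendors": sum(1 for _, t in tiered if t == 1),
        "tier_counts": {t: sum(1 for _, tt in tiered if tt == t) for t in (1, 2, 3)},
        "outstanding_dd_items": sum(v.open_dd_items for v in vendors),
        "critical_with_open_items": [v.name for v, t in tiered if t == 1 and v.open_dd_items],
    }

# Constructed sample portfolio (not real vendors).
SAMPLE = [
    Vendor("core-processor", 3, 3, 3, open_dd_items=2),
    Vendor("cloud-email", 2, 3, 2),
    Vendor("marketing-analytics", 2, 2, 2),
    Vendor("branch-janitorial", 1, 1, 1),
]
```

Because the same inputs always yield the same tier and a written rationale, the output doubles as the consistent, documented record of the tiering decision that examiners ask for.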


Article References

1. Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System. Interagency Guidance on Third-Party Relationships: Risk Management. OCC Bulletin 2023-17; FDIC FIL-29-2023; Federal Reserve SR 23-4. June 6, 2023. Available at: https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html

2. Board of Governors of the Federal Reserve System. Third-Party Risk Management: A Guide for Community Banks. Washington, D.C.: Federal Reserve, May 2024. Available at: https://www.federalreserve.gov/publications/2024-may-third-party-risk-management.htm

3. Office of the Comptroller of the Currency. Fiscal Year 2025 Bank Supervision Operating Plan. Washington, D.C.: OCC, October 2024. Available at: https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-111a.pdf

4. Federal Financial Institutions Examination Council. Business Continuity Management. IT Examination Handbook. Washington, D.C.: FFIEC, November 2019. Available at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management

5. National Credit Union Administration. NCUA's 2026 Supervisory Priorities. Letter to Credit Unions, January 14, 2026. Available at: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ncuas-2026-supervisory-priorities
