
That distinction matters because vendor governance failure isn't just an IT problem — it's a board-level exposure. When a vendor breach triggers a regulatory inquiry, the question regulators and plaintiffs ask isn't whether your security team had a questionnaire process. They ask whether the board exercised reasonable oversight. That's a different question entirely, and most organizations aren't prepared to answer it.
This article covers the five phases of third-party risk management (TPRM), the four risk categories boards must understand, how to build a vendor governance framework that produces defensible decisions, and the common governance failures that leave organizations exposed even when a program exists on paper.
TL;DR
- Regulators hold the board accountable for vendor risk — regardless of who runs the program day-to-day
- Effective TPRM runs across five phases: tiering, due diligence, contracting, monitoring, and offboarding
- Third-party involvement in breaches rose 68% year over year (Verizon 2024 DBIR), and third-party breaches in financial services averaged 277 days to identify and contain
- Common failures: policies that exist on paper but can't be verified in practice, and concentration risk that surfaces only after an incident
- Define escalation thresholds before an incident — not in response to one
Why Vendor Risk Management Is a Board-Level Responsibility
Vendors routinely hold access to sensitive data, critical infrastructure, and core operational systems. When a vendor fails — whether through a breach, outage, or compliance violation — that failure is often indistinguishable from an organizational failure in the eyes of regulators, customers, and the press. The board cannot outsource that accountability, even when it delegates execution to management.
Regulatory expectations now make this explicit. The 2023 Interagency Guidance on Third-Party Relationships from the OCC, FDIC, and Federal Reserve states directly that a banking organization's use of third parties does not diminish its responsibility to operate safely and comply with applicable laws, and that the board holds ultimate responsibility for oversight. The SEC's 2023 cybersecurity disclosure rules (Item 106 of Regulation S-K) require public companies to disclose not just material incidents, but their processes for assessing and managing material cybersecurity risks and the board's role in overseeing them.
The Fiduciary Dimension
When a vendor incident results in a regulatory fine, breach notification, or operational disruption, what separates defensible governance from negligence exposure is the board's ability to demonstrate it exercised reasonable oversight — and that oversight has to be documented before an incident, not assembled in response to one.
Most organizations have a decision rights gap: management runs the TPRM program day-to-day, but without clear escalation criteria and board-facing reporting, the board is effectively blind. Directors find out about vendor failures at the same time the press does. That is a governance design failure, not a management one.
In organizations with strong vendor governance, the board owns the risk appetite, escalation criteria, and oversight posture. Management owns vendor selection, contract execution, and daily monitoring. The separation is deliberate — and it has to be documented before an incident, not drafted during one.
The 5 Phases of Third-Party Risk Management
Phase 1 — Risk Identification and Tiering
TPRM starts before a contract is signed. Every vendor relationship carries some level of inherent risk — but not the same level. Organizations must assess each vendor across three dimensions: data sensitivity, operational dependency, and regulatory exposure. From that assessment, each vendor receives a risk tier (high, medium, or low) that governs how much due diligence is required, how frequently they're monitored, and what events trigger escalation.
Per the 2023 Interagency Guidance, risk management should be commensurate with the relationship's risk and complexity. NIST CSF 2.0's Govern function reinforces the same point: identify and prioritize suppliers based on criticality to business and mission objectives, not treat all vendors identically. That tiering output directly shapes what due diligence looks like in the next phase.

Phase 2 — Due Diligence and Vendor Selection
Rigorous pre-contract due diligence covers more than security certifications. Per the Interagency Guidance, it should include:
- Financial stability and business continuity capabilities
- Legal and regulatory compliance history
- Information security controls and incident reporting practices
- Subcontractor reliance and fourth-party exposure (your vendors' vendors)
- Insurance coverage
Vendor selection criteria must align with organizational risk appetite. Choosing a vendor that wins on cost but fails on security posture is a governance decision, not a procurement one, and it belongs on the board's radar as an approved exception rather than a quiet trade-off.
Phase 3 — Contracting and Risk Mitigation Setup
A vendor contract without governance provisions is an unmanaged liability. Contracts with high-risk vendors should include:
- Data protection obligations and breach notification timelines
- Audit rights (and the organizational intent to use them)
- Defined RTO/RPO commitments
- Access controls and subcontractor obligations
- Liability allocation and indemnification terms
FFIEC outsourcing guidance has called for audit rights, measurable SLAs, and documented recovery expectations in outsourcing contracts since at least 2015. If those provisions are absent from current contracts, closing those gaps is a board-level remediation priority, not a task to defer to the next renewal cycle.
Phase 4 — Continuous Monitoring and Performance Management
Risk is not static. A vendor that passed due diligence two years ago may have changed ownership, experienced a breach, or degraded its security posture. Ongoing monitoring must track:
- SLA compliance and incident response times
- Patching cadence and vulnerability remediation
- Changes in ownership, financial condition, or operating environment
- Audit results and compliance status
Monitoring intensity should be proportional to risk tier. High-risk vendors warrant quarterly performance reviews and continuous signals; lower-tier vendors can be reviewed annually or at renewal.
Applying uniform monitoring across all vendors wastes resources and dilutes attention where it matters most — on the relationships with the highest potential impact.
Phase 5 — Offboarding and Relationship Closure
The end of a vendor relationship is a governance moment. Access must be revoked, data retrieved or destroyed, and the lessons from the relationship documented. The SEC's 2022 action against Morgan Stanley Smith Barney illustrates what poor offboarding costs: a $35 million civil penalty tied to vendor-led data center decommissioning failures that left customer PII on untracked assets and resulted in notifications to approximately 15 million customers.
Offboarding governance must assign named owners: who verifies data destruction, who confirms access is fully revoked, and what documentation is retained to demonstrate both. Without that accountability, the liability doesn't end when the contract does.
The 4 Core Third-Party Risk Categories Boards Must Understand
Cybersecurity and Data Risk
Vendors with access to internal systems are a primary attack vector. The SolarWinds SUNBURST supply chain attack, in which a trojanized Orion update was downloaded by as many as 18,000 customers including US government agencies, is the clearest illustration of how a compromise at a vendor becomes the organization's breach.
The numbers reinforce the trend: Verizon's 2024 DBIR found third parties involved in 15% of breaches, a 68% increase over the prior year. In financial services, breaches originating from a third party took an average of 277 days to identify and contain.

Boards need to know which vendors have what access — not just that a program exists.
Compliance and Regulatory Risk
A vendor's failure to meet regulatory obligations doesn't stay with the vendor. The contracting organization inherits the exposure. The FTC's action against Ascension Data & Analytics is instructive: the FTC alleged GLBA Safeguards Rule violations because Ascension failed to ensure a vendor adequately protected mortgage documents. The liability ran to the contracting entity, not the vendor alone.
Board-level questions to ask:
- Does the TPRM program include compliance-specific due diligence for each regulated data type the vendor touches?
- Are HIPAA, GDPR, PCI DSS, and CCPA requirements mapped to vendor contractual obligations?
Operational and Concentration Risk
A 2023 Gartner survey found that 45% of organizations experienced third-party-related business interruptions in the prior two years. Concentration risk — over-reliance on a single vendor for critical services — is a primary driver.
The Change Healthcare incident in 2024 demonstrates the scale of what concentration failure looks like in practice. UnitedHealth Group reported $2.2 billion in direct response costs, more than $9 billion in interest-free loans to affected care providers, and impacts to approximately 190 million individuals — all from a single vendor incident.
Boards should be able to answer two questions about every critical vendor:
- Which vendors are truly on the critical path — and what does "critical" mean in practice for this organization?
- What does the continuity plan look like if that vendor fails or is unavailable for 72 hours?

Reputational, Financial, and Strategic Risk
Not every vendor failure is technical. A vendor's financial instability, ethical violations, or strategic misalignment can disrupt service delivery, damage brand reputation, or leave critical systems unsupported mid-contract. Standard security questionnaires don't surface these risks — so they rarely get assessed.
The signals worth monitoring include vendor revenue concentration (are you their largest client?), ownership changes, public enforcement actions, and whether key personnel who supported the engagement are still in place. Boards should ask whether TPRM includes financial stability monitoring alongside security ratings — and how often that picture is refreshed.
Building a Vendor Governance Framework Boards Can Actually Inspect
Clarifying Decision Rights Across the Organization
Clear decision rights in vendor governance means knowing — in writing, before an incident — who owns what:
Board/Risk Committee owns:
- Risk appetite for critical vendors
- Approval of high-risk exceptions
- Escalation criteria and thresholds
- Decision to exit a vendor
Management owns:
- Vendor selection and contract execution
- Day-to-day monitoring and performance management
- Incident response within defined thresholds
- Surfacing escalation triggers to the board
The board doesn't need to approve daily actions. It should govern the rules of the road. Without that separation documented explicitly, every vendor incident becomes a scramble over who was supposed to do what.
Tyson Martin works with boards and executive teams to define these decision rights before an incident forces the issue — through board advisory engagements that establish the framework within the first 30 days.
Setting Escalation Thresholds That Hold in Real Incidents
Escalation thresholds must be pre-defined and tested. A threshold defined after an incident is governance theater.
Boards should know in advance which vendor events require immediate notification versus which stay at the management level. Effective escalation criteria are structured around five parameters:
- Vendor risk tier — higher-tier vendors have lower escalation thresholds
- Incident type — data breach, regulatory action, insolvency, or critical service outage
- Data types involved — regulated data triggers faster escalation
- Regulatory notification clocks (SEC Form 8-K Item 1.05 runs four business days from the materiality determination; HHS and state breach laws run from discovery), which means the board should hear about a qualifying incident before the public filing, not from it
- Business impact — hours of downtime, revenue system disruption, or safety risk

A one-page escalation ladder answering "when does this move from management to executives to the board?" gives the board what it needs to respond credibly under pressure. It specifies who notifies whom, expected response time, and what information must be included.
Structuring Vendor Risk Reporting That Boards Can Use
That escalation structure feeds directly into what the board sees on a recurring basis. Effective vendor risk reporting fits in one to two pages or two to four slides — consistent quarter to quarter so the board can spot drift rather than decipher a new format each time.
The structure should cover three areas:
| Component | What It Shows |
|---|---|
| Coverage and exposure | Total critical vendors in scope, out-of-tolerance count vs. prior quarter, top 5 vendors by business impact |
| Change | New critical vendors added, vendors that improved or degraded, open actions with owners and due dates |
| Decisions requested | 1-3 items requiring board action, with options, cost ranges, and a recommended path |
The goal is to keep top-tier visibility to 10–30 vendors so reporting stays sharp rather than becoming a catalog. When reporting requires the board to decode technical findings, it has stopped being governance reporting and started being operational work handed to the wrong audience.
The Most Common Third-Party Governance Failures
Governance Without Inspection
Organizations that have TPRM policies on paper but cannot demonstrate execution are increasingly exposed. They have a vendor questionnaire with no evidence it was reviewed, and a monitoring requirement with no KPIs tracked. Regulators and auditors distinguish between documented programs and inspectable ones. So do plaintiffs.
The Concentration Risk Blind Spot
Boards and management often don't know how many critical business processes depend on a single vendor until that vendor has an outage. Maintaining a vendor list is not the same as mapping vendor relationships to business processes. Effective governance ties vendors to the services they support — so the board understands what stops if a vendor fails, not just that the vendor exists.
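The mapping this section describes, from vendors to the business processes they support, is easy to state and rarely built. The script below is an added example, not code from the page's author or any TPRM product: it takes a constructed vendor inventory (hypothetical vendor and process names) and answers the two questions from the operational risk section, what stops if a given vendor fails, and which vendors are concentration risks. It also follows the fourth-party chains from Phase 2, so a process is counted as down when the only path to it runs through a vendor's own subcontractor.

```python
"""Vendor-to-process dependency mapping with fourth-party propagation.

Added example with constructed data: every vendor and process name below
is hypothetical and not taken from any real inventory or from the page.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample inventory (hypothetical).
# process -> vendors the process cannot run without
PROCESS_DEPENDENCIES: Dict[str, Set[str]] = {
    "claims-processing":    {"clearinghouse-a", "cloud-x"},
    "payroll":              {"payroll-saas", "cloud-x"},
    "customer-portal":      {"cloud-x", "idp-y"},
    "branch-telephony":     {"telco-z"},
    "regulatory-reporting": {"report-vendor", "cloud-x"},
}
# vendor -> vendors it in turn depends on (fourth parties)
VENDOR_DEPENDENCIES: Dict[str, Set[str]] = {
    "clearinghouse-a": {"cloud-x"},
    "payroll-saas":    {"idp-y"},
    "report-vendor":   {"clearinghouse-a"},
}
# processes the organization has designated tier-1 critical
CRITICAL_PROCESSES: Set[str] = {
    "claims-processing", "customer-portal", "regulatory-reporting",
}


def dependents_of(failed: str,
                  vendor_deps: Dict[str, Set[str]] = VENDOR_DEPENDENCIES) -> Set[str]:
    """All vendors that transitively depend on `failed`, including itself.

    Walks the reversed dependency graph breadth-first; the `seen` set makes
    a cyclic inventory (vendor A uses B, B uses A) terminate.
    """
    reverse: Dict[str, Set[str]] = defaultdict(set)
    for vendor, deps in vendor_deps.items():
        for dep in deps:
            reverse[dep].add(vendor)
    seen, frontier = {failed}, [failed]
    while frontier:
        vendor = frontier.pop()
        for dependent in reverse[vendor]:
            if dependent not in seen:
                seen.add(dependent)
                frontier.append(dependent)
    return seen


def blast_radius(failed: str,
                 process_deps: Dict[str, Set[str]] = PROCESS_DEPENDENCIES,
                 vendor_deps: Dict[str, Set[str]] = VENDOR_DEPENDENCIES) -> Set[str]:
    """Business processes that stop if `failed` is unavailable.

    A process counts as down when any vendor it needs is in the set of
    vendors knocked out by `failed`, directly or through a fourth party.
    """
    down = dependents_of(failed, vendor_deps)
    return {proc for proc, vendors in process_deps.items() if vendors & down}


def concentration_report(threshold: int = 2,
                         process_deps: Dict[str, Set[str]] = PROCESS_DEPENDENCIES,
                         vendor_deps: Dict[str, Set[str]] = VENDOR_DEPENDENCIES,
                         critical: Set[str] = CRITICAL_PROCESSES
                         ) -> List[Tuple[str, int, Set[str]]]:
    """Vendors whose failure stops at least `threshold` critical processes.

    Returns (vendor, count, affected critical processes), most severe first.
    Fourth parties that appear only as someone else's dependency are included,
    which is how a subcontractor nobody contracted with shows up as a
    concentration risk.
    """
    vendors: Set[str] = set(vendor_deps)
    for vs in process_deps.values():
        vendors |= vs
    for vs in vendor_deps.values():
        vendors |= vs
    rows = []
    for vendor in vendors:
        hit = blast_radius(vendor, process_deps, vendor_deps) & critical
        if len(hit) >= threshold:
            rows.append((vendor, len(hit), hit))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for vendor, count, hit in concentration_report():
        print(f"{vendor}: {count} critical process(es) stop -> {sorted(hit)}")
    print("if clearinghouse-a fails:", sorted(blast_radius("clearinghouse-a")))
```

Two things in the output are what a board report should surface and a flat vendor list never does: cloud-x stops three of the three critical processes even though only some of them contract with it directly, and report-vendor's dependence on clearinghouse-a means a clearinghouse outage also halts regulatory reporting, a process that never listed the clearinghouse as a vendor.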
Treating M&A Transitions as Exceptions
Organizations undergoing leadership change, acquisition, or vendor consolidation frequently let governance gaps widen. The same three problems appear repeatedly:
- Vendor access isn't revoked after the deal closes
- Contracts aren't renegotiated to reflect the new entity's risk posture
- Third-party risk assessments aren't refreshed for inherited vendors

UnitedHealth's 2024 10-K explicitly notes that recently acquired or not-yet-integrated businesses carry heightened vulnerabilities compared with established operations, citing Change Healthcare as the example. M&A transitions should trigger a TPRM review automatically. Tyson Martin's M&A cyber due diligence work includes third-party and vendor risk review as a core component precisely because these gaps are predictable and preventable.
Frequently Asked Questions
What are the 5 phases of third-party risk management?
The five phases are: risk identification and tiering, due diligence and vendor selection, contracting and risk mitigation setup, continuous monitoring and performance management, and offboarding and relationship closure. Each phase requires defined ownership, documented evidence, and governance proportional to vendor risk tier.
What are the 4 core third-party risks?
The four core categories are cybersecurity and data risk, compliance and regulatory risk, operational and concentration risk, and reputational/financial/strategic risk. All four require board-level visibility. Each can produce material regulatory or financial consequences that boards — not just management — are held accountable for.
What are the core components of an ERM framework?
COSO's ERM framework organizes around five components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting. Third-party vendor governance fits within Governance and Culture and is reinforced across Performance and Review. NIST CSF 2.0 similarly places supply chain risk management inside its Govern function.
Who is responsible for third-party vendor risk management?
The board owns risk appetite, escalation criteria, and oversight posture. Management owns program execution, vendor monitoring, and contract enforcement. The critical distinction: accountability cannot be fully delegated even when execution is. Regulators hold the board responsible regardless of how execution is organized.
What should boards ask about third-party vendor risk?
Boards should demand answers to four questions: Which vendors are tier-1 critical, and what stops if one fails? What triggers escalation to the board? Can management produce monitoring evidence — not just confirm a program exists? What's the recovery plan if the most critical vendor goes dark in 24 hours?
How often should vendor risks be reviewed by leadership?
High-risk vendors warrant quarterly review and continuous monitoring signals. Medium-risk vendors should be reviewed annually or at contract renewal. Boards should receive a vendor risk summary at least quarterly as part of overall cyber and operational risk reporting, with immediate escalation for defined triggers such as a breach, regulatory action, or critical service outage.


