When you are deciding to create a framework for your third-party risk program, you need to take the following into consideration:
- How are you going to categorize your third parties?
- How would you rank your third parties?
- What are the criteria/requirements for each one of those categories?
Other areas to consider involve the people component of the workflow, such as business owners, legal, and procurement. This matters especially during the contracting phase: include legal language requiring that assessments and/or assurance programs be provided. Also include stipulations that reassessments are required at renewal.
And of course, there is technology, the enabler. Technology provides automation and a structured way to capture specific data so that the business and executives can make key decisions on these relationships. Monitoring these data points will contribute to the success or failure of that third party.