Compliance

Vendor Risk Management SOP: Third-Party Risk Assessment Procedure

May 15, 2026 · 9 min read

Introduction

The biggest security incidents of the past decade have been third-party incidents. SolarWinds, Kaseya, Target's HVAC vendor, Okta's support vendor — each demonstrates that an organization's risk surface now includes the vendors it depends on. Regulators have followed suit: NYDFS 500, OCC third-party risk guidance, DORA in the EU, and SOC 2 all require formal third-party risk management (TPRM).

A documented vendor risk management SOP is how organizations assess, monitor, and respond to the vendor risks that can take them offline, breach their data, or sink their compliance posture.

Why VRM Needs SOPs

Vendor risk is where the gap between policy and execution is widest. Companies have vendor policies; few follow them consistently. Questionnaires go unreviewed. Contract clauses go unenforced. Offboarding leaves access open.

An SOP-driven program fixes this by codifying decision criteria, response timelines, and approval authority — so VRM stops being a one-person bottleneck and becomes a scalable process.

Key Procedures Every VRM Program Needs

1. Vendor Classification and Risk Tiering

Not all vendors require the same scrutiny. SOP should define tiers — commonly Critical, High, Medium, Low — based on factors such as sensitivity of the data handled, criticality of the systems involved, transaction volume, regulatory scope, and geographic exposure. The tier drives the required due diligence.

2. Onboarding Due Diligence

For each tier, define required documents and reviews:

  • Critical/High: SOC 2 Type II (current), ISO 27001 certificate, penetration test summary, SIG or CAIQ questionnaire, financial stability review, insurance certificates, business continuity plan review, references
  • Medium: Abbreviated security questionnaire, insurance, standard contract
  • Low: Standard contract, basic verification

SOP should define review authority, acceptance criteria, and escalation for findings.

3. Contract and Legal Controls

Standard contract clauses every vendor should sign: data processing addendum, security addendum (breach notification timeline, cooperation requirements, right to audit), indemnification, limitation of liability, termination rights, regulatory cooperation. SOP defines which clauses are non-negotiable vs. negotiable.

4. Ongoing Monitoring

Post-onboarding, vendors must be monitored at tier-appropriate cadence:

  • Critical vendors: Continuous (security rating platforms, dark web monitoring), quarterly business reviews, annual reassessment
  • High: Annual reassessment, quarterly financial check
  • Medium: Annual reassessment
  • Low: Triennial or upon material change

5. Incident and Breach Handling

SOP should cover vendor-reported incidents (acknowledgment timeline, fact gathering, customer notification decision, regulator notification coordination) and incidents discovered by other means (news reports, security researchers, audits).

6. Performance and SLA Monitoring

Cover tracked SLAs, performance review cadence, credit and remedy process, and escalation for persistent underperformance.

7. Regulatory and Concentration Risk

Define how regulated relationships are tracked (NYDFS 500 Tier-1, OCC third-party critical services, DORA ICT third-party providers). SOP should also address concentration risk — how many critical processes depend on a single vendor.

8. Offboarding

Vendor offboarding is one of the most neglected VRM activities. SOP covers: contract termination notice, data return or destruction certification, access revocation (all user accounts, API keys, VPN, integration credentials), archival of contracts and incident records, and knowledge transfer.

9. Exception Management

Document how exceptions to VRM policy are requested, reviewed, approved, and tracked — with automatic expiration and renewal criteria.

Step-by-Step: Building Your VRM SOP

  1. Inventory your vendors. Most organizations have 2–3x the vendors they think. Start with AP data.
  2. Tier them. Apply the tiering criteria consistently. Document the rationale.
  3. Draft tier-specific procedures. Critical/High deserve thorough procedures; Low can be lightweight.
  4. Standardize the questionnaire. SIG Lite, CAIQ, or a custom shortlist — choose one and use it universally.
  5. Integrate with contract management. VRM and legal/contract teams should share a system.
  6. Pilot ongoing monitoring. Security rating services, financial monitoring, news alerts — start with Critical vendors and expand.
  7. Report to the board. Vendor risk is board-level material in regulated industries.

Common Mistakes to Avoid

Only doing onboarding. Vendor risk changes over time. Without ongoing monitoring, onboarding diligence is stale within a year.

Ignoring contract enforcement. Breach notification clauses are useless if nobody follows up when a vendor misses the timeline.

Weak offboarding. Access retained after contract termination is a top breach vector.

One-size-fits-all due diligence. Applying Critical-tier scrutiny to a SaaS logo generator wastes everyone's time.

How AI Accelerates SOP Creation

WorkProcedures generates VRM SOPs aligned to SOC 2, NYDFS 500, OCC, DORA, and ISO 27001 — including tier criteria, onboarding questionnaires, contract clause libraries, and ongoing monitoring playbooks.

Conclusion

Vendor risk is enterprise risk. A documented, tiered, and operating VRM program is the only way modern organizations can responsibly depend on the vendors they need. Visit WorkProcedures to build your VRM SOP today.

Ready to Streamline Your SOPs?

Generate professional, industry-standard procedures in minutes with WorkProcedures.