Vendor Risk Management: The Complete Process from Onboarding to Offboarding
Seventy-one percent of organizations experienced at least one third-party cyber incident with material impact last year. That’s not a vendor problem — it’s a program problem. Most organizations have a vendor procurement process. They don’t have a vendor risk management process.
The difference is this: procurement ends when the contract is signed. Risk management runs from the moment you consider a vendor to the day their last access credential is revoked. Everything in between — onboarding, ongoing monitoring, contract renegotiations, security incidents, and eventual termination — requires active ownership.
TL;DR
- The 2023 OCC/FDIC/Fed interagency guidance defines five lifecycle stages: planning, due diligence, contract negotiation, ongoing monitoring, and termination
- 61% of companies have experienced a data breach caused by a third party — and ex-vendors with unrevoked access are a persistent source of exposure
- Risk tiering is the foundation of a scalable TPRM program — you cannot run full due diligence on every vendor
- Offboarding is the most consistently neglected stage and the one most likely to create residual liability
Why Most Vendor Risk Programs Break Down
The failure mode is consistent across industries: vendor risk programs are built around procurement milestones, not risk events. A questionnaire goes out at onboarding. A SOC 2 report gets filed. Then the vendor operates for three years with no re-assessment unless something goes catastrophically wrong.
Regulators have noticed. Between June 2023 and June 2024, the OCC, Federal Reserve, and FDIC entered into more than 45 Cease and Desist orders with non-systemically important banks — 12 of which were consent orders — citing third-party risk management failures or fintech relationship oversight gaps.
One enforcement case that’s worth knowing: a major bank used a third-party vendor to offer identity protection products to its customers. When that vendor was found to have violated CFPB and FTC consumer protection requirements, the bank was held responsible. The result: $618 million in consumer restitution and $80 million in civil money penalties. The vendor’s conduct became the bank’s liability because the bank hadn’t adequately overseen the relationship.
The 2023 Interagency Guidance on Third-Party Relationships: Risk Management, issued jointly by the OCC, Federal Reserve, and FDIC on June 6, 2023, is the definitive statement of regulatory expectations. It replaces each agency’s prior guidance and establishes a common framework across all five lifecycle stages.
Stage 1: Planning — Before You Ever Talk to a Vendor
Planning happens before vendor selection. The questions to answer at this stage:
- What business function are you sourcing? What would it take to bring it back in-house or switch vendors?
- What data will the vendor access, process, or store? What’s the sensitivity classification?
- What regulatory requirements apply (GLBA Safeguards Rule, HIPAA, PCI DSS, DORA if you have EU operations)?
- What’s your risk appetite for this relationship — what performance and security standards are non-negotiable?
- Who owns this vendor relationship internally after contracting?
The planning stage produces a risk profile for the type of vendor before any specific vendor is evaluated. This feeds directly into how rigorous the due diligence process needs to be. Organizations that skip planning end up doing the same amount of diligence on a low-risk office supply vendor as on a core banking technology provider.
Stage 2: Due Diligence — What You’re Actually Evaluating
Due diligence is proportional to risk tier (more on tiering below), but here are the core assessment domains for any vendor with meaningful access or criticality:
| Assessment Domain | What You’re Looking For |
|---|---|
| Financial Stability | Audited financials, credit ratings, funding runway (especially for startups) |
| Information Security | SOC 2 Type 2 report, penetration test results, security certifications |
| Regulatory Compliance | Any enforcement actions, open regulatory matters, licensing status |
| Business Continuity | BCP documentation, RTO/RPO commitments, DR testing results |
| Subcontractor Management | How does the vendor manage their third parties (your fourth parties)? |
| Data Practices | Data retention, deletion, encryption, cross-border transfers |
| Incident History | Known breaches in the last 3 years and how they were handled |
The 2023 interagency guidance specifically calls out that banks should review the vendor’s track record with similar engagements and evaluate adequacy of disaster recovery and business continuity programs. If a vendor can’t produce a BCP with tested RTO/RPO figures, that’s a risk red flag — not just a documentation gap.
For vendors with access to AI systems or who provide AI-powered services, the due diligence process requires additional layers. See Third-Party AI Vendor Risk Assessment: Due Diligence Framework and Questionnaire for the AI-specific checklist.
Risk Tiering: The Foundation of a Scalable Program
You cannot run full enterprise due diligence on every vendor. A 500-person financial services firm might have 200 vendor relationships. Applying the same scrutiny to your paper supplier as to your cloud infrastructure provider is not risk management — it’s theater.
Risk tiering solves this. A workable three-tier model:
Tier 1 — Critical
Criteria: supports mission-critical functions; handles significant volumes of sensitive customer data; would cause substantial operational disruption or customer harm if the relationship failed; regulatory examination access required; no easy substitute available.
Response: full due diligence questionnaire + SOC 2 Type 2 review + onsite or virtual assessment + annual comprehensive reassessment + continuous security monitoring + board-level reporting.
Tier 2 — Elevated
Criteria: important but not mission-critical; some sensitive data access; substitutable within 30–90 days; meaningful but manageable disruption if the vendor fails.
Response: standard due diligence questionnaire + SOC 2 Type 2 review + annual assessment + event-triggered monitoring.
Tier 3 — Standard
Criteria: low sensitivity; no customer data access; easily replaceable; minimal regulatory exposure.
Response: lightweight onboarding questionnaire + contract baseline requirements + reassessment at contract renewal.
The tiering decision should be documented and reviewed annually. Vendor risk profiles change — a SaaS tool that started as a low-risk productivity app may have grown into a system that houses sensitive HR data.
Stage 3: Contract Negotiation — Locking In Your Risk Controls
The contract is your primary enforcement mechanism. Most organizations treat contracts as legal formalities. TPRM practitioners treat them as the primary risk control document.
Non-negotiable provisions for Tier 1 and Tier 2 vendors:
Audit rights. The right to review the vendor’s security controls, request SOC 2 reports on demand, and conduct independent assessments. Without audit rights, “we’ll monitor the vendor” is an empty commitment.
Incident notification timelines. Your regulators have 36-hour or 72-hour clocks. Your vendors need to notify you in time to meet those obligations. Standard: vendor notifies you within 24 hours of discovering a suspected breach involving your data.
Subcontractor restrictions. Your fourth-party risk starts here. Define whether the vendor can subcontract the services they’re providing to you, and require them to apply equivalent security standards to any subcontractors.
Data handling requirements. What data can the vendor process? Where can it be stored (data residency)? What happens to data at contract termination — return, destruction, or certified deletion?
Regulatory examination access. For banks, this is non-negotiable: the OCC, FDIC, and Federal Reserve must be able to examine the vendor’s records related to your institution.
Right to terminate for cause. With defined remediation timelines and without penalty. If the vendor has a major breach or fails an audit, you need a clean exit path.
For institutions operating under EU regulations, DORA adds significant additional requirements for contracts with ICT third-party providers. See DORA Third-Party ICT Risk: Contracts, Concentration Risk, and the 19 Critical Providers You Now Answer To for the full breakdown.
Stage 4: Ongoing Monitoring — The Gap Most Programs Have
Ongoing monitoring is where TPRM programs fall apart. It’s not that organizations don’t intend to monitor — it’s that monitoring gets defined as “send an annual re-attestation questionnaire and file the response.”
That’s not monitoring. That’s paperwork.
Effective ongoing monitoring for Tier 1 vendors should include:
- Security rating monitoring: services like BitSight or SecurityScorecard provide continuous visibility into the vendor’s external security posture (open vulnerabilities, certificate issues, DNS hygiene). These catch problems between annual reviews.
- News and intelligence monitoring: regulatory actions, breaches, significant personnel changes, financial distress signals, ownership changes — these are all triggers for re-assessment.
- Performance against SLAs: uptime, incident response times, error rates. Chronic SLA misses are often early indicators of operational dysfunction.
- Annual comprehensive reassessment: re-run the due diligence questionnaire, request an updated SOC 2, review any changes to services or subcontractors.
- Event-triggered reviews: any material change at the vendor (ownership change, major breach, significant product change, financial distress) should trigger an immediate review.
The NCUA has reported that 70% of cyber incidents at credit unions were related to a third-party vendor. Most of those incidents don’t announce themselves — they’re found after the fact. The point of monitoring is to compress the gap between incident occurrence and your awareness of it.
For organizations whose vendors are increasingly AI-powered, see 72% of Banks Don’t Know Which Vendors Use AI. Here’s How to Fix Your TPRM Program. for a monitoring framework specific to AI vendor risk.
Stage 5: Termination and Offboarding — The Most Neglected Phase
Here’s a scenario that happens more than it should: a vendor relationship ends after three years. The contract lapses. The business unit stops using the service. But nobody tells IT. The vendor still has active API credentials. They still have access to an S3 bucket with historical customer data. Their login hasn’t been touched in eight months — but it still works.
This is how ex-vendor breaches happen. And they’re preventable.
A structured vendor offboarding process requires cross-functional coordination across IT, legal, procurement, and compliance:
Access revocation — the first and most time-sensitive step. All credentials, API keys, system access, VPN accounts, and service account permissions must be revoked immediately upon contract termination notice. Don’t wait for the termination date; begin the access audit as soon as notice is given, so that every credential is known and owned before the last day of service.
Data return and destruction — the contract should specify what happens to your data. Get written confirmation (and ideally a certificate of deletion) that the vendor has purged your data from their systems. This includes backups and data held by the vendor’s subcontractors.
Asset recovery — any hardware, software licenses, or proprietary assets you provided to the vendor need to be returned or decommissioned.
Final audit — for Tier 1 vendors, a final security review confirming that access has been revoked and data has been returned or destroyed.
Documentation — maintain a record of the offboarding process: who revoked what access and when, confirmation of data destruction, any outstanding issues. Regulators examining a subsequent breach will ask for this.
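A check for the residual-access failure described above, added here as an illustration rather than taken from the article or the TPRM Kit: it joins a vendor register to a credential inventory and flags active credentials belonging to terminated vendors, credentials dormant past a threshold, and credentials with no vendor record behind them. All field names, vendor names and records are constructed assumptions.

```python
"""Residual vendor access check: added illustration with constructed data, not the article's."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Vendor:
    vendor_id: str
    name: str
    terminated_on: Optional[date]  # None while the contract is still active

@dataclass
class Credential:
    cred_id: str
    vendor_id: str
    kind: str                  # e.g. "api_key", "sso_login", "iam_role", "vpn"
    active: bool
    last_used: Optional[date]  # None if the credential has never been used

def find_residual_access(vendors, credentials, as_of, dormant_days=90):
    """Return (cred_id, vendor, reason) for each active credential that should be revoked."""
    by_id = {v.vendor_id: v for v in vendors}
    findings = []
    for c in credentials:
        if not c.active:
            continue                       # already revoked, nothing to do
        v = by_id.get(c.vendor_id)
        if v is None:                      # credential with no contract record behind it
            findings.append((c.cred_id, c.vendor_id, "orphaned: no vendor record"))
        elif v.terminated_on is not None and v.terminated_on <= as_of:
            findings.append((c.cred_id, v.name, f"vendor terminated {v.terminated_on}"))
        elif c.last_used is None or as_of - c.last_used > timedelta(days=dormant_days):
            findings.append((c.cred_id, v.name, f"dormant >{dormant_days} days"))
    return findings

# Constructed sample data: one live vendor and one whose contract ended months ago.
VENDORS = [Vendor("V-100", "Acme Payments", None),
           Vendor("V-200", "OldCo Analytics", date(2025, 9, 1))]
CREDENTIALS = [
    Credential("K-1", "V-100", "api_key", True, date(2026, 4, 28)),    # healthy
    Credential("K-2", "V-200", "api_key", True, date(2025, 8, 20)),    # ex-vendor, still live
    Credential("K-3", "V-200", "sso_login", False, date(2025, 8, 30)), # properly revoked
    Credential("K-4", "V-100", "iam_role", True, None),                # never used
    Credential("K-5", "V-999", "vpn", True, date(2026, 1, 5)),         # no vendor record
]

def residual_access_report(as_of=date(2026, 5, 1)):
    """Run the check over the sample inventory as of a fixed review date."""
    return find_residual_access(VENDORS, CREDENTIALS, as_of)
```

In practice the two inputs come from the contract register and from each identity system's credential export; the output is the list that the offboarding documentation step above should record as revoked, with who did it and when.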
A 2024 study by Mitratech found that 61% of companies had experienced a data breach caused by a third party. Residual vendor access is one of the most common vectors.
Regulatory Expectations: The 2023 Interagency Guidance
The FDIC FIL-29-2023 and companion releases from the OCC and Federal Reserve make clear that regulators now expect the same level of rigor for outsourced activities as for in-house operations. The key principles:
Risk-based scaling. More critical relationships require more oversight. But “standard” relationships still require a baseline process — you can’t have a tier that means “we do nothing.”
Board and senior management accountability. The guidance is explicit: senior management must understand the risks of third-party relationships, and the board must have visibility into those involving critical activities.
Documentation matters. Examiners will ask for evidence: risk assessments, due diligence files, monitoring results, contract terms. The inability to produce documentation is itself a finding.
Concentration risk. If multiple critical functions depend on the same vendor, that’s a risk that must be explicitly managed, monitored, and reported to the board. This mirrors requirements under DORA for EU entities.
So What?
Every vendor relationship starts with good intentions and ends with a data room full of half-completed questionnaires and a monitoring program that hasn’t run in two years. The organizations that don’t get burned have a few things in common: they tier their vendors ruthlessly, they treat onboarding and offboarding with equal rigor, and they treat the contract as a live document rather than an archival one.
Start with your Tier 1 vendors. If you can’t name them off the top of your head, that’s your first problem. If you don’t have current SOC 2 reports and completed due diligence on file for all of them, that’s your second.
The Third-Party Risk Management (TPRM) Kit includes due diligence questionnaires, a vendor tiering matrix, contract provision checklist, ongoing monitoring tracker, and an offboarding checklist — pre-built for the 2023 interagency guidance requirements.
Sources: OCC Interagency Guidance on Third-Party Risk Management (2023) · FDIC FIL-29-2023 · Ncontracts: Poor Vendor Risk Management Costs Bank $4.75 Million · UpGuard TPRM Framework (2026) · Mitratech Vendor Offboarding Checklist
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.