Third-Party Risk Assessment: The Complete Guide for Risk and Compliance Teams

A third-party risk assessment is a structured evaluation of the risks that a vendor, supplier, contractor, or partner introduces to your organisation. It covers cybersecurity, financial stability, regulatory compliance, operational resilience, reputational exposure, and ESG practices. The assessment produces a documented risk tier and a decision on whether to onboard, apply enhanced monitoring, or decline the relationship.

Vendor due diligence is the verification and investigation component of a third-party risk assessment. It refers to the process of checking what a vendor says against independent sources. A complete third-party risk assessment incorporates due diligence findings alongside risk scoring, a documented decision, and an ongoing monitoring plan.

The process runs in seven steps: classify the vendor by risk tier, collect structured information through a vendor questionnaire, verify responses against independent sources (corporate registries, sanctions databases, OSINT), score inherent risk, assess controls and score residual risk, document the risk decision, and set an ongoing monitoring cadence. Each step must produce a retrievable record for regulatory and audit purposes.

The six categories are cybersecurity and data privacy risk, regulatory and compliance risk, financial stability risk, operational and business continuity risk, reputational risk, and ESG and ethical risk. A complete assessment addresses all six. Missing any category leaves gaps that regulators and auditors will identify.

High-risk vendors require reassessment at least annually, with continuous monitoring between formal reviews. Standard-risk vendors warrant annual or biennial assessment. OCC Bulletin 2023-17 and FFIEC guidance require documented periodic reassessment for all critical third parties. One-time onboarding assessments are not sufficient.

No. Regulators including the OCC and FCA are explicit that questionnaire-only assessments do not meet due diligence standards. Independent verification against external sources is required. This includes corporate registries, court records, sanctions and PEP databases, adverse media, and open-source intelligence. FCA FG 18/5 specifically recommends internet-based OSINT checks as best practice.

Inherent risk is the raw level of risk a vendor introduces before any of their controls are considered. It is based on data sensitivity, service criticality, and regulatory exposure. Residual risk is what remains after reviewing and verifying the vendor’s controls, certifications, and track record. Risk decisions are based on residual risk, not inherent risk.

The primary US frameworks are OCC Bulletin 2023-17 for national banks and federal savings associations, FFIEC guidance on outsourcing technology services, NIST SP 800-161 for supply chain risk management, and FDIC guidance for state non-member banks. Financial institutions must demonstrate documented assessments and ongoing oversight to satisfy examination requirements.

Fourth-party risk is the risk introduced by your vendor’s vendors: the subcontractors and suppliers your third parties rely on. If a critical subcontractor has a data breach or becomes insolvent, that risk passes through to your organisation even though you have no direct contract with them. A complete third-party risk assessment identifies key subcontractor dependencies and assesses their risk profile.

OSINT (open-source intelligence) is the process of gathering and analysing information from publicly available sources including news archives, court records, corporate filings, social media, and web content. It surfaces reputational risk, adverse media, and ownership discrepancies that structured database checks miss. Neotas searches 600Bn+ archived web pages and 40,000+ media sources in 40+ languages, covering content that standard due diligence databases do not index.

A third-party cyber risk assessment is a focused evaluation of the cybersecurity posture of vendors and suppliers. It covers access controls, vulnerability management, incident response capability, data protection practices, and certifications such as SOC 2 and ISO 27001. It forms one component of a broader third-party risk assessment but can be conducted as a standalone exercise for technology and data vendors where cyber risk is the primary concern.

Most vendor risk platforms rely on questionnaires and structured database screening. Neotas adds OSINT coverage across 600Bn+ archived web pages, 1.8Bn+ court records, and 40,000+ media sources in 40+ languages, plus a human analyst layer for high-risk cases. The platform produces FCA and OCC-aligned audit outputs and supports continuous monitoring across the full vendor portfolio, not only point-in-time assessments.

Timeline depends on vendor complexity and risk tier. A simplified assessment for a low-risk vendor using automated screening completes in hours. A standard assessment covering questionnaire review and database checks takes 3 to 5 business days. An enhanced due diligence assessment for a high-risk vendor, including OSINT investigation and human analyst review, takes 5 to 10 business days. Neotas platform clients complete standard assessments in under 3 business days on average.

The Neotas Vendor Due Diligence Questionnaire (VDDQ) is a free, structured questionnaire that covers all six third-party risk categories: corporate and ownership information, cybersecurity controls, data handling, business continuity, subcontractor dependencies, and ESG compliance. It is designed for risk and compliance teams to collect consistent, comparable vendor data at onboarding and periodic review. Download it free from this page.