Regulatory expectations around third-party and vendor management are no longer limited to heavily regulated industries like financial services and healthcare. Today, organizations across nearly every sector are being held accountable for how they manage third-party relationships, especially in the areas of cybersecurity, data privacy, and operational risk.
Regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and a growing number of state-level cybersecurity and data privacy laws are expanding the compliance landscape across nearly every industry. Even sector-specific rules—like the FTC Safeguards Rule or the NYDFS Cybersecurity Regulation—are influencing broader expectations around third-party risk management.
Meeting these expectations can feel overwhelming—not just getting the right policies and practices in place, but also keeping them current and actionable over time.
The good news? With the right approach, your third-party management policies can be both compliant and practical.
In this blog, I’ll share some of the lessons I’ve learned from helping organizations of all shapes and sizes design third-party management policies that check the regulatory boxes and actually work in the real world.
Start By Understanding Your Regulatory Landscape and Its Flexibility
A common misconception is that all regulations are prescriptive. In reality, most third-party management regulations are principle-based. They outline what’s expected—like assessing risk, monitoring performance, or protecting sensitive data—but they leave the how-to up to you.
This flexibility is intentional. Regulators recognize that organizations of different sizes and infrastructures face very different operating realities. Your resources, risk exposure, and internal processes should all shape how you apply the guidance.
Even when regulations include prescriptive requirements, those specifics can usually be embedded within a broader, adaptable framework. The trick is to lead with the principle and tailor the design.
Take risk assessments, for example.
A large organization might use a third-party tool like the SIG Core questionnaire—which includes over 600 questions covering everything from data handling to business continuity. That level of rigor makes sense for a global company with a full-time third-party risk team.
But for a smaller company, that approach would be overkill. Instead, they might develop a shorter, focused questionnaire that zeroes in on the risks most relevant to their business and regulatory obligations.
Both approaches satisfy regulatory requirements, but each is scaled to the organization's risk exposure, risk appetite, and capabilities.
Designing Right-Sized Policies That Work
Understanding the regulatory landscape is just the first step. The next—and most important—is translating that understanding into policies that are right-sized for your organization. That means designing policies that are grounded in regulatory principles but also aligned with how your organization actually operates.
Trying to adopt a one-size-fits-all policy—especially one you find on the internet or generate with an AI tool—will almost always lead to misalignment. Such policies don't align with your organization's priorities and operational practices, and they create challenges and complexity you don't need. That's where right-sizing comes in.
Effective policy design starts by understanding your organizational context. Ask yourself questions like:
- What are our strategic priorities? Are we focused on minimizing operational disruption? Controlling costs? Meeting specific regulatory requirements? Understanding what matters most to your organization will shape how your policies are built and enforced.
- What’s our third-party risk profile? What types of third parties do we work with—and which are most critical to our operations? Are they handling sensitive data, customer interactions, or key business functions? Focusing your effort on managing your most critical relationships is an important aspect of policy design.
- What’s our risk appetite? How much risk are we willing to tolerate across different categories (e.g., data security, business continuity, reputational harm)? Your policies should reflect the thresholds your leadership is comfortable with.
- What’s our operating model? Are we centralized or decentralized in how we manage third-party relationships? Who owns what across the lifecycle? Your policies need to clearly define roles and responsibilities, so everyone understands where their accountability begins and ends.
- What infrastructure do we have? Consider your technology systems, data tracking, and reporting capabilities. If you don’t have automation tools in place, don’t design policies that assume you do.
- What’s our internal capacity? Who’s actually doing the work—and how much time and expertise do they have? Your policy should match the bandwidth of the people tasked with implementation.
With these answers in hand, you can start designing policies around what matters most to your organization—policies that are practical and achievable while still meeting compliance standards.
5 Tips for Writing Third-Party Management Policies
When it’s time to actually write (or re-write) your policies, here are some key strategies to keep in mind:
- Follow a lifecycle-based framework. Ensure policies incorporate the entire lifecycle of working with a third party—from planning and due diligence through contracting, onboarding, ongoing monitoring, and offboarding. This makes policies easier to navigate and helps ensure you’re covering all the critical phases of third-party engagement.
- Structure around risk. Take a risk-based approach. Your critical and high-risk third parties require more detailed due diligence, monitoring, and management, while lower-risk ones can follow more streamlined procedures.
- Build in flexibility. Focus your policy language on principles—what needs to be done—while saving the specific how-to details for your procedures. This approach keeps your policies stable over time and allows procedures to adapt as tools, staffing, or practices evolve.
- Write for employees. Use clear, action-oriented language. Avoid jargon and legalese. Your policies should be written for the people who are actually carrying them out—not just for auditors or legal reviewers.
- Align policies with practice. Your written policies should reflect what actually happens in the organization. Regulators read policies, but they audit procedures. If there’s a disconnect, either your practices need to change—or your policies do.
Maintaining Policy Compliance for Long-Term Success
Strong third-party management policies are only effective if they’re consistently followed. Many organizations fall short not in writing policies, but in establishing the necessary governance, oversight, and continuous improvement to drive results and maintain compliance over time.
Here are some key elements to focus on:
- Establish clear ownership. Every policy should have a designated owner responsible for oversight, periodic review, and driving necessary updates. Ownership creates accountability and ensures policies don’t become outdated or forgotten.
- Implement oversight mechanisms. Governance committees should regularly review policy performance, assess issues, and ensure alignment with broader risk and compliance strategies. Reporting and dashboards can help maintain visibility and drive informed decision-making.
- Centralize support materials. A resource center is a great tool for helping employees follow policies on a day-to-day basis. How-to guides, job aids, FAQs, and other resources help to reduce confusion and promote consistent application.
- Track compliance and exceptions. Records of compliance reviews, exceptions granted, and any corrective actions taken should be documented and centrally maintained. This not only supports internal management but also demonstrates control to external auditors and regulators.
- Define a review and update schedule. Policies should be reviewed at least annually, or more frequently if there are regulatory changes or internal process updates. Make this schedule part of your governance calendar and stick to it.
Final Thoughts: Practical Policies That Drive Real Compliance
Strong third-party management policies are a cornerstone of regulatory compliance—but only if they’re designed and maintained with intention. The most effective policies aren’t the longest or the most complex. They’re the ones that reflect your organization’s priorities, scale to your capabilities, and hold up under scrutiny because they’re actually being followed.
Whether you’re building new policies or refining existing ones, the key is balance: aligning with regulatory expectations while grounding everything in how your organization actually operates.
With thoughtful design, strong governance, and a commitment to continuous improvement, your policies can become more than just a compliance requirement—they can be a practical tool for managing risk and driving consistency across your third-party relationships.