Three Tips for a Strong Third-Party Risk Management Strategy
By Bill Fortwangler, Adjunct Faculty, Heinz College of Information Systems and Public Policy
If you want your third-party risk management program to work, you need more than policies and checklists. You need to manage the relationship from the ground up. After decades of working with vendors in complex IT environments, I’ve learned that the foundation comes down to three things: contracts, statements of work, and performance discipline.
1. Get the Contracts Right
The master services agreement sets the tone. Make sure termination clauses, licensing models, and Consumer Price Index adjustments are clearly defined. If they’re vague, you’ll pay for it later. I’ve seen companies hit with 30–40% price increases at renewal simply because they didn’t lock in licensing terms up front.
2. Nail the Statement of Work
The statement of work is where most organizations stumble. Don’t leave deliverables open-ended. Define what will be delivered, when it will be delivered, and how quality will be measured. Tie payments directly to those milestones. Think of it like building a house: you don’t pay the builder just because time passed; you pay when the foundation is poured and the framing is complete.
3. Monitor and Hold Vendors Accountable
Your job doesn’t end when the ink dries on the contract. Monitor vendor performance and measure it against the standards you set. Make sure quality metrics are in place, and don’t pay for work that falls short. Vendors are partners, but they’re also accountable for results.
Final Thought
Third-party risk management isn’t about paperwork. It’s about building strong, enforceable agreements and holding vendors accountable. If you get contracts, statements of work, and performance discipline right, you’ve already solved most of the risk equation.
Bill Fortwangler is Executive Vice President and Chief Information Officer at Dollar Bank and an adjunct professor in Carnegie Mellon University’s Chief Information and Digital Officer (CIDO) Certificate Program. With more than 30 years of IT leadership experience across financial services, manufacturing, and education, he is known for transforming legacy organizations into proactive, value-driven business partners. Recognized as CIO of the Year by the Pittsburgh Technology Council, Fortwangler brings a pragmatic, people-first approach to leading large-scale technology and culture change—expertise he now shares with CIDO participants preparing to elevate their own impact as digital leaders.
Learn from leaders like Bill Fortwangler in the Chief Information and Digital Officer (CIDO) Executive Education Program at Carnegie Mellon University’s Heinz College.