casemark/managing-third-party-risk
skills/finance/managing-third-party-risk/SKILL.md
Structures vendor and third-party risk assessment with due diligence, monitoring, and concentration analysis. Use when assessing vendor risk, conducting third-party due diligence, or monitoring outsourcing risk.
$ install --global
skillsauthnpx skillsauth add casemark/skills managing-third-party-riskInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 24, 2026, 3:45 AM194.3s1 file scanned
SKILL.md
- name:
- managing-third-party-risk
- language:
- en
- description:
- Structures vendor and third-party risk assessment with due diligence, monitoring, and concentration analysis. Use when assessing vendor risk, conducting third-party due diligence, or monitoring outsourcing risk.
- author:
- casemark
Managing Third Party Risk
Structures vendor and third-party risk assessment with due diligence, monitoring, and concentration analysis.
When To Use
- Onboarding a new vendor, outsourcing partner, or critical service provider
- Performing periodic re-assessment of existing third-party relationships
- Evaluating concentration risk across vendor portfolios (e.g., single cloud provider, dominant counterparty)
- Responding to a third-party incident, control failure, or regulatory finding
- Preparing for regulatory examinations that cover outsourcing and vendor management (OCC, FFIEC, EBA guidelines) [VERIFY jurisdiction-specific rules]
Inputs To Gather
- Vendor inventory: Complete list of third parties including name, service category, contract value, contract term, and business owner
- Criticality classification: Whether the vendor supports a critical business function, handles sensitive data, or has customer-facing exposure
- Due diligence package: SOC 2 / ISO 27001 reports, financial statements, business continuity plans, insurance certificates, and any prior audit findings
- Regulatory requirements: Applicable guidance (e.g., OCC Bulletin 2013-29, DORA, APRA CPS 230) [VERIFY which frameworks apply]
- Existing risk ratings: Prior tiering, residual risk scores, and open remediation items
- Concentration data: Revenue share per vendor, geographic overlap, technology dependency mapping, fourth-party (subcontractor) disclosures
Workflow
-
Tier the vendor population
- Assign each third party to a risk tier (Critical / High / Medium / Low) based on data sensitivity, operational dependency, regulatory exposure, and substitutability
- Critical-tier vendors trigger full due diligence; low-tier vendors require abbreviated assessment
-
Conduct due diligence
- Collect and review SOC reports, financials, BCP/DR plans, and cybersecurity questionnaires
- Flag gaps: missing reports, qualified audit opinions, declining financial ratios, unresolved findings
- For critical vendors, assess fourth-party risk — identify key subcontractors and their controls
-
Score inherent and residual risk
- Rate each vendor across dimensions: operational, financial, cyber/information security, regulatory/compliance, reputational, and geopolitical
- Apply mitigating controls (contractual protections, SLA penalties, escrow, audit rights) to arrive at residual risk
- Document risk acceptance rationale when residual risk exceeds appetite
-
Analyze concentration risk
- Map vendor dependencies to business lines and geographies
- Identify single points of failure: one vendor serving multiple critical functions, heavy reliance on one jurisdiction, shared technology stack
- Calculate concentration metrics (e.g., top-5 vendor spend as % of total outsourced spend)
-
Build monitoring and escalation framework
- Define KRIs per tier: SLA breach rate, financial health triggers, incident frequency, audit finding closure rate
- Set review cadence: quarterly for critical, annually for high, biennial or event-driven for medium/low
- Establish escalation paths: who is notified when a KRI breaches threshold, what triggers contract re-negotiation or exit planning
-
Document and report
- Produce a third-party risk register with current tier, residual score, open issues, and next review date
- Prepare board/committee-level summary: aggregate risk heatmap, concentration dashboard, material exceptions
Output
- Third-party risk register: Vendor name, tier, inherent/residual risk scores, key findings, remediation status, next review date
- Concentration analysis: Dashboard showing spend concentration, geographic concentration, and fourth-party overlap
- Due diligence summary per vendor: Controls assessment, gap list, and recommended mitigants
- Executive risk report: Heatmap of vendor risk by category, trend vs. prior period, material exceptions requiring escalation
- Monitoring plan: KRI definitions, thresholds, review cadence, and escalation matrix
Quality Checks
- Every critical-tier vendor has a completed due diligence file dated within the applicable review cycle [VERIFY required frequency per regulation]
- Concentration thresholds are defined and tested — no single vendor exceeds the board-approved limit without documented risk acceptance
- Risk scores use a consistent methodology across all vendors; scoring criteria are documented and repeatable
- Fourth-party dependencies are identified for all critical vendors; gaps are flagged rather than omitted
- Regulatory mapping is current — confirm the applicable supervisory guidance matches the entity's charter, jurisdiction, and license type [VERIFY]
- All open remediation items have assigned owners, target dates, and status tracking
- Mark any data point sourced from vendor self-attestation (vs. independent audit) with [VERIFY]
Related Skills
casemark/skills/legal/automated-contract-summary
development
VerifiedTrustedCommunity
name: automated-contract-summary language: en description: Generates structured executive summaries of contracts using ML — captures key terms, party obligations, risk allocations, and compliance requirements in a standardized format. Optimized for high-volume review where speed and consistency matter. tags: - summarization - agreement - corporate --- # Automated Contract Summarization Produces standardized executive summaries of contracts using machine learning, capturing essential term
21SKILL.mdUpdated May 26, 2026
casemark/obligation-mapping
tools
VerifiedTrustedCommunity
Extracts regulatory obligations from dense regulations across jurisdictions. Breaks down multi-level regulations into clear article-level obligations, classifies applicability to a business, and prioritizes by risk level. Use when translating regulations into actionable compliance requirements.
21SKILL.mdUpdated May 25, 2026
casemark/horizon-scanning
development
VerifiedTrustedCommunity
Continuously monitors regulatory landscapes for changes relevant to a specific business. Ingests global regulatory updates, filters by relevance, summarizes impact, and produces an actionable change advisory. Use when tracking regulatory developments affecting a particular product or market.
21SKILL.mdUpdated May 25, 2026
casemark/gap-analysis
testing
VerifiedTrustedCommunity
Compares an organization's existing compliance controls, policies, and procedures against extracted regulatory obligations to identify coverage gaps. Produces a remediation plan with prioritized actions. Use when assessing compliance maturity or preparing for regulatory audits.
21SKILL.mdUpdated May 25, 2026