How do you monitor third-party risk?
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
(1) Inventory: maintain a complete register of all third parties. (2) Risk-classify: based on data access, criticality, jurisdiction, service type. (3) Due diligence: proportional to risk (financial checks, sanctions screening, on-site visits for critical vendors). (4) Contractual protections: SLA, audit rights, liability, termination. (5) Ongoing monitoring: performance tracking, incident reporting, periodic reassessment. (6) Exit planning: ensure continuity if vendor relationship terminates.
WHAT INTERVIEWERS LISTEN FOR
- ✓Complete third-party inventory
- ✓Risk-based classification
- ✓Proportional due diligence
- ✓Contractual protections
- ✓Ongoing monitoring and reassessment
COMMON MISTAKES
- ✗Treating all vendors equally
- ✗No exit planning
- ✗Ignoring ongoing monitoring
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- How do you build a compliance culture?
- How do you handle a regulatory exam?
- How do you assess the effectiveness of a compliance program?
- How do you respond to a BaFin finding?
- How do you handle conflicting regulatory requirements across jurisdictions?
- How do you handle a data subject access request (DSAR)?