Answers / Risk & Compliance

How do you monitor third-party risk?

A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.

THE SHORT ANSWER

(1) Inventory: maintain a complete register of all third parties. (2) Risk-classify: based on data access, criticality, jurisdiction, service type. (3) Due diligence: proportional to risk (financial checks, sanctions screening, on-site visits for critical vendors). (4) Contractual protections: SLA, audit rights, liability, termination. (5) Ongoing monitoring: performance tracking, incident reporting, periodic reassessment. (6) Exit planning: ensure continuity if vendor relationship terminates.

WHAT INTERVIEWERS LISTEN FOR

  • Complete third-party inventory
  • Risk-based classification
  • Proportional due diligence
  • Contractual protections
  • Ongoing monitoring and reassessment

COMMON MISTAKES

  • Treating all vendors equally
  • No exit planning
  • Ignoring ongoing monitoring

Reading isn't the same as answering under pressure.

Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.

TRY QUICKFIRE →Or train full Risk & Compliance case simulations →

RELATED QUESTIONS