4 Important Vendor Risk Management FAQs for Beginners

Podcast Transcript

Welcome to this week’s Third Party Thursday! My name is Kay Perry and I’m the Senior Relationship Manager here at Venminder.

Today we’re going to discuss four important vendor risk management frequently asked questions for beginners: what vendor risk management  is, why it’s important, who is involved and how vendor risk management is completed. Let’s get started.

First, what is vendor risk management? Vendor risk management is defined as the process of fully identifying all of the significant companies that aid in the delivery of a product or service to your organization or to your customers on behalf of the organization. It involves controlling costs, driving service excellence and mitigating risk to gain increased value throughout the deal lifecycle. It’s also commonly referred to as vendor management or third party risk management. 

Next, why is vendor risk management important? There are a few reasons:

1. Proper vendor risk management is essential to protecting an organization, its customers and all proprietary information
2. Performing vendor risk management is a sound business practice
3. It helps mitigate risk
4. It’s a regulatory expectation. We consider this probably to be the most important reason of all. Examiners will expect to see guidance and recommendations implemented within an organization’s vendor management program.

Who all is involved? The answer can get kind of convoluted. Setting the tone from the top you have examiners, the board and senior management. They are overseeing the program and are definitely involved. When a change occurs regarding a high risk or critical vendor the board should be involved. Regarding examiners, they can be internal and external, as vendor risk becomes a key component of exams for both internal and external audits. Senior management may be involved directly or indirectly but they should have some insight, even if it’s just by being the ones to report results to the organization’s risk committee. 

Next you have your different departments and areas of expertise. Often times this includes internal audit, the lines of business (first, second and third), vendor oversight managers and subject matter experts. Externally, there are the vendor owners, your outsourced provider and even the outsourced provider’s vendor, aka your fourth party. 

Finally, it all filters down to your most valuable asset. Your customer.

Finally, how is vendor risk management completed? Honestly, this could be a very long response as there is a lot involved in completing vendor risk management. We encourage you to take a look at OCC Bulletin 2013-29. It outlines the vendor management lifecycle in greater detail and is a great guide for how the process should flow. The lifecycle is the following:

• First, you have the planning phase. This is where you’ll build out your vendor policy and program documentation.
• Second, you move to due diligence and third party selection. This is pre-contract.
• Third, there is contract negotiation. This is the time to set expectations and responsibilities.
• Fourth is ongoing monitoring. You must always continue to complete vendor due diligence and risk assessments periodically even after the contract is executed.
• And finally, the last phase of the lifecycle is termination. It’s important to understand how data assets will be returned, exit strategies and more if you or the vendor decides to terminate the contract.

Understanding the lifecycle will give you a strong base regarding how to complete vendor risk management.

I hope you’ve found this podcast to be helpful. Again, I’m Kay Perry and thanks for tuning in to this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.