Welcome to this week’s Third Party Thursday! My name is Kay Perry and I’m the Senior Relationship Manager here at Venminder.
Today we’re going to discuss four important vendor risk management frequently asked questions for beginners: what vendor risk management is, why it’s important, who is involved and how vendor risk management is completed. Let’s get started.
First, what is vendor risk management? Vendor risk management is defined as the process of fully identifying all of the significant companies that aid in the delivery of a product or service to your organization or to your customers on behalf of the organization. It involves controlling costs, driving service excellence and mitigating risk to gain increased value throughout the deal lifecycle. It’s also commonly referred to as vendor management or third party risk management.
Next, why is vendor risk management important? There are a few reasons:
Who all is involved? The answer can get kind of convoluted. Setting the tone from the top, you have examiners, the board and senior management. They are overseeing the program and are definitely involved. When a change occurs regarding a high-risk or critical vendor, the board should be involved. Regarding examiners, they can be internal and external, as vendor risk becomes a key component of exams for both internal and external audits. Senior management may be involved directly or indirectly, but they should have some insight, even if it’s just by being the ones to report results to the organization’s risk committee.
Next you have your different departments and areas of expertise. Oftentimes this includes internal audit, the lines of business (first, second and third), vendor oversight managers and subject matter experts. Externally, there are the vendor owners, your outsourced provider and even the outsourced provider’s vendor, aka your fourth party.
Finally, it all filters down to your most valuable asset. Your customer.
Finally, how is vendor risk management completed? Honestly, this could be a very long response as there is a lot involved in completing vendor risk management. We encourage you to take a look at OCC Bulletin 2013-29. It outlines the vendor management lifecycle in greater detail and is a great guide for how the process should flow. The lifecycle is the following:
Understanding the lifecycle will give you a strong base regarding how to complete vendor risk management.
I hope you’ve found this podcast to be helpful. Again, I’m Kay Perry and thanks for tuning in to this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.