The most successful vendor management programs include continuous third party monitoring. By this, I mean that the vendor management team doesn’t cease all third party monitoring after vendor selection and onboarding is finished. Continuous third party monitoring is always top of mind and a constant process that is being improved upon.
4 Third Party Monitoring Steps
Here are four steps of third party monitoring you should implement into your program today for a strong third party monitoring foundation:
- Implement a comprehensive tracking system. Determine the best way for your organization to track significant third party dates. Some “milestones”, if you will, that you’ll want to track include:
- Contract expirations dates
- Contract notice of non-renewal dates
- Vendor risk assessment expirations
- All other due diligence expirations (e.g., SOC, BCP, cybersecurity assessment, insurance certificates, PCI certification, etc.)
Some organizations use spreadsheets to accomplish this. While spreadsheets may be a suitable option at first, as your organization grows and matures, it will prove difficult to track all of the information in a document that is tedious to update and doesn’t have a change history report to help track who made a change and when. As a best practice, it’s recommended you have some type of software platform to track these dates. It ensures consistency and also betters your odds of not missing a key date. There’s much less room for error.
- Periodically analyze due diligence. One of the most important steps in third party monitoring is to periodically request the most current vendor due diligence and perform a full review. For example, every year the vendor will release a new financial statement or a similar financial document. Therefore, in this case, you must request the new financials and perform a full financial review just like you did when you initially vetted the vendor to see if they would be a good fit for the organization.
Why do you need to gather and analyze documentation again if you’ve already done your due diligence in the past? Well, simply put, risk fluctuates. While the third party may have shown you very positive financial probability at first, they could suddenly have poor financials which may indicate an underlying problem and put your organization at exponential risk.
- Implement strong reporting. You want to report to senior management and the board any issues with your critical and/or high-risk vendors as well as any significant changes and updates. Some items you’ll want to report on include service level/performance, risk rating changes, financials, regulation changes, etc.
- Change Management. Require your vendor to notify you when things change – maybe it’s management, strategic direction or discontinuation of a key product your rely upon. It could also be a material change in their financial condition. Whatever it is, you need to know.
Third party monitoring isn’t all that challenging when you really think about it. It becomes challenging when an organization lacks an organized program. As long as you stay organized, make periodic updates to due diligence and continuously stay on top of monitoring vendors, you will reap the benefits of a successful third party risk management program without the stress of having to play catch up or the worry of missing out on important changes in the risk profile of your third parties. Remember, if there are areas of concern, please be sure to document them and report them to your senior management team and board.
Make sure you are including all the right steps in your third party risk procedure. Download the checklist.