I'm often asked what sort of things a third party risk or compliance manager might be asked to have ready for an examination that's going to touch on third party risk management. Well, there's good news and there's bad news.
The good news is that unless it's a targeted exam, it's probably not going to be specifically all about third party risk management, which takes some weight off of you. The bad news is, on the flip side, that since there's no template for specific documents, there's no easy way to know exactly what to expect or what to have available.
8 Items to Have Ready For An Examiner's Arrival
I recommend you start with the examiner's request list and look for any items, specifically or otherwise, that could involve third party risk management. Next, make sure you have those items ready to go. After you’ve thoroughly reviewed the request list, there are a few things I'd suggest you do routinely and have available in addition:
- The most current policy and program. Be absolutely certain your third party risk management policy and program documents are up to date and, ideally, board approved. The approval should be within a reasonable time period, such as less than a year.
- Your reports and meeting minutes. Ensure you have handy copies of reporting supplied to senior management and the board and, if practical, minutes reflecting the discussion of such activity (pro tip: be sure that it's fine to hand over the minutes, or have them redacted to show only the portion you need to show, so as not to share superfluous information that could invite other inquiries).
- A vendor list that is accurate, up-to-date and separated by level of risk. It’s a good time to go back and make sure the scope statement in your program document matches whom you have on your vendor list.
- Assemble samples of work product, particularly on your highest risk vendors, including proof of ongoing monitoring. This pillar of third party risk is often overlooked and should not be!
- Be ready to share educational information. Consider any particular education you may want to share with the examiners on how you manage third party risk.
- Assemble an organization chart and biographies of key members of the management team. Make this specific to third party risk management.
- Organization-wide education statistics. Record the hours and number of people educated on responsibilities for third party risk issues and be ready to present this to the examiner.
- Make sure to review your regulatory guidance – not just your prudential regulator's but also the FFIEC IT Examination Handbook – it's the play by play of what the examiner may reasonably ask or expect to see.
One Final Tip
Finally, while I know we're all eager to impress examiners or hope to get things over with quickly, don't share items until asked. Once requested, supply the document quickly, but take the time to review each item thoroughly; having a second set of eyes look at it can help.
Also be sure to meet with the examiner to clarify any questions or even educate them, if needed, on ways in which your practices may have changed or may be different from what they are accustomed to reviewing. It’s always better to clarify items ahead of time rather than scrambling when the draft report is issued. In other words, don't just dump all of the documentation on the examiner.
Exams can be stressful, but if you're professional, well-organized and deliberate in your preparation, you've actually accomplished quite a lot before the exam even happens. For more tips on preparing for a third party risk management examination, download our eBook.