
The Dos and Don’ts of Vendor Risk Management

Feb 27, 2019 by Branan Cooper

Most of us have them – little bad habits here and there that we’ve become accustomed to and have integrated into our routine. When it comes to vendor risk management, a bad habit isn’t something to take lightly. It can be a costly mistake.

Be preemptive and address any “Don’ts” of vendor risk management that you’re doing and replace them with the recommended “Dos”. 

Here are five common scenarios:

1. Outsourcing

DO: Understand that even though your organization outsourced to a third party for insight and assistance you still can’t outsource the responsibility. You should continue to follow up on the progress and be aware of what is going on.

DON’T: Our organization has outsourced an activity, so we don’t have to worry about it now. It’s no longer our responsibility.

2. Ongoing Monitoring

DO: Remember, due diligence during the vendor selection phase is just one critical phase of the vendor lifecycle. You should also perform extensive due diligence on the vendor as part of your annual or “as needed” ongoing monitoring. Continued oversight, and the mitigation of any new risk it uncovers, is a regulatory requirement.

DON’T: We performed sufficient due diligence during the vendor vetting phase and have determined the vendor to be satisfactory. Now that we’ve signed the contract, we’re good to go and can sit back and relax.

3. Board Updates

DO: Always, always, always keep the board informed, and especially keep them in the know about any concerns that are discovered regarding a high risk or critical vendor.

DON’T: Our board received an update at our quarterly meeting a month and a half ago, so I don’t need to update them about our critical vendor’s weak financials that I just discovered.

4. Requesting Documents

DO: Get creative. If you’re not having any luck requesting the document by email or phone, then consider an on-site visit. Also, be sure to document every single attempt to reach out. Your examiners and board will want to see the efforts.

DON’T: I can’t get in contact with the vendor to obtain the SOC report. Oh well, I’ve tried.

5. First Line of Defense Communication

DO: Consider what the first line has to say. They are the eyes and ears daily. They can give you some of the best insight regarding the vendor’s responsiveness, performance and product/service quality.

DON’T: The first line communicates with the vendor, but management should be the only ones to determine if the organization considers the vendor relationship to be a good fit or not.

As you can imagine, with many daily discussions with industry clients, I could list dozens of bad habit scenarios that I’ve seen. Revisiting your processes is a good way to validate that they are falling under the dos of vendor risk management instead of the don’ts. By breaking a bad habit as quickly as possible, you’re setting your organization up for vendor risk management success.


Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).
