Third-Party Risk Management Reporting: What You Need to Know

When you consider the number of risks to identify, assess and manage throughout the third-party risk lifecycle, it's easy to understand why reporting is an essential part of any third-party risk management (TPRM) program. Knowing what, when and whom to report to can be challenging with so many vendors, stakeholders and data points.

TPRM Program Reporting Metrics to Consider

For many industries, reporting is a regulatory requirement because the board and senior leadership are ultimately accountable for the organization's TPRM program. Even in a non-regulated organization, senior leadership will still need the information to determine the relative health and stability of the program and understand the amount and severity of risk in the vendor portfolio. Reporting data can also be used to confirm an organization’s compliance and make decisions regarding the TPRM program.

The below is not an all-inclusive list, but these are some reporting metrics to include:

• Vendor inventory: This should reflect the number of vendors by risk level or rating, clearly identifying critical vendors. Has the vendor population changed dramatically, grown or contracted? How many critical vendors do you have vs. the same period last year? Do you have a good full-time employee to vendor ratio?
• Risk assessments: This includes data collected from due diligence and periodic risk assessments. This metric should show how many vendors require these assessments and the number that are complete, on schedule or past due during a specific period. Document how many vendors weren’t approved during due diligence.
• Program compliance: Are your business lines following the required processes and procedures for TPRM? Are there late or missing deliverables? How many exceptions have there been and why? Are the vendor risk assessments and performance monitoring taking place on time and meeting the requirements?
• Vendor issues: Of your highest risk vendors, how many have open issues requiring remediation? Are any of those remediation activities delinquent? Have any of your high-risk or critical vendors had a breach or other major event? What about negative news? Material issues should be reported and monitored.
• New or emerging risks: Are there new risks that were not identified during the risk assessment stage? Are there emerging risks within an industry, your organization or the vendor? Are there any trends in vendor performance that merit action?
• Regulatory considerations: Have there been proposed regulatory updates or changes to current guidance? How will those changes affect your program, process and governance documents?

Reporting to Stakeholders

When you have identified the right reporting metrics for your program, you’ll need to consider what metrics to share in your reporting based on the stakeholder's level of interest, influence and impact.

Let's look at three common stakeholder groups and what they expect regarding reporting:

• Risk committees: Most organizations will have some type of risk committee, which has the collective role of identifying and mitigating risks before they become material issues. As such, TPRM reporting should provide a regular view of program compliance and focus on new and emerging risks, vendor issues and items requiring action. Once an issue is identified, a treatment plan should be established. It’s a best practice to always present issues needing action to the committee first. That way, the right people to solve the problem are engaged before the issue shows up on a senior leadership or board report.
• Senior leadership: Your organization's senior leadership (including executive leadership) is ultimately accountable for the health, stability and effectiveness of the TPRM program and will need to make decisions accordingly. Reporting to senior leadership should highlight items that need their approval or influence and should include a standard set of metrics (including targets and trends) to validate the program's health. These metrics include vendor portfolio size by risk rating, program compliance, significant vendor issues and new or emerging risks. Open issues appearing on this report should have an associated action plan.
• Board of directors: The board of directors is accountable for TPRM program oversight. Data provided to the board should enable them to assess if the program is effective and working as intended. Reporting to this group of stakeholders should include a high-level view of the program size, risk exposure, compliance and material risk issues.

Reporting Frequencies

Consistent and simple reporting is a best practice that will earn you the support and trust of the organization's business leaders. Ensure you include a concise executive summary with your regular reporting to highlight key data points found in the report and provide conclusions or recommendations for the rest of the data.

Here's a guideline of other regular reporting:

• Monthly: It's a good idea to report on any new or emerging risks monthly. You may also want to review challenges with your TPRM program, but keep in mind that you should be prepared to provide solutions to those problems.
• Quarterly: A quarterly report can provide insight on vendor performance levels and the status of your annual risk reviews. This may also be an appropriate time to review critical third parties and determine any next steps for terminating or exiting those contracts, if needed.
• Annually: The information provided in a yearly report should be more comprehensive to highlight the challenges and successes of your TPRM program. Use this information to evaluate trends in your vendor profile, such as the overall volume and different risk levels. It's also recommended to provide a roadmap of program goals to implement for the upcoming year.

Keep in mind that the reportable data from your TPRM program is most valuable when it drives action. Reporting for the sake of reporting without any context or solutions serves little purpose. Ensure that your organization's business leaders are equipped to make informed decisions and necessary improvements to your TPRM program.