How to Migrate Into a Third-Party Risk Management System

World class third-party risk management programs are 99 times out of 100 built on world class third-party risk management systems. With that in mind, it’s important to choose wisely! Pick a tool that meets your organization's requirements and then make sure to actually use it. Let's go through getting migrated onto it.  

What to Know About Migrating into a Third-Party Risk Management System

Initial Third-Party Risk Management Pitfalls

All third-party risk management programs start at the same place and travel through the same milestones to get to a third-party risk management system. At first, the individual lines of business hold the responsibility and accountability for every aspect of vendor management. They make the vendor selections, handle the vendor onboarding, work with the vendors every day and then rinse and repeat. And usually, items like due diligence, ongoing monitoring, risk assessments and reporting are only top-of-mind when an auditor or examiner requests them.

Third-party risk management programs are a team effort, and typically that means there are a lot of cooks in the kitchen. In the early stages, this often means moving through spreadsheets and some type of shared file system. However, the truth is that spreadsheets are more trouble than they’re worth. When the person who created the spreadsheet leaves the organization or gets promoted, no one knows how to use it properly to meet the organization’s needs! Don’t even get me started on shared file systems. Someone is always moving, deleting or editing the documentation you need to manage your third-party risk program.

Third-Party Risk Tricks and Tips to Help You Migrate into a System

There’s common issues that happens when developing a solid, third-party risk management system. You signed a contract for a third-party risk management system, and you have a very small team to operate and maintain it. Now what? This is where many are unsure.

The following will help you along the path to nirvana (no, not the group!):

SQUARE ONE: Learn everything you can about your chosen third-party risk management system. Pay attention to how the system handles each of the third-party risk management lifecycle stages (scoping, inherent risk and criticality assessment, due diligence residual risk determination, vendor selection and contract management, ongoing monitoring and termination).

SQUARE TWO: Define your reporting. What are you going to report to your board, the committee of the board you are assigned, your senior management team and your lines of business? The reporting you need will inform several of the decisions you’ll be making while setting up your third-party risk management system.      

SQUARE THREE: Establish tiers for your vendors. Group them into tiers that you assume they’ll be in before a formal risk assessment. Then when you complete the risk assessment, you’ll determine their true risk level. This is because you can’t treat every vendor the same upfront. There are never enough time or people for that. Create a three or four-tier system to categorize your vendors initially. I recommend critical, high-risk and everyone else.    

SQUARE FOUR: Start by inputting your critical and high-risk vendors. Once you’ve inputted those vendors, then add everyone else to the system as you have time. Don’t have the bandwidth? Make time or ask others to help… don’t let this one slide.    

SQUARE FIVE: Set up alerts! Automated alerting is your friend and it’ll save you. By defining the reporting in Square Two, you’re going to have a solid idea of who wants to know what and when. This knowledge helps set up alerts, so the right people get the right messages at the appropriate time.

SQUARE SIX: Determine the vendors you have paid over the last 12 to 24 months. You may need accounts payable's help with this.

SQUARE SEVEN: From the list in square six, identify each payee that isn’t a true “vendor” and remove them. To do this, dump the contents into a spreadsheet (yes, I understand the irony). You’ll find every expense account reimbursement and contribution to charities in the accounts payable system. Once you’ve removed the vendors who don’t need to be included, check the list you’re left with against what you have in your third-party risk management system to make sure you have identified every vendor that is a vendor to your organization.

SQUARE EIGHT: Review as a team and establish workflows. This is really a solid gold. Make sure to get your third-party risk management team together and run through the seven stages of the third-party risk management lifecycle, starting with planning, and begin the process of fleshing out the workflows you’ll expect. Treat your team’s workflow definitions as a straw man. Then, socialize your work product with the lines of business and your senior management team. The adjustments to your workflows will astonish you!

To Centralize or Not to Centralize?

What’s in an organization chart matters. Before you get wrapped around the axle of corporate culture and fail to note the light at the end of the tunnel really is the train, recall where we started… with the lines of business having complete control. At this point, you’ve begun to move the control from the lines of business to a centralized team. It’s normal for those who had the responsibility to get a little skittish with a new captain at the wheel. You may need to help your stakeholders understand the benefits of a centralized third-party risk management program.

Centralized programs are far easier to manage and operate than a decentralized program and offer the following advantages over other organizational models:

1. Increased Net Income – The difference in having a centralized third-party risk management program and having a decentralized program can be as much as a 2.5% increase in net income.
2. Consistency – We’re always looking for predictability. Decentralized models are less predictable. Centralized models give your organization the opportunity to manage your portfolio of vendors in a consistent manner.
3. Ease of Management – Centralized third-party risk management programs create visibility into vendors and internal departmental needs that you didn’t have access to before hence creating an ease of management.

At this point, you’re going to want to think seriously about creating an employee awareness campaign to ensure every member of your organization understands how the enterprise is going to handle third-party risk management moving forward and what’s expected of them when it comes to third-party risk management.

All of this will help you create a world class third-party risk management program. What about the system? Remember, strong third-party risk programs are built on strong risk management systems. Choose wisely!

Master the components that make up a successful vendor management program. Download the eBook.