The third-party risk oversight process doesn't end when the contract is signed. Your vendors’ performance must be monitored on an ongoing basis throughout the life of the relationship. But, how should you maintain ongoing monitoring and what are the best practices to follow?
In this blog, we'll explore why ongoing monitoring is necessary to monitor your vendor's performance and to identify new or emerging risks. We’ll also identify 12 best practices and resources for ongoing monitoring.
Why Is Ongoing Monitoring So Important?
Initial risk assessments and due diligence are completed during the onboarding stage and should be repeated on an annual basis. Still, it’s important to remember that a vendor's performance or risk profile can change rapidly, so it is necessary to monitor and manage your vendors continuously. Ongoing monitoring between annual assessments will provide vital data points to ensure that your vendor meets your expectations and has an acceptable risk profile.
Ongoing monitoring is a best practice because it helps identify risk and minimize surprises throughout the vendor risk management lifecycle. But it’s also a regulatory requirement for many organizations.
Reasons Ongoing Monitoring Benefits Your Organization
Here are two reasons ongoing monitoring benefits you:
- Ongoing monitoring is a strategic discipline that provides a clear picture of where you should focus your efforts.
Ongoing monitoring requires discipline, and while we outline several best practices, they’re all designed to provide a deeper look into the vendor to ensure you can identify and mitigate risk as much as possible. The information collected during this stage can highlight exactly where you need to pay attention. For example, suppose you're reviewing a vendor's most recent financial statement and notice a decline in financial condition. As a result, you would need to investigate the situation in order to determine if it will affect the products/services they provide to your organization (e.g., confirm they aren't planning to sunset a product or service).
- Ongoing monitoring ensures your vendor's performance is acceptable and that the intended value of the relationship is being delivered.
Organizations engage third-party vendors to help realize an opportunity or to solve a problem. If a vendor has poor performance or is too risky, the value of that relationship declines. When the value of the relationship is not as expected, your organization can lose money, waste resources, and suffer reputational damage, regulatory actions, or fines. Ongoing monitoring is necessary to confirm the value and output of vendor relationships and to protect the organization and its customers from unnecessary risks.
12 Ongoing Monitoring Best Practices
Here are 12 best practices to keep in mind for your third-party continuous monitoring efforts:
- Ensure data breach notification protocols are applied in their procedures and are included in your contracts.
- Monitor consumer complaints submitted internally or from online sources such as the CFPB complaint database.
- Create Google Alerts. Each alert can be specific to your vendor and include keywords that would cause concern if triggered.
- Incorporate commercially available vendor risk intelligence tools and services into your monitoring process. Risk Monitoring and alert services can provide unique insight into different vendor risk domains and supplement your organization's oversight efforts.
- Set reminders to monitor a vendor's quarterly financial filings if it's a publicly traded company. If it's a private company, request that your vendor sends you their financial report.
- Your organization should insist that the vendor notify you as soon as there is a change in leadership, pending litigation, or any other issue that might affect the relationship.
- Implement regular vendor performance reviews to address quarterly performance and address any service level concerns.
- Provide a framework for feedback from the first line of defense. Meet regularly, track concerns, and address any legitimate issues raised.
- Leverage social media outlets. Follow the vendor on LinkedIn, Twitter, and Facebook. Have updates sent to a separate email account, so your regular email doesn't get bogged down with information.
- Subscribe to industry articles that may highlight the vendor type.
- Check regularly for any litigation or enforcement actions.
- Establish regular risk reassessment and due diligence intervals to refresh risk data and ensure detailed subject matter analysis and reporting.
As part of your organization's third-party continuous monitoring process, you should record any vendor risk or performance findings as well as the required remediation. Be sure to track open issues through to completion and make sure to look for vendor risk or performance trends that may indicate new or emerging risks. If there are serious issues or red flags, inform your senior management and board of directors, especially if those issues concern a critical vendor.
Ongoing monitoring is essential for identifying, assessing, and managing your vendor risk and staying ahead of serious problems.