A truly successful third-party risk management structure involves a lot of moving parts, from organizing countless amounts of data and resources to communicating with an array of internal and external touchpoints. Sometimes it’s easy to get bogged down and forget the bigger picture. We won’t lie, it’s a big job. But the good news is there are a few clear ways to optimize your third-party management process.
Here are 5 ways to optimize your program:
1. Craft Strong Third-Party Risk Governance Documents
We recommend you start with a policy. A comprehensive third-party risk management policy is the foundation of a strong vendor management program; it’s really where it all begins. So, what is a policy? It’s a high-level document which instructs senior management and the board about the activities completed in the third-party risk management program. You can’t have a healthy program without a thorough policy.
Here are 4 reasons why:
- It’s your framework. The policy is the framework of how third-party risk management will be handled at your organization and dictates the board and senior management expectations.
- It’s your first step before drafting important supporting documentation. The program and procedures documents are supporting components that build on the policy. You must have a policy in place before you can properly draft the program and procedures. It’s a three-step process.
- It outlines your third-party risk management program’s purpose. By creating a policy, you’re establishing the standards your organization will follow to adequately manage vendors.
- It’s a great resource to look at during an internal audit. Periodically, your internal audit team should review your program to ensure what you say you do meets practice. To guide them, they’ll turn to the policy.
2. Enforce the Vendor Lifecycle & Track Responsibilities
Following the third-party risk management lifecycle (from planning all the way to termination) is a best practice which helps ensure your organization keeps all of its vendor relationships operating optimally. Maintaining each phase of the lifecycle while remaining clear on who is involved at each stage is key. Knowing the roles and responsibilities of all your lines of business, as well as those of the examiners, senior management, board, auditors, oversight managers, subject matter experts, vendor owners and both third and fourth parties, is the secret sauce to optimizing your third-party management processes.
3 questions to ask as you review:
- What is expected of each of these roles?
- Where are these expectations documented?
- Who is responsible for enforcing timely follow-through?
This is the oil that keeps the engine running. Ensuring responsibilities are appropriately assigned and tracked will take any third-party risk management program to the next level.
3. Leverage Internal Third-Party Risk Expertise
Communication and collaboration are instrumental in implementing a consistent third-party risk management program and processes. Each area requires attention from various levels of expertise, so leverage your internal resources to assist with third-party reviews.
Additionally, maintaining ongoing communication with your internal vendor management team is a great way to find gaps or items that may have been missed before, such as any disconnect between your third-party risk management policies and procedures and the final work product.
4. Stay Updated on Vendor Management News
Third-party risk management is constantly evolving. None of us are ever done learning, even the “professionals.” That being said, it’s crucial we all stay informed. Track it and report on it – it’s a real investment of time and resources.
Here are 5 ways you can do that:
- Attend industry events such as conferences and webinars. There is no shortage of free online courses out there. Track and take credit for the investment of time and money in ongoing education. Be sure to keep your senior management team and the board informed and well-educated, too.
- Read industry news and third-party risk management resources. Take the time to read industry infographics, eBooks, whitepapers and more.
- Set up Google News alerts. Focus on keywords, topics, your vendors and anything else that you want to learn more about or stay on top of.
- Read and understand the regulatory guidance. This is constantly changing so make sure to stay abreast of the most current guidance and follow special updates.
- Review enforcement actions and consumer complaints. These help you better understand what not to do (the CFPB complaint database is a helpful resource).
5. Remain Responsive to Audit and Examination Feedback
Exam time is always stressful and never easy. Whether it’s putting together a document request or handling a management response, audits and examinations require a lot of effort... not to mention that sitting through the exit meeting can be a bit uncomfortable for all parties involved. However, despite the added work and unease, it’s crucial that your organization responds to audit and exam feedback promptly.
Consider the following best practices:
- Curate your management response. Make sure to record every issue and craft a “management response” to each of the issues the examiners found. A management response indicates the steps you plan to take to resolve the issue.
- Revise your governance documentation where necessary. Really take a moment to pause after an exam. Review the exam’s findings thoroughly. You’ll likely find a combination of your program's governance documentation will need to be revised and some controls will need to be tweaked.
- Review and address open items. Exam findings will usually identify areas of weakness in your program. You'll want to take time to address each of these items before your next exam. Work with your team to assign an owner to each of these tasks and make sure to create a project plan with SMART goals, that is, goals which are Specific, Measurable, Attainable, Relevant and Time-Based.
Hopefully these tips can help bring your third-party risk management program up a notch and help streamline your processes.
Dive deeper into the different components involved in mastering third-party risk. Download the eBook.