6 Tips to Optimize Vendor Risk Management

I’m willing to bet anyone who’s been in risk management longer than five seconds knows one thing to be true: it’s not for wimps. Third-party risk management is a complex industry, with many areas which need ongoing oversight and support. It can take years to get a solid program off the ground. But the good news is, there’s always room for improvement… no matter where your organization lies on the maturity spectrum.

6 Techniques For Upgrading Your Risk Management Program

Here are a few tips to help optimize your vendor risk program: big or small, young or old.

1. Follow the vendor risk management lifecycle.

Ensure you follow the vendor risk management lifecycle (from scoping all the way to termination). This is a best practice which helps keep your organization on track and managing its vendor relationships optimally. Remember, the frequency of your ongoing vendor due diligence will be at least annually for your critical and high-risk vendors – unless there is an issue with the vendor, which could of course increase the frequency.

2. Let documentation be your foundation.

Crafting strong third-party risk governance documents is the foundation of any truly effective third-party risk management program. The strength of your vendor management program relies on a robust, well-developed policy.  

• Step 1: Start by developing your policy, which is a high-level document guiding the enterprise and empowering senior management at the behest of the board.
• Step 2: Add a solid set of processes and procedures in your program document and you’ll be good-to-go!
• Step 3: Include your internal vendor oversight requirements in your program document.
  

3. Identify vendor risk management roles and responsibilities.

Remaining clear on the roles and responsibilities within vendor risk management, as your organization defines them, is another key to your success. Be sure to include the following in your governance documents, more specifically the program, regarding roles and responsibilities:

• The board as they set the tone-from-the-top and senior management will operationalize and facilitate the program for the enterprise
• The roles and responsibilities of everyone involved in third-party risk management, including your lines of business
• Examiners, auditors, compliance, enterprise risk management and line managers
• Subject matter experts and vendor owners

• Capture what is expected in each role
• Ask yourself how expectations will be communicated to your stakeholders
• Define your third-party risk management reporting upfront
• Consider how you’ll handle exceptions if/when someone doesn’t comply with your program’s policy and procedures

4. Lean on the experts.

Third-party risk management was never intended to be a one-person show. It takes the knowledge and collaboration of multiple teams and subject matter experts to make it work. Don’t try to shoulder it alone. Be sure to do the following:

• Develop a culture of ongoing communication with your internal vendor management team 
• Leverage outside help to pinpoint gaps in your third-party risk management program and with any third-party vendor’s service delivery, as needed

Pro-tip: Look into a software as a service (SaaS) platform with experts on staff that can help you automate your process and keep track of all your documentation. This is a great resource during any exam, external audit or internal audit.

5. Don’t put audit feedback on the backburner.

You have two choices when it comes to exams and audits; you can view them as one step above a root canal or as an opportunity to improve your program and your organization. Nobody likes exams and audits; they are often stressful and awkward. Worse, they typically require more work on the backend. It’s important to try to look at exams and audits as opportunities to use your examiners and auditors to help you strengthen your program.

Auditors provide guidance to help organizations stay in line with current regulatory requirements, so it’s important to be prompt when it comes to responding to findings.

Here are four ways to get started:

• Create a management response. Every finding should have a management response, even if it is something as simple as, “Agreed.” List every finding and include your management responses for each and indicate how you plan to resolve the issues. 
• Create a tracker. A tracker is a list of every finding from an audit or exam and the response to each finding. No finding is too small to track. 

• Make changes to your governance documents annually. Pause and reflect on your third-party risk management program at least annually. Use the findings from your latest exam or audit to help guide any changes you may need to make to your governance documents. Typically, you’ll find a combination of areas which need to be addressed or tweaked, and a few controls which need to be put in place. The best advice anyone can give you here is to plan the work and work the plan!
• Use your third line of defense. Engage your internal audit team well before any exam or audit. They really are there to help you improve your program. Your internal audit team will have a copy of any audit and exam findings. Make sure to work with internal audit between exams to ensure all findings are resolved in an acceptable manner. In other words, make internal audit part of your third-party risk management team.

6. Put vendor documents under a microscope.

Every from contracts to business continuity and disaster recovery plans, as well as cyber reports and policies, and financial reports — anything and everything from your vendors must be analyzed in detail. These are not just meant to be stuffed in the proverbial filing cabinet or blindly signed off.

Here’s a few ways to help streamline vendor documents:

• Utilize vendor management platform
• Connect with your business continuity team
• Ditch the excel spreadsheets. Track due diligence and contract expiration dates via your chosen vendor management platform
• Centralize all your documents

Tip to Know: Findings that refer to a lack of control in a specific area may not be something that has to be addressed. For example, a control you’re unaware of may already be in place, and by utilizing your internal audit team, you can make sure that you’re on the right track when addressing control findings. Internal audit will know where all the control points are and can tell you if you’re about to duplicate or negate any existing controls. 

Optimizing third-party risk management is an ongoing project. The truth is, it never really ends. It’s important to remain vigilant, stay on top of industry regulations and leverage all the resources and technology at your disposal. Making simple changes in your third-party risk management program can have huge effects on its efficiency and strength in both the short and long-term.

Learn how other organizations are managing their third-party risk processes in this whitepaper. Download your copy here.