Regulatory guidance is clear – you must keep your senior management team and the board informed on developments in the third party risk management program, particularly on activities related to your critical third parties.
But what does board third party risk management reporting actually look like in the real world?
Board Vendor Management Meetings
For starters, you should carefully evaluate which meetings need to be established or which ones you should regularly attend. You need to establish a sustainable, repeatable circuit of meetings – perhaps...
- update your risk committee monthly
- update your board quarterly
- if something dramatic occurs, know which group of people to update on those details
You should make sure that all of this is captured in writing – the guidelines should be spelled out in your third party risk management program and clear in your company’s enterprise risk policy. It’s not enough to simply submit a packet of reports, you should have evidence of the discussion in the minutes of the meeting.
Vendor Management Reports for the Board
You'll want to submit particular reports to the board to make sure they are kept in the loop and involved. Examples of reports/information to share include:
- Total inventory of third parties. It's important to make sure you've got all of the ones you need to actively manage.
- Listed new vetted and approved third parties. Include newly approved parties, proposed new parties and their relative risk.
- Listed terminations of third parties. Whether it's a recommendation to terminate or recent actions, be sure to include.
- Describing any significant changes of third parties. Focus on high risk third parties or ones with significant changes.
- Number of critical vs non critical third parties and any changes. When things change, it means that there is an issue demanding your attention to see if it changes your feeling on the overall relationship.
- Risk assessment ratings of the third parties – how many high, medium or low? And changes. Report out how many are critical or not; how many are high risk.
- Number on active monitoring programs and some relevant statistics. Tailored ongoing monitoring is crucial to stay abreast of potential concerns.
- Contracts up for renewal/non-renewal in next 12 months. Be sure you have plenty of time to review before a contract renews.
- Any new enforcement actions or relevant news on your third parties. Who's in the headlines and why?
Make sure you are able to discuss all of this information. Again, besides being a regulatory requirement, one of the best ways of getting the full support of your board and senior management is to keep them regularly updated.
Download our infographic to learn more about preparing board report packages.