
Board Third Party Risk Management Reporting Essentials

Jan 17, 2018 by Branan Cooper

Regulatory guidance is clear – you must keep your senior management team and the board informed on developments in the third party risk management program, particularly on activities related to your critical third parties.

But what does board third party risk management reporting actually look like in the real world?

Board Vendor Management Meetings

For starters, you should carefully evaluate which meetings need to be established or which ones you should regularly attend. You need to establish a sustainable, repeatable circuit of meetings – perhaps...

  • update your risk committee monthly
  • update your board quarterly
  • if something dramatic occurs, know which group of people to update on those details

You should make sure that all of this is captured in writing – the guidelines should be spelled out in your third party risk management program and clear in your company’s enterprise risk policy. It’s not enough to simply submit a packet of reports; you should also have evidence of the discussion in the minutes of the meeting.

Vendor Management Reports for the Board

You'll want to submit particular reports to the board to make sure they are kept in the loop and involved. Examples of reports/information to share include:

  • Total inventory of third parties. It's important to make sure you've got all of the ones you need to actively manage.
  • List of newly vetted and approved third parties. Include newly approved parties, proposed new parties and their relative risk.
  • List of third party terminations. Whether it's a recommendation to terminate or a recent action, be sure to include it.
  • Description of any significant changes to third parties. Focus on high risk third parties or ones with significant changes.
  • Number of critical vs. non-critical third parties and any changes. A change means there is an issue demanding your attention, so you can see whether it changes your feeling on the overall relationship.
  • Risk assessment ratings of the third parties – how many are high, medium or low, and any changes. Report how many are critical or not and how many are high risk.
  • Number on active monitoring programs and some relevant statistics. Tailored ongoing monitoring is crucial to stay abreast of potential concerns.
  • Contracts up for renewal/non-renewal in the next 12 months. Be sure you have plenty of time to review before a contract renews.
  • Any new enforcement actions or relevant news on your third parties. Who's in the headlines and why?

Make sure you are able to discuss all of this information. Again, besides being a regulatory requirement, one of the best ways of getting the full support of your board and senior management is to keep them regularly updated.

Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). He was also selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).