How to Level Up Your Third-Party Risk Management Compliance

Level 1: Centralize Your Vendor Contract Inventory

Many third-party risk management professionals struggle with this task, simply because of the sheer number of vendor documents that have been filed away throughout the years. But before you can begin managing third-party risk and compliance, you must be able to identify all your organization’s outsourced relationships. 

Obtaining a centralized repository for tracking and managing contracts is generally considered a fundamental “step one” for any TPRM program, and regulators will expect this at a bare minimum. 

Here are two simple steps to achieve this:

1. Store your contracts in a single place. Third-party risk management compliance will be much easier when you organize your vendor contracts in one location. This helps you identify any potential issues more quickly than if your contracts were dispersed across different locations. At a minimum, make sure to have a complete and updated list of your vendor engagements. 
   
2. Keep track of contract key terms/dates and internal ownership. When you have a holistic understanding of your vendor inventory, you can better leverage your third-party relationships and understand what risks they pose. Each industry will have different compliance requirements for this area, but it’s always a best practice to have awareness of your vendor environment.

This brings us to our next level of third-party risk management compliance.  

Level 2: Determine Vendor Risk and Criticality Metrics

After you’ve centralized your vendor contracts, it’s time to figure out where you might encounter issues that can negatively impact your organization. This requires careful managing and monitoring of data, which is significantly easier to do if you have a smaller vendor/contract inventory. 

However, consider the effort that’s required if you’re dealing with dozens or hundreds of vendors. In this case, you’ll fare much better by having a repeatable and reportable process that sorts and filters your vendors. Some vendors will need more attention than others, so it helps to have a method in place that can accurately rate a vendor’s inherent risk and criticality. 

Here are a few key areas that regulators will want to evaluate about your vendors: 

• Criticality – How much will your organization or its customers be impacted if the vendor were to fail or be disrupted?
  
• Data sharing/customer information – Does this vendor have access to customer data?
  
• Customer interaction – Does this vendor have direct contact with your customers?

Each industry will have different compliance requirements, with some regulators asking for more details. When you have a quick and easy process that identifies a vendor’s criticality and inherent risk, you’ll be better prepared to satisfy regulators.  

Level 3: Hold Your Vendors Accountable

This will probably be the most challenging step because it requires some participation from your vendors, who may not always prioritize the same goals. When it comes to third-party risk management compliance, your organization is ultimately responsible for meeting regulatory expectations both internally and within your vendor relationships.

For example, let’s say you’re in an industry that has specific data protection regulations. It’s unlikely that every single one of your vendors will be regulated by those same standards. However, it’s your responsibility to ensure the vendor is complying if they handle your information.

The best way to hold vendors accountable to regulatory expectations is to conduct risk-based due diligence. This simply means that you’ll use the vendor’s inherent risk and criticality to guide and prioritize your due diligence reviews. 

Due diligence is a highly complex process, but let’s just focus on some of the fundamentals for now. The following elements are often considered “minimal” due diligence:

1. Validation that the vendor is a legitimate business.
2. A review of OFAC, CFPB Complaint Database, and BBB for any negative news.
3. Proof that the vendor is in regulatory good standing for their own industry.
4. An assessment of its financial and reputation health.

The due diligence process can be challenging, so it helps to have a documented requirement detailing the information required based on the risks identified. It’s also important to dedicate resources to manage this process on an ongoing basis.

Vendor accountability should also involve the use of proper contract management. You’ll need to make sure that vendors are meeting both contract standards and regulatory standards. This can be done by implementing a process for escalating and reporting non-compliance.

Over the years, regulators have become slightly more detailed in their TPRM expectations. Still, the progress is gradual, and it can be tough to navigate your responsibilities when it comes to third-party risk management compliance. Each regulation often has different priorities, so the best approach is to get an understanding of industry best practices.