How to Level Up Your Third-Party Risk Management Compliance

Level 1: Centralize Your Vendor Contract Inventory

You might be thinking this is an obvious recommendation, but it’s still a huge pain point for many risk professionals who have endless amounts of documents filed away. After years of signing paper and digital vendor contracts, it’s often a major project to simply sort through and identify all the outsourced relationships in an organization. It’s a time-consuming process, but it must be done.

This is the fundamental “step one” for any organization to get a centralized repository for tracking and managing contracts. You can’t fully solve a problem without knowing what you’re working with and any regulator who knows anything about third-party risk management will want to see that you understand your outsourced relationships.

Here are two simple steps to achieve this:

1. Store your contracts in a single place. Organizing and centralizing your contracts in one location will help you catch any potential issues associated with outsourcing. At the very least, you should have a complete and updated list of your vendor engagements.
2. Keep track of contract key terms/dates and internal ownership. It’s essential to have a holistic understanding of your vendor inventory so you can better leverage your third parties and know what risks they pose. Each industry will have different requirements for third-party risk management programs, but this awareness of a vendor environment is a best practice for every organization.

This brings us to our next level of third-party risk management maturity…

Level 2: Determine Vendor Risk and Criticality Metrics

Now that you’ve centralized your vendor contracts, you’re expected to understand where you might encounter issues. If your vendor inventory and/or contract inventory is on the smaller side, you’re in luck. It’s easier to manage data and keep an eye on things when you only have a handful of vendors in your inventory.

However, you’re looking at a bigger job when you’re dealing with dozens or hundreds of vendors. If that’s the case, you’ll need to have a repeatable and reportable process to sort and filter them, as some vendors will need more attention than others. This is when it helps to have a methodology for rating a vendor’s inherent risk and criticality.

Here are a few key areas that your regulator will want to evaluate, as the relate to your vendors:

• Criticality – How much will this vendor’s business interruption or failure affect your organization or its customers?
• Data sharing/customer information – Does this vendor have access to customer data?
• Customer interaction – Does this vendor have direct contact with your customers?

As we mentioned before, each industry is different, and some will require more details. But overall, you’ll need to have a quick and easy process to understand what your vendor does, whether they’re critical and how much inherent risk they carry.

When it comes to compliance, your organization is responsible for making sure any outsourced endeavor continues to meet the regulatory expectations of YOUR organization… not the vendor. For example, let’s say you’re in an industry that has specific data protection regulations. It’s unlikely that every single one of your vendors will be regulated by those same standards. However, it’s your responsibility to ensure the vendor is complying if they handle your information.

Level 3: Hold Your Vendors Accountable

The only way to hold vendors accountable is by getting to know them by conducting risk-based due diligence. This means that you use the vendor’s inherent risk and criticality metrics to guide and prioritize your efforts. There’s a lot of gray area here, as there are many different ways to go about it. The good news is that as long as you’re sticking to the spirit of the rule (and can prove and justify your business decisions) you’re probably in the clear.

Generally speaking, your contracts need to have adequate terms in place, and you should make sure vendors are meeting the standards of that contract. Have a process in place for escalating and reporting situations where vendors aren’t complying, especially if their non-compliance is persistent.

There is an added element here for what we like to call “minimal” due diligence – which is basically the fundamental baseline check that you do for any vendor you engage to provide products or services. Here’s an example:

Make sure to:

1. Validate that they are, in fact, a legit business
2. Check OFAC list, CFPB Complaint Database and BBB for any negative news
3. Establish that they’re in regulatory good standing themselves (in their industry)
4. Assess financial and reputational health

The due diligence process can be challenging, so it helps to have a documented requirement that states what information is needed. It’s also important to dedicate resources to managing this process on an ongoing basis.

Despite their expectations, only a few regulators provide specific details on how to handle third-party risk management. Therefore, it can be a little tough to navigate what you’re responsible for when it comes to compliance. Furthermore, each regulation puts emphases on slightly different things. Regardless of your industry, the best approach is to get a feel for “best practices.”