Compliance is one of those business activities that can often feel like a juggling act. Not only do you have to ensure that your organization is complying with industry regulations and state and federal laws, but you also need to keep an eye on your third parties.
Whether you’re an expert in the topic or a complete beginner, very few people enjoy this tedious process. Even if you’re one of the lucky few in an industry with clear-cut, well-communicated regulations, there’s probably some red tape that makes compliance a difficult job.
Third-party risk management is one of those areas where people scratch their heads and wonder:
We all want to protect our organizations from third-party risk, but how far do we really need to go? After all, there’s no such thing as an endless budget, especially for non-revenue-generating functions like risk management. This dilemma often boils down to the basic question of: “How much money do I really need to throw at this problem to make sure I’m compliant?”
Let’s start with the bare minimum. From there, we’ll “level up” and work our way into the details of what a more mature third-party risk management program entails.
Level 1: Centralize Your Vendor Contract Inventory
You might be thinking this is an obvious recommendation, but it’s still a huge pain point for many risk professionals who have countless documents filed away. After years of signing paper and digital vendor contracts, it’s often a major project simply to sort through them and identify every outsourced relationship in the organization. It’s a time-consuming process, but it must be done.
Building a centralized repository for tracking and managing contracts is the fundamental “step one” for any organization. You can’t fully solve a problem without knowing what you’re working with, and any regulator who knows anything about third-party risk management will want to see that you understand your outsourced relationships.
Here are two simple steps to achieve this:
- Store your contracts in a single place. Organizing and centralizing your contracts in one location will help you catch any potential issues associated with outsourcing. At the very least, you should have a complete and up-to-date list of your vendor engagements.
- Keep track of key contract terms, dates and internal ownership. A holistic understanding of your vendor inventory lets you manage your third parties more effectively and know what risks they pose. Each industry will have different requirements for third-party risk management programs, but this awareness of the vendor environment is a best practice for every organization.
This brings us to our next level of third-party risk management maturity…
Level 2: Determine Vendor Risk and Criticality Metrics
Now that you’ve centralized your vendor contracts, you’re expected to understand where you might encounter issues. If your vendor and/or contract inventory is on the smaller side, you’re in luck: it’s easier to manage the data and keep an eye on things when you only have a handful of vendors.
However, you’re looking at a bigger job when you’re dealing with dozens or hundreds of vendors. In that case, you’ll need a repeatable and reportable process to sort and filter them, because some vendors will need more attention than others. This is when it helps to have a methodology for rating each vendor’s inherent risk and criticality.
Here are a few key areas that your regulator will want to evaluate, as they relate to your vendors:
As we mentioned before, each industry is different, and some will require more detail. Overall, though, you’ll need a quick and easy process to understand what each vendor does, whether they’re critical and how much inherent risk they carry.
When it comes to compliance, your organization is responsible for making sure any outsourced activity continues to meet the regulatory expectations that apply to YOUR organization… not the vendor’s. For example, say you’re in an industry with specific data protection regulations. It’s unlikely that every single one of your vendors is regulated under those same standards. Nevertheless, if a vendor handles your information, it’s your responsibility to ensure the vendor complies with them.
Level 3: Hold Your Vendors Accountable
The only way to hold vendors accountable is to get to know them by conducting risk-based due diligence. This means using each vendor’s inherent risk and criticality ratings to guide and prioritize your efforts. There’s a lot of gray area here, as there are many different ways to go about it. The good news is that as long as you stick to the spirit of the rule (and can document and justify your business decisions), you’re probably in the clear.
Generally speaking, your contracts need to have adequate terms in place, and you should verify that vendors are meeting the standards set in those contracts. Have a process for escalating and reporting situations where vendors aren’t complying, especially when the non-compliance is persistent.
There is an added element here that we like to call “minimal” due diligence: the baseline check you perform for any vendor you engage to provide products or services. For example, make sure to:
- Validate that they are, in fact, a legitimate business
- Screen them against the OFAC sanctions list, and check the CFPB Complaint Database and the BBB for complaints and negative news
- Establish that they’re in regulatory good standing themselves (in their own industry)
- Assess their financial and reputational health
The due diligence process can be challenging, so it helps to have a documented requirement that states what information is needed. It’s also important to dedicate resources to managing this process on an ongoing basis.
Despite their expectations, only a few regulators provide specific details on how to handle third-party risk management, so it can be tough to work out exactly what you’re responsible for. Furthermore, each regulation emphasizes slightly different things. Regardless of your industry, the best approach is to learn what the accepted best practices are and follow them.
These three levels are a solid foundation for improving compliance in any third-party risk management process or program. This is a complex business, but with those three bases covered you should be well on your way to a risk program with solid legs… and room for growth!