It’s the last month of the year! When you leave behind 2018, don’t leave behind third party risk management best practices though. We have the top 10 vendor risk management best practices to take with you into 2019. Check them out below!
Vendor Risk Management Best Practices for 2019
Here the top 10 are:
- Develop and document a firm set of third party risk management practices – policy, program and procedures. Be sure to revisit the documentation as guidance changes.
- Require that your third party risk policy and program receive annual approval from the board of directors. Your examiner will likely want to see the approval date and any discussion of it in the meeting minutes.
- Define standards for selecting a new third party and ensure the business units understand their vital role. Have a list of due diligence requirements that must be obtained and reviewed when vetting a vendor during the selection phase. Keep the business units informed at all times by outlining their roles in the procedures, continuing education and inviting them to meetings that can affect their roles and responsibilities.
- Review your vendor list. Understand your current vendor profile by requesting your vendor list from Accounts Payable and reviewing it on a regular basis. Ensure you have a firm understanding of who is actively managed and who is not – and note any reasons for exclusions – and who your critical, high, medium and low risk vendors are.
- Create a robust set of due diligence procedures, coupled with well-documented analyses. Ensure that your document collection is comprehensive and that the artifacts gathered are thoroughly analyzed by experienced subject matter experts (SMEs).
- Involve SMEs from around the organization, or even externally, to help with the review of complex matters like business continuity plans and cybersecurity initiatives. If you don’t have a SME at your organization who can perform a thorough, well-developed review of a vendor’s due diligence when necessary, outsourcing to a third party expert can often save time and guarantee work product that is high quality.
- Assess the risk of doing business with each vendor, paying close attention to both the business impact risk and the regulatory risk implications. The business impact analysis will determine if the vendor is critical or non-critical to the organization. The regulatory risk analysis determines if the vendor is low, medium or high risk based on criteria such as strategic, transactional, operational risk and more. It’s important to understand both levels for each vendor.
- Implement strong vendor contract management practices. A good practice is to keep it centralized with accurate tracking of key dates and terms so that a renewal/termination notice period or important date is not missed.
- Establish manageable and sustainable ongoing monitoring techniques tailored to the risk associated with the product or service. Not all vendors are created equal. Due to this, it’s imperative to no longer have a “check-the-box” mentality. Establish guidelines to monitor each vendor relationship that are unique to the product/service and the level of risk posed.
- Update all vendor documentation on a regular basis along with internal reports. Ensure that the frequency of updates is dictated by the level of risk represented by the specific product or service. Establish scalable processes for conducting a new risk assessment, ongoing monitoring/due diligence and contract structuring so that you can more easily make these updates.
These top 10 best practices will help you get the right foot forward when heading into 2019.
Understand the state of vendor risk management in 2019. Download the whitepaper now.