A vendor management policy is a document that informs senior management and the board about the activities provided in the vendor management program. A well-written vendor management policy is the foundation of a strong vendor management practice. It’s really where it all begins.
The policy identifies who is responsible for vendor management, acknowledges the applicable regulations, identifies the elements of managing vendors, broadly outlines concepts such as due diligence and risk assessments, and describes how you keep the senior management team and board informed. The policy is one of three documents we recommend creating and maintaining for a well-organized vendor management system: the policy, the program and the procedures. For today’s discussion, let’s focus solely on the policy.
Writing the Policy
Remember these tips when writing the policy:
- The policy should be written at a board of directors' level and should be fairly familiar to them. They need to be actively involved in vendor risk management, so this document should explain how to be involved and allow them to set the "tone from the top" that empowers senior management and the lines of business to enact the program and procedures.
- The policy should reference the appropriate regulatory guidance.
- In high-level terms, it should cover each of the pillars of third party risk management; the program documentation will later expand on each of them.
- It should be a short and concise document, perhaps 6 or 7 pages, and appropriate for executive level discussion.
Typically, the policy is also one of the first documents provided to examiners or auditors during a review of the third party risk management practices, so be sure to spend adequate time on the development of your policy.
Sections within the Policy
Often, the policy includes the following sections:
- An overview of the vendor risk management framework
- The purpose of third party risk management at your organization
- High-level details regarding each of the key functions such as selecting a vendor, analyzing risk, ongoing due diligence monitoring and other areas of third party risk management
- Applicable regulatory guidance citations
- The relationship to other areas of the risk management and compliance management practices
Involving Your Team
The policy should incorporate the input of subject matter experts from around the organization, but for consistency of tone, language and content, it should ultimately be written by one author. It usually takes several rounds of revisions to get it right, but it's quite important to make sure it's accurate and sets the right framework for the organization.
Involving the Board
Once written and finalized, take the time to educate the board of directors on it and ensure they understand their vital role in its success. Remember, you should have the policy formally approved by the board of directors. Track this by date stamping the document and recording the approval in the board meeting minutes as well. Keep in mind, it’s vital to update the policy annually, or as guidance changes, to keep it as current as possible. With each update, you’ll want to obtain the board's approval again.
Rolling Out to the Organization
Consistent with the manner in which you introduce other compliance and risk policies to your broader organization, the third party risk management policy should be shared with anyone involved in vendor management. Consider holding education sessions or "did you know?" luncheons with key members of the staff. Provide feedback and encourage input – after all, everyone has a role in compliance and risk management.