Exercise more, lose a few pounds, adopt a new hobby and spend more time with family and friends are all common New Year's resolutions.
Instead of losing weight for 2018, we've decided to focus on 10 vendor management New Year's resolutions that will be easier to keep!
- Have a well-documented policy and program for vendor management. Remember to follow the fundamental principles whilst creating these documents, or revising your current policy and program. They may be unique documents, but should correlate heavily. The policy is board level and appropriately high level, while the program is senior management level and more instructive. And, make sure to review annually and as regulations change.
- Ensure your vendor management practices cover all of the pillars of the regulatory guidance. There are a number of key concepts that must be understood, documented and, most importantly, put into practice to have an effective third party risk management program. These are what we call the 6 vendor management pillars. They are: selecting a vendor, risk assessment, due diligence, contractual standards, reporting and ongoing monitoring.
- Be responsive to audit recommendations. It's a good idea to implement the feedback that you receive from the auditors - they're trying to keep you in line with current regulatory compliance. It's also a good idea to perform mock audits regularly.
- Keep your vendor list current and updated. You should be reviewing your vendor list at least twice a year. Develop and document your company's vendor list creation and ongoing monitoring and vendor maintenance processes so that everyone is on the same page.
- Have solid due diligence practices. As you know, proper vendor due diligence is a huge part of third party risk management. Would you want to do business with a vendor whose system crashes and doesn't have a business continuity or disaster recovery plan in place? It's best to conduct thorough due diligence before going into business with a vendor in order to avoid issues that could put you and your clients at risk.
- Keep your risk assessments up to date and well-written. In light of the many data breaches in 2017, does your risk assessment include looking for cyber and information security measures? Stay up to date on the latest risk management issues so that you can adjust your risk assessment procedures to make sure you cover all the bases.
- Involve senior management and your board regularly. Your board needs a high-level synopsis of your activities. A good way to keep them informed is to put together a monthly report for them that includes any monthly metrics they might want, total number of third parties, total number of third parties sorted by risk rating, due diligence completed and in process, ongoing monitoring activities and contract management items that need attention.
- Work closely with the lines of business. Make sure they understand their role in effective vendor management. A good working relationship really helps to ensure they “have your back” when needed and are also more likely to notify you when problems occur, before they reach a crisis.
- Stay abreast of ongoing monitoring and contract deadlines. The regulators expect that you have an oversight program in place that includes monitoring of your third parties. Make sure to continuously monitor vendors' quality of service, risk management practices, financial condition and applicable controls and reports - and contracts, too!
- Create and test your cybersecurity and business continuity plans. Do you know what measures you should have in place in the event of a breach? The FFIEC Cybersecurity Assessment Tool and IT Examination Handbook are good places to start.
That’s it – 10 vendor management best practices and tasks that will keep you in good shape throughout 2018. Happy New Year everyone!
To learn more best practices of good vendor managers, download our infographic.