Vendor management reporting to the board and/or senior management isn’t only a best practice used to inform and drive action; it’s also a regulatory requirement. Guidance such as OCC Bulletin 2013-29 and FDIC FIL-44-2008 outlines these reporting responsibilities.
After you’ve gathered your vendor information, how should you prepare it for reporting? Let’s review some key components of reporting, including frequency and what to include.

Frequency & Format of Your Vendor Reporting
The exact frequency of your reporting will depend on the details you’re providing and the audience, but keep in mind that you should report on a regularly scheduled, recurring basis. Quarterly reporting may be appropriate for your audit committee or board, while monthly or more frequent reporting might be performed for your risk or compliance committee. Always make sure to note this frequency in your minutes.
Consider creating your report in an easy-to-follow PowerPoint or Word format, with each page dedicated to a fundamental activity. Any significant matters involving critical or high-risk third parties should also be highlighted.

Types of Information to Include in Vendor Reporting
To create your report, begin with a cover page or title slide with your company information. Next, include pages covering the following:
- Overall inventory of third-party vendors (e.g., total number of actively managed vendors, percentages of critical vs. non-critical, etc.)
- An overview of any new or changing regulatory requirements requiring changes in your governance documents, processes or procedures
- Summarized due diligence and vendor selection information such as current and ongoing vendor selection processes and where each is in the process
- Information regarding risk assessments like the total number of third parties that have risk assessments in progress, total number of risk assessments completed since your last meeting, etc.
- Any vendor risk issues such as significant vendor changes, issues the board should be aware of, concerns with the contract and other pertinent information
- A reporting timeline that shares the schedule of the reports and meetings you’re currently delivering to your business lines or vendor owners, senior management team and any committee that should receive regular reporting
- Industry highlights related to third-party risk management (e.g., big news headlines)
End the report with a closing to wrap up. Be sure to provide your contact information in case anyone has questions.
Repeat vendor risk management reporting as needed to ensure your organization’s leaders stay well informed of emerging risks and activities. Accurate, easily digestible, timely and accessible reporting will provide them with the information needed to make strategic decisions and improvements that will propel your organization to success.