Reporting to senior management and/or the board is not just a best practice; it’s actually a requirement of regulatory guidance. Review guidance like OCC Bulletin 2013-29 or FDIC FIL-44-2008 to learn more.
So, what should you prepare in terms of a report?
Frequency & Format of Your Vendor Reporting
Typically, reports should be provided on a regularly scheduled basis – perhaps monthly to your risk or compliance committee and quarterly to your audit committee or board. Make sure this is all recorded in the meeting minutes!
The typical report is an easy-to-follow PowerPoint or Word narrative. I recommend you dedicate a page of the report to each of the fundamental activities and, in particular, highlight any significant matters involving your critical or high-risk third parties.
Types of Information to Include in Vendor Reporting
The report might start out with a cover page on your total inventory of actively managed third parties, followed by these 7 pages:
- A page on the overall inventory of third party vendors
- A page on the overall status of assessing risk (e.g., perhaps a pie chart showing how many critical and non-critical or high, medium and low third party vendors)
- A page on due diligence (e.g., how many documents, upcoming due diligence and any overdue or missing items)
- A page detailing the ongoing monitoring activities (e.g., what your team is doing to meet this critical expectation)
- A page on contracts (e.g., upcoming renewals or terminations, any notable problems with critical or high risk third party vendors)
- A page on any major changes with high-risk and/or critical third party vendors
- A calendar showing upcoming updates to various committees, which helps demonstrate that management is being kept adequately informed on an ongoing basis
As the shampoo bottle says, repeat as needed. This also goes for your vendor risk management reporting.