Reporting to senior management and/or the board is not just a good practice; it’s actually a requirement of regulatory guidance. So, what should you prepare in terms of a report?
Frequency & Format
Typically, reports should be delivered on a regularly scheduled, recurring basis – perhaps monthly to your risk or compliance committee (and make sure it’s captured in the minutes!!!) and quarterly to your audit committee or board.
The typical report is an easy-to-follow PowerPoint or Word narrative. A best practice is to dedicate a page of the report to each of the fundamental activities, and particularly to highlight any significant matters involving your critical or high-risk third parties.
Information to Include
The report might start out with a cover page on your total inventory of actively managed third parties, followed by:
- A page on the overall status of assessing risk (perhaps a pie chart showing how many critical and non-critical or high/medium/low third parties you have)
- A page on due diligence (how many, upcoming, any overdue or missing items)
- A page detailing the ongoing monitoring activities
- A page on contracts (upcoming renewals or terminations, any notable problems with critical or high-risk third parties)
- A page showing upcoming updates to various committees, helping to demonstrate that management is kept adequately informed on an ongoing basis
As the shampoo bottle says, repeat as needed.
And, make sure you save copies of prior reports so it’s easy to demonstrate that you’ve done reporting on a regular basis.