One of the most difficult parts of third party risk management - or perhaps the most anxiety-laden – is the idea of being exam ready at all times. To do so, one needs to figure out what the examiners might reasonably expect to see.
3 Main Examiner Expectations
Here are 3 main examiner expectations:
- All Documents are Current – The examiner will want to see that all your documents are current and easy to find. For example, if your policy is to be reviewed by the board on an annual basis, make sure you've got clear evidence (i.e., a footnote saying "board approved 4/2018" and meeting minutes to support it) that it's been done in the past 12 months. I know that sounds like a no-brainer, but board meetings are always action packed and things could slide inadvertently.
- Correct and Updated Guidance Citations – The examiner will check to see that you take regulatory guidance into account throughout your vendor risk management program. It's always worth double checking to make sure you haven't missed a critical piece of information in guidance. There's a lot out there, so taking the extra time is important.
- Understanding the Scope of the Exam – The examiner will assume you understand what they are there for and need. If the examination is coming up and you've received the initial notification letter or request for information, be certain you understand the scope and have a firm grasp of what items they are expecting. It's worth bouncing it off someone else in your organization – perhaps the compliance officer or legal counsel – just to make sure you're on the same page. If there's any doubt, even the least little bit, circle back with the examiner and ask for clarification.
7 Tips Once the Examiner Is Onsite
Once the examiner is onsite, here are some tips to follow:
- Establish a good working relationship with the examiner as the examination unfurls.
- Educate them on how your processes work and what you're trying to accomplish – that's particularly important if things have changed since the last exam.
- Have documentation that clearly demonstrates that your work product matches what is outlined in your policy and program documents – believe me, I've been guilty of having work product that is all well and good, but drastically different than what I'd carefully laid out in the program documentation and that's a huge "no, no”. Keep the documentation and the work product in sync.
- Make sure you have evidence, particularly if there are gaps. For example, if you’re missing due diligence items, show proof of the attempts to gather information. Even routine emails can clearly show your efforts to collect the necessary due diligence or minutes from risk committee meetings where you've updated senior management on your progress.
- Carefully relay information to other departments on how the examination is going and clearly communicate your expectations or needs in terms of their level of involvement.
- Assure the examiners that you'll get them the information they need in a timely manner and then deliver on it.
- As issues arise, deal with them in an organized manner and set clear expectations around timeframes for follow up and even remediation, if needed.
After the You Receive Exam Results
Once you have your examination results, the examiner expects you to thoroughly review and implement any necessary changes. This feedback is critical and should not be taken lightly. Exam time can be stressful but with a little preparation and a lot of documentation, you'll be ready to handle it.