9 Tips to Prepare for a Third-Party Risk Examination
Preparing for third-party risk exams isn't a walk in the park - but it can be.
Don’t panic about the notification of a third-party risk exam - we can help you be ready. Three to four months in advance of the examiner's arrival, you should prepare or fine-tune the following 9 documentation items. Listen to this vendor risk management podcast to learn more.
Hi Everyone and thank you for joining me today for our Third Party Thursday podcast. I’m Alicia Thomas, Senior Relationship Manager here at Venminder.
Today’s topic is regarding tips for preparing for a vendor management or third party risk examination. I hope you find this information to be beneficial as you prepare for your next one. These are the pointers I’ve found to be very helpful for a smooth exam.
Ideally, 3-4 months in advance of the examiner's arrival, you should prepare or fine-tune the following 9 documentation items:
- Your vendor management program and supporting documentation. Make sure the documents are board approved, that they can contain regulatory guidance citations and align with the actual work product being produced.
- Prepare an organization chart and bios of key organization members involved in third party risk management. The examiners will likely want to see their qualifications and experience.
- Pull a complete inventory of your third parties. Be prepared to include samples of the due diligence being performed, risk assessments and ongoing monitoring activities. It’s recommended to take a risk-based approach to prepare the inventory.
- Have complete critical and high risk third party samples on file.
- Be sure to have adequate reviews of reports such as SOCs, business continuity plans and financials. Make sure these due diligence documents are the most current and that the analyses are on file too.
- Have evidence that you’ve been keeping senior management and the board informed. Have copies of the reports themselves as well as minutes of the meetings on hand.
- Show that there is a process in place to alert you of key dates. Examples include upcoming contract renewal notice periods or termination dates.
- Begin preparing for any pre-examination requests or initial document requests. If the examiners gave you a pre-arrival request list, be sure you’re ready with the items you know they are going to request. It’s always a good idea to have an additional person in your institution, perhaps someone in compliance, audit or risk management review the list as well to ensure that the requests are fully understood and the items you are handing over are the correct ones to be responsive to the request. If you’re unsure, it’s always better to clarify than to hand over something hoping that it meets the needs.
- Be sure to have documentation showing how you remediated prior exam findings.
Don’t panic about the notification of the exam. As long as you and your team are doing your best to prepare the above documentation in a thorough, efficient and timely manner, you’ll be ready to go by the time the examiners arrive. In order to prepare for their arrival day, be sure you let them know you’ve received their notification and are prepared for their arrival. Also, be sure to schedule an agreed upon time of arrival and give them instructions on where to go.
Internally, make sure your organization knows what to expect and where the examiners will be. This will help to set the overall ground rules for colleagues. While it may seem like a given, still let them know it’s important to always be professional, polite and encourage that they do not have impromptu meetings alone with the examiners.
Now relax! You’ve done a lot of work and research to prepare for the exam.
I hope you found this podcast helpful. Again, I’m Alicia Thomas, Senior Relationship Manager here at Venminder. If you haven’t already done so, please subscribe to our Third Party Thursday series.