Board Oversight in Third-Party Risk Management and Regulatory Exams

Podcast Transcript

Hi – this is Ramin with Venminder.  

In this podcast, you’ll learn all about your board of directors’ responsibilities and obligations when it comes to third-party risk management and regulatory exams.  

At Venminder, we offer the expertise of qualified third-party risk management professionals that assist organizations in understanding regulatory guidance and achieving compliance in their third-party risk management programs. 

You may already know that your board of directors is responsible for high-level corporate activities and performance oversight, but did you know they also play an important role in third-party risk management? This is especially true when it comes to regulatory exams. 

Keep in mind that regulatory examiners expect your board will ensure the following:

• First, that third-party relationships are consistent with your organization’s strategic goals and risk appetite and also in compliance with all laws and regulations.
• Second, that management has taken appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified. 
• And third, that there is appropriate periodic reporting on the organization's third-party relationships.
  
  This includes the result of things such as:
  
  • Management's planning 
  • Due diligence that is performed on vendors  
  • Contract negotiations  
  • And any ongoing monitoring activities performed on those vendors and third parties  

Typically, after a regulatory examination, management and the board of directors are informed of the results, but third-party risk management professionals should go a step beyond that. The board should receive appropriate reporting and information consistently. That is not limited to just audits or regulatory examinations.

By regularly reporting to the board, material third-party risk management issues can be addressed quickly. That can prevent them from being a finding in a regulatory exam after the fact.

So, what kind of reporting should third-party risk management professionals provide to management and the board? Here are four tips to help you out:

1. First, for starters, the board should be provided with a regular list of all critical relationships with your third parties and vendors. This includes:
    
   • The vendor’s product or service provided
   • Who owns the vendor relationship
   • The results of due diligence performed on the vendor or third-party  
   • And risk performance monitoring of that critical third party or vendor 
     
     
   It’s also important to list the current status of the contract with the vendor or third-party and when it will be up for review or renewal within your organization.
   
   
2. A second tip in addition to that first one is that you should also provide a report detailing internal compliance with the third-party risk management policy. You should also note if there have been any exceptions or issues that need to be reported on. 
   
   
3. A third tip is that the board should also receive a report on any material third-party issues that you’ve identified. Do not limit this to just critical relationships you are monitoring and performing due diligence activities on. Any third-party issue can impact your organization's compliance, finances, risk profile, and reputation. It can also negatively impact your customers. Those should be reported to your board as well.  
   
   
4. And the fourth and final tip is that your organization should provide all these reports at least on a quarterly basis or a quarterly cadence or more frequently if your management and board decides to provide them on a monthly or more regular basis.  

After all this, you may be wondering what to tell the board if there are findings or issues in your regulatory exam or audit.

If there is a finding or issue in your regulatory exam or audit, the board will need reporting on the following:

• First, the progress of specific issue mitigation 
• Second, next steps 
• Third, who is in charge of this and who has ownership over these next steps
• And finally, the time frame for completion 

Keep in mind that a regulatory examiner will expect that these reports are given to the board as well. The board should then take action and hold management accountable for issue remediation. It’s also important to note that at least once a year, the board should receive a more comprehensive report and review detailing the state of third-party risk management program within your organization.

Scheduling your annual third-party program review at the same time you ask your board to review and approve your third-party risk management policy is a great way to ensure your board has the in-depth information they require to ensure they’re meeting regulatory expectations.

In conclusion and summary, your board has the ultimate accountability for your organization’s third-party risk management program. They depend on relevant and timely reporting to inform their actions and decisions. This is especially the case when it comes to regulatory exams and audits. Be sure to provide your board with appropriate information and reporting so that they can stay in the know, provide adequate oversight, and ensure regulatory compliance. Thank you for joining Venminder on this podcast and stay tuned for more helpful information you can use within your third-party risk management program. Take care.