Creating Awareness of Third-Party Risk Management Within Your Organization
Creating third-party risk awareness is important.
Listen to learn tips for fostering a third party risk management mindset within your team and organization. Our CRO tells you how to create third-party risk awareness, important members of your company to involve and who the third party risk responsibility lies within every organization.
Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder.
Today we’re going to talk about creating awareness of third-party risk management program within your organization. It’s a topic that I’ve been asked about several times, particularly at mid-sized companies where there are so many competing priorities.
I know that after an enforcement action, it’s easy to have the undivided attention – perhaps in a negative way – on third-party risk management if that was a contributing factor to the enforcement action. However, the better approach, of course, is to have a much more proactive stance on third party risk so you’re not doomed to reach that point.
So, how do you create this type of awareness? Well, I honestly believe the regulators understand that challenge well and is one of the reasons that the OCC and the FDIC, in particular, have emphasized the need for board and senior management involvement.
If we’ve learned anything from some of the major enforcement actions recently, it’s the need to have a culture of compliance. You need to have a tone from the top so that everyone understands that each and every employee has a role in creating and maintaining the culture. In third-party risk management, that means that everyone who has even the casual involvement with an outsourced service provider knows their responsibilities to support third-party risk – they should know where, when and how they need to be involved, they should understand when to engage compliance or third-party risk, and they should know where the handoffs occur.
Beyond the tone from the top, I believe it’s easy to reinforce through a steady stream of communications from third party risk, so that it’s not a once a year audit or vendor due diligence exercise but an ongoing understanding of the dialog that needs to take place. Whether it’s hosting lunchtime education sessions, informal discussions, fun quizzes and contests, there are a variety of ways to keep third-party risk in everyone’s daily thought processes.
If you make it interesting and fun, the average employee is much more likely to engage – if they see it as a burden to their job, then you’ll never get their buy-in. If you work in an environment of open dialog and trust, it makes it much easier. And if you periodically say “thank you” or recognize a job well done or simply ask what you can do to make it easier, you’ll have the game won.
Third-party risk management belongs to nearly everyone, just like compliance. Your board can help, certainly, but the more you make it a meaningful and interesting discussion, the better off you will be.
Again, I’m Branan and thanks for tuning in to this week’s third party Thursday. If you haven’t already done so, please subscribe to our series.
Subscribe to our Third Party Thursday Newsletter
Receive weekly third-party risk management news, resources, and more to your inbox.