Welcome to today’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder. Today we are going to talk a little bit about third party risk exam preparation.
The best strategy for preparing for an examination is to constantly be ready – that means preparing well ahead of time and keeping everything up to date. Ideally, this means that several months before any potential exam, you’re already preparing as though it’s about to happen, and then staying at that level of readiness.
So, what items should you have in your examination preparation playbook? Let’s take a look:
- A thoroughly documented set of policies and procedures describing your third party risk management program in detail. These documents should be board-approved, should accurately outline the actual work product, and should cite relevant regulatory guidance or consumer protection laws. Be sure they are updated regularly when guidance changes or when particular situations warrant. Stick to a schedule of having them reviewed and approved annually.
- A complete inventory of all your institution’s third parties, including robust due diligence, well-written risk assessments and records of ongoing monitoring activities. This should also be accompanied by a process for identifying new third parties prior to a contract being executed, and by a defined scope of which third parties need to be actively managed.
- A risk-based approach to due diligence, complete with all of the relevant documentation. At a minimum, for your critical third parties, you should have up-to-date financials (with corresponding analysis), SSAE 18 reports with accompanying controls, a robust business continuity plan detailing the roles of the third party and the institution, complete information security analysis to safeguard your customers’ data, foundational documents (such as articles of incorporation, secretary of state check, insurance certificates, and any required licensing) and an accurate and actionable exit strategy.
- A complete set of risk assessments on your third parties demonstrating that you have carefully considered all of the potential risks associated with doing business with this particular third party and how those risks are addressed by your institution. Ideally, the description of these risks corresponds with your institution’s enterprise risk management strategy outlining the company’s appetite for risk.
- Ongoing monitoring activities appropriate to control the risks identified in the assessment – these could range from transaction testing, to social media and negative news searches, to call center listening, to mystery shopping. These should be tailored to the type of activities the third party is providing. If there are items (e.g., reporting, audit records) you need the third party to provide, be sure they are spelled out in the contract.
- A system and process for managing contracts to ensure they are well tracked (failing to recognize expiration dates and termination notification periods is a common pitfall) and contain all of the required provisions to protect all parties involved in the business relationship.
- Evidence of regular reporting to senior management and your board of directors, in the form of the actual presentation and evidenced in minutes. Ideally, this reporting will touch on each of the activities listed above.
Hopefully, you’ve got all of these items in order – but if not, now’s the time to prepare. If you wait until the countdown to the opening of the exam is on, you’re going to be doing too little, too late. We’ve got lots of helpful content on our website and in our weekly information series, and we’re always here to help.
Again, I’m Branan and thank you for watching! Don’t forget to subscribe to the Third Party Thursday series.