Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder.
Vendor management is a complex job. There's plenty of prescriptive guidance out there, but what do the best vendor managers do to ensure the job is done well?
Let's go through 10 best practices:
- Write a complete set of policies, programs and procedures - and get outside help to review it. With this, make sure it is thorough. Scatter references to specific guidance through every document and incorporate feedback from your auditors.
- Carefully define your scope - you can’t possibly cover every single provider. Define both who is in scope and, equally important, who is not. And, document why the scope is focused on certain third parties but not others.
- Don't forget to stay abreast of changing regulations and commit them to policy - set up to receive alerts from your regulatory body when new guidance is issued. Then when the guidance comes out, study it - do the research to see what others are saying about it until you thoroughly understand it.
- Subscribe to law firm and CPA firm newsletters that specialize in compliance issues - they're an excellent source of analysis and commentary. And, read articles from other industry experts via blogs or other sources.
- There is an old adage - If it isn’t written down, it didn’t happen. Be prompt and be thorough in your documentation. Never assume your senior management team or auditors know what you’re thinking. Be responsive to good ideas and to constructive criticism.
- Keep senior management and your board informed and engaged - set up a standard set of reports, but supplement with newsworthy material when needed. Brief them on what they need to know and what is changing. Ownership of risk flows uphill and surprises are not received well.
- Determine customized ways of doing ongoing monitoring - tailor the method to match the type of service provided and always think of it from the customer experience point of view - where are the potential pain points or areas of confusion? Service level reporting, transaction testing and mystery shopping are easy ways to employ sound oversight practices.
- Learn from each examination - internal, external and regulatory. Recommendations and criticisms should be thoroughly discussed and put into actionable forms. Where needed, update your materials and make absolutely certain what is described is put into actual practice.
- It's always a good idea, even though there may be some expense involved, to attend conferences and webinars to learn best demonstrated practices and new ideas - small investments go a long way. Find peers that are willing to share their ideas, challenges and solutions. After all, education is the key to maturing your vendor management program.
- Take pride in your work - don’t just ‘check a box’. Doing vendor management the right way is not easy but done well, it is a real competitive advantage.
A robust program protects your financial institution from unnecessary (and potentially embarrassing) risk. Opportunities to compare and contrast providers usually lead to positive and forward change.
So there you go, you now know 10 best practices to make you a really good vendor manager. Again, they are: have a complete set of policies, programs and procedures; carefully define scope; ask for input; stay on top of regulation changes; write everything down; keep senior management and board updated; customize ongoing monitoring; learn from exams; educate yourself and don't just check the box.
I'm Branan Cooper and thank you for watching! If you haven’t already, subscribe to the Third Party Thursday series.