10 Steps to Creating Your Vendor List for your Third-Party Risk Program
Learn how to create your vendor list in this short video.
We're going to talk through the 10 main steps you need to take in creating your vendor list for your third-party risk management program.
Welcome to this week’s Third Party Thursday! My name is Kelly Vick and I am the President here at Venminder.
Today we’re going to talk through the 10 main steps you need to take in creating your vendor list for your third party risk management program. So let’s get started.
- The first thing you need to do is establish a threshold for vendors to be reviewed. This can easily be done by setting a targeted spend amount. Something like all payments made to a service provider over $50,000 on a quarterly basis, or a monthly basis. Just some amount and timing that is appropriate for your organization.
- Second, ask your Accounts Payable department for a report detailing all expenditures over your chosen threshold amount. Be sure they include the name of the service provider, the frequency and the amount of spend in that report.
- Third, after you have received this list from Accounts Payable, you will need to review it, of course. This is also a good time to involve the lines of business in this review to be certain you haven’t missed any vendors and to remind them they need to bring new service providers to your attention – it’s easy for the business managers to forget that!
- On to number Four . . . Now you will need to determine which items should be removed. Certain expenses that are not forward-looking, recurring expenses might need to be excluded. For example – maybe there is a discontinued service provider or an expense that is so incidental the vendor does not need to be included. There could be any number of valid reasons for excluding vendors in this process. The most important thing is to thoroughly evaluate the entire list.
- Five, and somewhat an extension of four . . . See if the list includes certain exclusions mandated by your board or audit committee. An example could be a consultant that was hired to do a board-level recommendation.
- Six . . . Now it’s time for your senior management team to conduct a detailed review of the list to determine which service providers will continue to be used. As importantly, they need to identify any vendors that may be on the horizon and, therefore, not on the list today, and any on the list today that they may be planning to terminate.
- Seven . . . By now, you’ve likely pared down the original Accounts Payable list by about two thirds or more. What you have left is a list of vendors who need to be actively managed from a risk standpoint.
- Eight . . . Congratulations, your list is now finalized. You should present it to your senior management or risk committee for approval and then ensure these service providers/vendors are included in the ongoing work by your third party risk management team.
But wait . . . you aren’t done yet!
- Nine . . . Compare your list to the scope in your third party risk management policy statement to make sure that both your list and the scope are still accurate. You may need to adjust the scope and, if so, you will want to get it approved by the board.
- And finally . . . we reach number 10. We recommend that you repeat this entire process at least twice a year.
And those were the 10 main steps you need to take to create your vendor list for your third party risk management program.
Again, I’m Kelly and I thank you for watching! If you haven’t already, we welcome you to subscribe to our Third Party Thursday series.