Welcome to today’s Third Party Thursday! My name is Cindy Horn and I’m the Chief Operations Officer here at Venminder. Today, let’s talk about key components of a well-managed vendor risk management program.
To comply with regulatory guidance, you need to create a program that incorporates all of the fundamental pillars of vendor risk management, including:
- Proper selection of a vendor
- Well-documented and well-orchestrated vendor risk assessments
- Vendor due diligence
- Following contractual standards
- Effective ongoing third party monitoring
- Having a sound system for contract management and reporting to senior management and the board
To do all of that, there are a number of foundational things you need to do really well to have a strong vendor management program.
- Identify who you will include in the program: which third parties are in scope and which are out. A best practice is to go to Accounts Payable and get a report of every vendor paid above a certain threshold amount. You'll probably have hundreds, perhaps even thousands, of vendors, so work with the lines of business to scale the list down.
- Once you're absolutely certain you have your list right, compare it to the policy or program documents and make sure the scope you have described matches the list, and vice versa. Be sure to think about non-traditional vendors, particularly those that might have after-hours access to your buildings. They could have access to confidential data, and there has been a huge focus on security breaches and data protection in recent months.
Remember, for example, that the Target breach was effectively started through an HVAC contractor, so it's certainly well worth treating your cleaning crew and landlord as third parties, since they have the after-hours access I was referring to. I'm certainly not implying that you need to go into every relationship thinking of them as the bad guy, but you should do your homework ahead of time.
- Make sure you have a fully documented vendor management program, a third-party policy document, and a vendor management procedures document as well. If you don't know where to start on that, please visit our website and look at our umbrella series. It is a lengthy exercise, but an incredibly important one, because you want to be certain that your program is comprehensive and broad enough to cover potential new products or new types of third parties.
Take mobile banking and cloud storage, for example. We know the regulations, which take years to develop, can't possibly keep pace with new and emerging technologies, but your program should be comprehensive enough to contemplate these types of companies as well.
Again, I’m Cindy and thank you for tuning in! Don’t forget to subscribe to the Third Party Thursday series.