.gif?width=1920&name=Sample-Graphic-Animation%20(1).gif)
video
How to Write a Third-Party Program
What you need to know to write your third-party program.
A program is one of your third-party risk management foundational documents. We'll go through what you need to know about writing one up.
You may also be interested in:
Infographic: The Vendor Management Umbrella
Sample: Policy
Video Transcript
Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder.
As you may recall from last week’s Third Party Thursday video, we talked a bit about some of the foundational documents that provide direction to your third party risk management efforts. Last week, we discussed the policy. This week, we’re going to discuss the program.
Expand On Policy
Using the Policy, as a foundation, the program should expand on all of the concepts in the Policy – I highly recommend starting with an outline that nearly mirrors your relevant guidance in terms of sections – I like to think of it as talking to the regulators in their language.
It should cite relevant regulations and guidance; it should describe its relationship to other parts of your compliance program and establish its importance as a foundational document for your institution.
It should be strong enough to support all of the lines of business, yet with a bit of flexibility to allow for the addition of new third parties or new products. Senior management and the board should be fairly familiar with it and with the concepts generally and certainly approve it annually.
You will probably want to involve subject matter expertise, internal audit, legal counsel and even independent experts to help craft it. Be very sure to define not only what vendors you are including but which ones you may not want to actively manage as well.
Touch On Core Practices
It should touch on each of the practices employed in third party risk management:
- Risk assessment
- Due diligence
- Ongoing monitoring
- Contract negotiation
- Key terms
- Even the type of reporting you’ll be providing to your institution’s leadership team
Format
The actual document is probably 20-30 pages long and often contains supplementary working materials, such as appendices, org charts, related program materials.
Again, just like the policy, if there is significant new guidance or a particular area of concern, you need to make sure to update the document and have it re-approved.
Again, let me stress that your various lines of business must be prepared to support the program – if they are not involving you in bringing on new vendors and following the right process, you’ve always got an exposure point, a real vulnerability.
You should make sure it clearly delineates what relationship it has to other regulations that may be in play, for example, if your due diligence is going to help to cover certain aspects of your requirements in Anti Money Laundering or if your ongoing monitoring is going to help detect issues related perhaps to truth in savings disclosures.
It’s quite a bit of writing and research but will really help your institution and your customers and ensure that they are all protected from a third party standpoint.
Again, I’m Branan and thank you for watching! Don’t forget to subscribe to the Third Party Thursday series.
Subscribe to our Third Party Thursday Newsletter
Receive weekly third-party risk management news, resources, and more to your inbox.
Ready to Get Started?
Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.