Learn about the three essential steps of keeping your vendor list and your vendor risk management processes current.
Welcome to this week’s Third Party Thursday! My name is Dana Bowers and I am the CEO/Founder & Board Member here at Venminder. In this video, we’re going to cover the process of keeping your vendor list and your vendor management documents current.
Typically, every institution has a defined way of determining who their vendors are and separating the ones that need to be actively managed from those that are not significant from a risk standpoint.
In a best practice scenario, this likely means following a well-documented program and working closely with both accounts payable and the lines of business to keep your list up to date and accurate. But even if you're not there, you can certainly do much of this through some other steps.
1. First, you should establish, with the assistance of your institution’s compliance or legal function, a requirement that all new potential vendors follow the documented process in your vendor management program.
One of the main reasons you should do this is to be prepared to report any deviations from the process to the appropriate senior management team. They must stay actively involved!
Obviously, not all vendors must go through the full risk assessment and due diligence process, as some will be determined to be one-time use or materially insignificant, such as the office supply provider or a one-time-use consultant. Those that are readily apparent should not be added to the actively managed vendor list, but it's always a good idea to check and make sure that your program and policy documents clearly spell out who is included or not.
2. Then, at least twice a year, review the entire list through accounts payable and involve senior management in the determination of who may be in and who may be out of scope.
3. Finally, at least annually, present the vendor management policy and program to the board for renewal and, if new regulatory guidance has been issued, update and present for approval.
In advance of a vendor coming up for renewal, follow the same process as a new vendor, except bring in any sort of experience-based information that may result in either a non-renewal or a need to change relevant terms, such as required reporting or contractual provisions. Ideally, this is done at least a full quarter prior to the timeframe required for notification of non-renewal.
To recap: Keeping your documentation up to date and accurate can be time-consuming, but if you're disciplined about it, it's actually a relatively easy way to make huge strides in your third party risk management process.
Again, my name is Dana Bowers and thank you for watching! If you haven’t already, subscribe to the Third Party Thursday series.