6 Things to Do Now to Your Third-Party Risk Management Program for 2019

It’s November! Where did 2018 go and why haven’t I dove back into my vendor management program? This is certainly a common conversation we have with clients here at Venminder. By taking these 6 simple steps below, we can help get you on your way and even prepared for the new year.

1. Assess Current Providers: Round out 2018 with an executive summary report of vendor assessment analysis for your board of directors. Formalize a report which closes out the prior year and sets objectives for the new year. Items to consider include any pending contractual renewal terms, overall SLA performance, revisiting the first line of defense — those dealing with the vendors daily—and asking for feedback. Upon review, consider how the service levels are during the busy holiday season and if there are any red flags.
2. Review Annual Due Diligence: Remember all those annual due diligence reviews you conducted in 2018? Now is a good time to revisit them with a fresh set of eyes. Were there any follow up items which you asked your third party service provider to address? The danger and temptation here is that you discount the providers and then don’t follow up again until the next assessment date comes due. Word of caution here is DON’T! Address these items now as chances are any finding which warranted a discussion is now a recorded fact. If you have noted in your assessment that XYZ was discovered and you have yet to document the remediation, you are likely giving your state or federal regulator ammunition – which will not bode well during an examination. 
3. Review Last Assessment Dates: If you are inheriting a legacy vendor management program, determine the assessment schedule. Perhaps a high-risk vendor is only assessed every 18 months instead of every 12 months compared to a critical vendor. In this case, perform a review and figure out who is due to run through the annual assessment process. Keep in mind, for those vendors who performed less than desired, now might be the right time to increase the oversight schedule on them to ensure that you mitigate any potential risk to your organization.
4. Revisit Your Vendor Management Policy and Program Documents: This really is a best practice. A lot can change during a year. If your primary regulator has updated any regulation or guidance, then now is a great time to do some early spring cleaning and make sure that your document aligns with current standards.
5. Conduct an Internal Audit: If you want your vendor management department to be kept honest, then nothing quite compares to being tested by an internal audit department. The experience isn’t always fun since nobody wants to be the department known for being in disarray or not following their own policy guidelines. This exercise should really be embraced since the experience of a primary regulatory audit can be a daunting time in your career. Your entire organization is under scrutiny, and fall out for a poor regulatory assessment does not always bode well. Internal audits are there to keep you honest and get you back on track.
6. Schedule, Schedule, Schedule: We saved this one for last as a critical point. Schedule the annual assessment in a timely fashion as travel, syncing of calendars and even the time it takes to digest all the vendor data takes time. Start early, finish early and allow for holiday and weather seasons not to disrupt your workload.

Year Long Effort for Third-Party Risk

Managing third party risk is a year-long exercise performed as part of the overall cradle to grave relationship with your vendor partnerships. Being organized, setting expectations and working with your lines of business to manage the main areas of risk will help you demonstrate an effective, efficient and vendor focused risk management program. 

Insight into how financial services and financial technology companies manage third party risk management Download the whitepaper to get started.