Alternatives in Third-Party Risk Management

As you may already know, I’m a cyclist. So, typically, I log a few miles every morning before work, amuse the neighbors by posting pictures of my ride on Facebook and generally enjoy rolling along with little traffic.  

But what happens if my daughter oversleeps and misses her school bus? The day’s routine is now changed because I have to drive her to school. To get the bike ride in for the day, it's time to think of alternatives. So, I move around a few things on my “to do” list and get out for a half hour at lunch. Same goes for third-party risk management.

Third-Party Risk Management Alternatives

In doing due diligence, you need to take much of the same approach – be organized and be disciplined about your routine and your cadence of activities. You need to prove your work. So instead of, say, Facebook pictures, do it through analysis and documentation. There are times you will need to change your plans, particularly if a third party won’t provide something. 

Examples of This 

Issue: They won’t let you review results of a recent audit.
Alternative: If you’re a bank or credit union, you may be able to get it through your regulator’s office. 

Issue: They won’t release the results of their business continuity test.
Alternative: Set up a discussion and interview the appropriate managers involved. 

Issue: They won't share their financials. 
Alternative: Discuss with your CFO and potentially host a conversation with their financial team. Perhaps even consider accepting an accountant's statement. 

Issue: They won't discuss their policies and procedures over the phone.
Alternative: Consider a site visit and tour. You may learn things well beyond just policies and procedures. 

Getting creative and being open to alternatives can help address concerns, prevent gaps and allow for robust documentation. Now let’s hit the road! 

Learn more about vendor document collection. Download our free infographic.