During our recent three-day Third Party Risk Management Bootcamp, we had a lot of GREAT questions come in. It was quite impossible to get to them all during the live sessions, so we have worked with our speakers to compile the answers. Below you will find answers to questions posed during Day 3 - Session 1: Writing Effective Third Party Risk Management Policy and Program Documents.
Day 3 - Session 1
Writing Effective Third Party Risk Management Policy and Program Documents
Branan Cooper, Chief Risk Officer, Venminder
This session was led by Branan Cooper of Venminder, who went through the key items you need to know when creating policy and program documents. He has kindly provided answers to the following questions.
Q1: Is the third party risk policy required to be board approved?
Answer: “Yes, it is.”
Q2: Approximately how many pages should a Program doc be?
Answer: “Varies by institution and complexity but as a general average, probably 25-30.”
Q3: As part of ongoing monitoring, should we be expected to review relevant Policy & Procedures of the vendor, similar to the initial due diligence?
Answer: “Yes, particularly if they’re a critical vendor or one relying heavily on the use of subservice providers.”
Q4: In your experience, is it right for the Program, which is written by the Legal or Compliance teams, to make it mandatory that "business units create their procedures" for vendor management? Vendor Management is a multi-department approach in our case.
Answer: “No – I strongly prefer there is a centralized approach, as discussed in the session.”
Q5: Is the procedures guide referenced in the policy doc?
Answer: “Yes, absolutely.”
Q6: What are reasonable/generally accepted reasons for excluding vendors like utility companies? Stating in the Program that they're excluded because they’re uncooperative with the due diligence process would probably not be viewed favorably by an examiner?
Answer: “I understand your concern but pose the obvious question – if you can’t get the information required for due diligence, or do adequate monitoring and won’t get them to budge on contract provisions you’d like, are you really doing your third party procedures anyhow? I’ve seen both models, but it then sticks out like a sore thumb when you’re constantly having to get an exception for them and also explain to the auditors why you “failed” to get it… I recommend crafting strong wording in the exclusion – I’ve had questions but never had it become an issue. They absolutely should still be addressed by having appropriate business continuity planning, perhaps even an immediate failover provider.”