14 Key Components of an Effective Vendor Risk Management Program

I’m often asked to discuss what comprises an effective vendor management program. While there are numerous things to consider, below I've listed 14 of the most important elements.

14 Key Components of an Effective Vendor Risk Management Program

1. Ensure the entire vendor management system is described in detail in a set of policy and program documents.
2. Develop a rigor around the processes to drive consistency and an easy to follow set of procedures. This way management is more likely to embrace the procedures and not work around the process.
3. Establish a clear line of communication to senior management and the board; the regulatory guidance mandates this. Review OCC Bulletin 2013-29 for more information.
4. Obtain adequate staffing and budget to support the size and complexity of your vendor management processes.
5. Utilize subject matter experts from around your organization or even outside your organization when needed – an expert independent review can provide an additional perspective.
6. Provide regular reporting to your management team, particularly as risk issues arise.
7. Hold managers accountable for their actions in communicating vendor management requests to your third parties.
8. Ensure, and test, adequate coverage of each pillar of vendor risk management. Everything in the vendor management lifecycle should get equal and periodic attention. This begins with planning and continues until contract termination.
9. Along with rigor, there will always need to be some level of flexibility for things like emerging technologies, start-up vendors or the exceptions to the process. Document these well so it doesn’t appear inconsistent.
10. As regulations change or situations arise, update your documentation accordingly and always involve subject matter experts from around the organization.
11. Consider the best model vendor management framework for your institution – centralized, decentralized or hybrid – but ensure there is consistency in form and practice. This is particularly important from a due diligence and contract perspective.
12. Don’t overlook the importance of ongoing monitoring or consumer complaints. Ongoing monitoring can protect your organization from unwanted risk while consumer complaint monitoring can really protect the organization’s reputation risk.
13. Periodically test the work product as part of your regular audit schedule. Verify the work product matches your policy and program guidelines.
14. Invite and encourage feedback from your management team and vendors as to what is going well and what can be improved.

Vendor management is both a science and an art. Doing these steps well will help you create a masterpiece of a program.