Your plate is full. Your third-party risk management team is falling behind and struggling to keep up with the volume of work, now more than ever, given the regulatory emphasis on ongoing monitoring and a lifecycle approach to vendor risk management.
Vendor Due Diligence and Ongoing Monitoring Tend to Tip Over First
Typically, it's the due diligence or the ongoing monitoring function that reaches maximum capacity first, since those functions are inherently time sensitive, driven by dates and volume, and dependent on precision and discipline. Get ahead of this by keeping tabs on your team's workloads, which will give you a good indication of trouble well before the situation becomes demoralizing or discouraging. A well-timed and professional approach to your senior management can make all the difference.
Scaling Your Vendor Risk Management Program: When Is the Time Right?
There are usually some good early warning signs when it's time to scale your program. Here are three that are red flags:
- Everyone on the team is juggling responsibilities constantly
- People begin to skip meetings – maybe even lunches
- Deadlines are very close or even missed
Something has got to give. There are several initial steps you can take to scale.
5 Next Steps to Scale Your Vendor Risk Management Program
You’re ready to scale. Here are your five next steps for your vendor risk management program:
- Look for ways of creating efficiencies in your program. Can people cross-train to pick up a colleague's work? Can arbitrary deadlines be reset?
- Consider incentives (e.g., offering overtime to the hourly staff).
- Determine if you need to outsource some activities. You may need to consider outsourcing those activities that require true expertise, such as SOC analysis, business continuity plan reviews or cybersecurity analysis.
- Understand where the focus is. If you're engaging in a new line of business, verify the correct people are involved and understand it.
- Grow your team as needed. If you've reached your limit on all of these ideas, it's time to work with senior management and the board to grow the team.
As a tip, when considering adding to your team, whether you do that internally or by outsourcing to third-party experts outside the organization, make sure you hire the best qualified candidate. Ideally, this will be someone with experience in the specific area you need. I always recommend starting with LinkedIn and the various risk management forums on that social media platform to recruit qualified candidates.
Third-party risk management is a team effort. While most organizations are devoting less than five full-time employees to the function, according to Venminder's Annual State of Third-Party Risk Management survey, the number of employees needed to perform vendor management well will continue to grow as regulatory expectations increase.