The best strategy for preparing for an examination is vigilance. Vigilance in the third-party risk world means you’re always prepared and ready to answer any auditor's or examiner’s document request well ahead of time. By keeping everything up to date, you avoid the crush to meet your examiner’s deadlines.
Often, particularly at smaller organizations, keeping everything refreshed can be very difficult (and sometimes downright impossible) since third-party risk activities are often combined with the many other duties of the compliance officer. Let’s get very practical about what to expect, what to do and when.
Pre-Exam Preparations to Consider
First off, make no mistake, examinations involve a great deal of prep work. You should schedule meetings with the various lines of business, your compliance team, your internal audit team and senior management. Senior management may even want you to prep your board on what to expect.
Take the time to assemble a thorough set of documentation so you're able to quickly and easily find any item your examiners request. This requires a highly organized approach, and one that is best put together well in advance. The bad news is that virtually every exam today has a vendor risk management component. The good news is that your prep work will pay off when you're on top of your program and have all your documentation in one place – especially if you keep it in a vendor management platform.
Pro-tip: While we're all eager to impress examiners or hope to get things over with quickly, don't share items until asked. Once an item is requested, review it thoroughly before you send it – a second set of eyes helps – and then supply it promptly. Then take your time walking through the documents with your examiner. (Remember, examiners cannot read your mind!)
Exam Materials You Need for “Game Day”
Anticipate what you know examiners are going to ask you for by reviewing the last examiner’s document request, follow-up request and final report. Based on your organization’s prior exams, you should be able to determine the most important highlights the examiners will want to touch upon. Keep in mind, it’s never too early to get these items prepared.
Your preparation should include:
1. Anything noted in the examiner's document request list. Start with the examiner's document request list and flag every item that explicitly or implicitly involves third-party risk management.
2. A copy of your vendor management policy, program, and any other associated governance documents. Be absolutely certain your third-party risk management governance documents are current and have been board-approved within the last year.
3. A flowchart. This should show the processes and procedures your organization uses for vendor vetting, vendor onboarding, ongoing monitoring and your risk assessment process.
4. A complete inventory of your third parties. This list should be accurate, recent and tiered by level of risk. It's a good time to go back and make sure the scope statement in your program document matches who is actually on your vendor list.
5. Sample files for your critical/high-risk third parties. Assemble samples of work product for your highest-risk vendors, including the risk analysis, the completed risk assessments and evidence of ongoing monitoring. Start with your core systems vendors. This is a critical component of third-party risk management that is often overlooked and should never be!
6. Evidence of adequate review and timely tracking of important documents. Document the processes and procedures your organization uses to track workflow in your vendor risk management program, so you can show that key items were reviewed and followed up on schedule.
7. Evidence of reporting. Keep handy copies of the reporting supplied to both senior management and the board, as well as the minutes of the meetings where it was presented, reflecting the reporting and the discussion.
8. Educational materials. Include any education or training your team has undergone and any training you’ve developed for your lines of business, senior management and the board.
9. Regulatory guidance. Review your regulatory guidance – not just your prudential regulator's, but also the FFIEC IT Examination Handbook – because it is the play-by-play of what the examiner may reasonably ask for or expect to see.
10. A point person. Decide beforehand who the point person for the overall exam will be, and who will represent each section of the exam. It's the point person's responsibility to set up meetings with your personnel whenever the examiner makes an ad hoc request.
Yes, exams can be stressful. However, preparation is the key to success. Don’t be afraid to meet with the examiners to clarify any questions or even educate them, if needed, on ways in which your practices may have changed or may be different from what they are accustomed to reviewing.
It's always better to clarify items ahead of time than to scramble when the draft report is issued. In other words, don't just dump all of the documentation on the examiner!
Now that you know how to prep for a vendor management exam, make sure you also know what steps to take afterwards.