While vendor management reporting to the board and/or senior management is an important best practice that drives action, it’s also a regulatory requirement. Guidance such as OCC Bulletin 2013-29, FDIC FIL-44-2008, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Sarbanes-Oxley Act (SOX) outlines these reporting responsibilities.
After you’ve gathered your vendor information, how should you prepare it for reporting? Let’s review some key components around reporting including frequency and what to include.
Frequency & Format of Your Vendor Reporting
Depending on what you are reporting and your audience, the exact frequency of your reporting may vary. For example, you might prefer a quarterly schedule for your audit committee or board, but you may find that a monthly or bi-monthly schedule better suits your risk or compliance committee. No matter the frequency, it's important to maintain a regularly recurring schedule and to record the frequency of the reporting meetings in your minutes.
When developing your reports, create a concise and easy-to-follow presentation, and use the same format each time. It’s a best practice to begin your report with an executive summary that distills the key data points into an easy-to-read narrative. Any significant matters involving critical or high-risk third parties should be highlighted. For organizations that use a third-party risk management (TPRM) dashboard, it should directly follow the executive summary. If necessary, additional charts, reports, or individual dashboards may follow the executive summary and primary dashboard.
Types of Information to Include in Vendor Reporting
To create your report, begin with a cover page or title slide with your company information. Next, you should include pages covering the following information:
- Any vendor risk issues such as significant vendor changes, issues the board should be aware of, concerns with the contract, and other pertinent information
- An overview of any new or changing regulatory requirements that require changes in your governance documents, processes, or procedures
- Industry highlights related to third-party risk management (e.g., big news headlines)
- Third-party risk management program metrics that show the health and stability of the program
- Vendor portfolio data (e.g., the total number of actively managed vendors, percentages of critical vs. non-critical, etc.)
- Summarized due diligence and vendor selection information such as current and ongoing vendor selection processes and where each is in the process
- Information regarding vendor risk assessments, including the number of critical and high-risk assessments or re-assessments that are in progress, at risk, or past due
- A reporting timeline that shares the schedule of the reports and meetings you’re currently delivering to your business lines or vendor owners, senior management team, and any committee who should receive regular reporting
Finally, end the report with a brief closing, and be sure to provide your contact information in case anyone has questions.
It’s essential to maintain a consistent vendor risk management reporting routine so that your organization's leaders stay informed about emerging risks and activities. Accurate, easily digestible, timely, and accessible reporting gives the board and senior management the information they need to verify the health and stability of the vendor risk management program, make strategic decisions, and take corrective action when necessary. Keeping your board and senior leadership informed through regular reporting is a necessary practice both to meet regulatory requirements and to ensure an effective vendor risk management program.