Common Third-Party Risk Management Findings in Exams and Next Steps

Podcast Transcript

Hi, this is Christine with Venminder.

In this podcast, you’ll learn some common findings on third-party risk management regulatory exams and how your organization should respond.

At Venminder, we have a team of experts that can help your organization prepare for regulatory exams and address any findings for improvement.

If your organization operates in a regulated industry, you should anticipate regular examinations that assess the safety, reliability, and effectiveness of your third-party risk management program. Results are always communicated to management and your board, so it's understandable that exams can be anxiety-inducing, particularly if the examiner identifies areas for improvement or urgent action. 

To begin, it’s good to review your regulator’s website to become familiar with their exam process, classifications of issues, required actions, and potential penalties if your organization fails to correct the issues. 

So, what kinds of issues might examiners identify? 

1. The first kind of issue often appears when the third-party risk management processes are insufficient or unsuccessful. For example, an organization’s third-party risk management program might only cover onboarding processes and not include ongoing monitoring. Another example is an organization that fails to properly verify its vendors' control environments because of a lack of qualified subject matter experts.
2. A second kind of issue is a lack of consistency. For instance, if the criteria for identifying critical vendors aren't clearly defined or consistently applied, it might result in a lack of proper management and monitoring. Similarly, inconsistent documentation standards can lead to challenges in providing evidence of third-party risk management processes. 
3. A third issue regulatory exams frequently uncover is deficiencies in oversight and governance. Common issues include the lack of a third-party risk management policy, insufficient board involvement, ineffective management, irregular reporting, and insufficient monitoring controls. Additionally, problems arise from unclear roles and responsibilities, and weak accountability.

After the exam, the examiner will provide a detailed report that highlights issues and necessary actions or offers suggestions for improvement. Your organization needs to formally respond to this report. Most organizations have specific processes for this in place, so make sure you know what they are and follow them. 

The third-party risk management team plays a crucial role in providing action plans for the response, so it's important to follow these next steps:

• First, read the report thoroughly. Take time to review each comment carefully. Examiners are trained to provide clear details, including a description of issues and their expectations for corrections. If there are questions, consult with your compliance team and management.
• Second, consult with management and stakeholders to ensure that issues are understood, and to identify potential corrective actions and time frames. In the case of multiple findings, it’s essential to develop a plan to address each recommendation and action item individually.
• Then, identify any potential barriers to success. For example, if the corrective action is to implement third-party risk management software to ensure more effective processes and reporting, it’s important to identify the need for additional budget or resources that are required to implement the software.
• Fourth, outline realistic timing for issue correction. It’s vital to set timelines that demonstrate a sense of urgency but are still feasible. If you commit to a timeline and don’t achieve it, there may be serious consequences. Keep in mind that in some cases the regulator will set firm time limits for correction and your organization will have to do whatever it takes to meet the deadline.
• Fifth, assign each action item to a specific owner, who will be responsible for managing the required corrections.
• And then finally, document your plans. This should include responsible individuals, timelines, any necessary milestones, approved or denied decisions, and required approvers.

Once your plans are finalized and documented, they’ll be part of your organization’s formal response to the regulator. After the plan is approved, you'll need to execute those corrective actions. Remember to document everything you do along the way because your examiner will need evidence of the corrections to review.

As a best practice, make sure to open an issue for each corrective action and keep tabs on them. The board needs full visibility, so regular reporting is key to keeping things transparent and holding everyone accountable. It’s important to quickly escalate any issues that are at risk of being late - don't wait until they're past due. Most importantly, be ready to provide regular updates to the regulator and expect one or more formal meetings or follow-ups before the issues can be closed.

On a final note, it’s important to remember that all exams will have findings, even if they’re just suggestions for improving an already effective third-party risk management program. Understanding the exam process and being confident in your ability to effectively correct findings are essential skills to have.

I hope you found this podcast insightful. Thanks for tuning in and we’ll catch you next time.