Preparing for Periodic Vendor Updates to the Board

Podcast Transcript

Welcome to this week’s Third Party Thursday! My name is Kelly Vick and I’m the President here at Venminder.

As you wrap up 2018, it’s a good idea to think about your process for reporting to the board. Whether it’s your regularly scheduled, perhaps quarterly meeting, or whether it’s your summation of all activities for an annual board report, third-party risk management needs to be a part of the board’s regular activities. 

It’s an ideal time to present processes that worked over the last year or maybe didn’t work and as a result need improvement and particularly changes related to risk with your most critical vendors. In addition, discussions around 2019 vendor risk management needs, wants, expectations and projections will likely occur. In today’s podcast we’re going to touch on our recommendations to best prepare for periodic vendor updates to the board.

We recommend the following: 

1. First, prepare proper reporting for the board’s review. Be sure the reporting is as comprehensive as needed but still easy-to-follow. The reporting package should also include pages that address things like:

1. Overall status of assessing risk
2. Upcoming or overdue due diligence
3. Ongoing monitoring activities
4. And upcoming updates or new guidance – a sure way to keep them informed and help validate any additional requests that you’re bringing to their attention

Generally speaking, you may want to devote an individual page to each pillar of third-party risk management, if you’re doing it in PowerPoint, and then accompany it with a more detailed narrative.

2. Have a list of any vendors you are currently vetting. With the new year approaching, it’s likely that your organization is considering and thoroughly vetting new products or services to assist with operations, or simply a new vendor to replace an existing vendor, and you’ll want to keep the board updated as these reviews progress. In particular, per OCC Bulletin 2013-29, you need to present any new critical vendors and receive their approval prior to contract execution.  Similarly, if there are vendors scheduled for notification and termination, be sure to include those as well.

3. Be prepared to share significant 2018 issues. Have a vendor who is consistently underperforming? Or, maybe a repeat audit finding in the vendor management program? Any issue that poses significant risk to your organization needs to be escalated to the board. Be prepared to address any staffing or technology related needs as well.

4. Be prepared to review and discuss your policy, program and procedures documentation. Do changes need to be made after reviewing what did or didn’t work in 2018? If so, as you head into the new year, it’s a good time to implement the changes. You’ll want to receive the board’s input as they will need to approve any risk-based policies governing the vendor risk management process.

5. Report of the overall status of the third-party risk management program and detail any concerns identified with vendors who have grown significantly riskier. The importance of documentation and appropriate board involvement becomes a key expectation – not only by examiners but also by the leadership of the organization.

Remember, the board’s goal is to ensure the processes in place effectively manage risk in a way that meets the organization’s strategic goals, organizational objectives and risk appetite, while protecting the organization, employees, shareholders and consumers. Working as a team and keeping the lines of communication open will benefit all parties.

Again, I’m Kelly Vick and thanks for tuning in. I hope you found my tips helpful. If you haven’t already done so, please subscribe to our Third Party Thursday series.