How to Write a Third-Party Policy

Video Transcript

Welcome to today’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder.

Today we are going to talk about writing a vendor risk management policy. Let’s start with a basic premise – there are three unique sets of documents that you’re going to want to create – a policy, a program and a set of procedures. While these are interrelated, there are some key differences, so let’s start with the policy. 

What to Include

The policy is probably the most important foundational document in your vendor risk protocol. It should be written at a level that is easy for your board and senior managers to understand. It should be approved annually by your board and typically will be one of the first things you’re asked to provide in an examination.

The policy should set out in basic but broad terms exactly what your vendor risk management framework is all about. The policy should describe the purpose of third party risk management, its key role in protecting both your institution and your customers.

It should go into high level detail about each of the key functions in the area, such as assessing risk, analyzing due diligence documentation, providing ongoing monitoring, establishing contract standards and reporting to the board and senior management. It should also cite the basic regulatory guidance, for example, OCC Bulletin 29-2013. It’s always a best practice to use as much of the same terminology as used in the guidance so you’re speaking to the regulators in terms they readily recognize. 

Format

Typically, the document is about 5 or 6 pages long and should be pretty familiar to your board and senior management team.

Now that  you know the difference between policy and program and we’ve covered the policy portion today, please tune in next week for the program video. 

Again, I’m Branan and thank you for watching! Don’t forget to subscribe to the Third Party Thursday series.