About this slide presentation
• Customize this PowerPoint as you see fit
• Use these slides to help train your team about key aspects of third-party risk
• Keep this file saved where the team can easily access it
The Third-Party Risk Management Lifecycle
Supporting Elements Guiding the Lifecycle
Documentation and reporting, oversight and accountability, and independent review are peripheral to, but an integral part of, the third-party risk management lifecycle.
• Who will perform oversight on your third parties?
• Policies, programs, procedures, control evidence and reports
• Reporting is essential
• Bring in internal audit teams to keep your organization honest
Scoping
Determine the scope of relationships that should and should not be a part of this lifecycle.
• Define what a vendor/third party/provider is to you
• Scoping is essential in getting the best of your third-party risk management resources
Stage 1: Inherent Risk and Criticality Assessment
A strong risk assessment process is vital to a comprehensive third-party risk management program.
• In order to understand the risk a vendor poses to your organization, you must understand the relationship
• Evaluate all considerations of outsourcing
• Understand the maximum amount of risk the engagement could pose, and how critical the vendor is (or will be) to your organization
Stage 2: Due Diligence and Residual Risk Determination
Due diligence is one of the most important activities in third-party risk management.
• Support RFPs
• Conducted for new engagements and periodically for existing engagements
• Collect, review and assess applicable vendor information and controls
• Determine the remaining (residual) risk
Stage 3: Vendor Selection and Contract Management
Choose the best vendor and go through the process for administering sound written agreements with third parties.
• Negotiation
• Change management
• Ongoing maintenance
Source: Venminder
Stage 4: Ongoing Monitoring
Keep abreast of a vendor’s performance and well-being throughout the engagement, with continued periodic assessments.
• Verify vendors still meet expectations
• Identify areas of concern
• Discover contract gaps, poor vendor trends and declining service levels
Termination
If the vendor relationship has come to an end:
• Ensure exit strategy requirements are met
• Notify the vendor of contract non-renewal
Key Themes to Consider at Every Single Step
• Board involvement
• Checkbox mentality is unacceptable
• Risk assessment needs to be kept up to date
• Documentation
Best Practices and Mistakes to Avoid
Best practices:
• Stick to the basics – don’t be influenced by regulatory uncertainty
• Study new regulations
• Be responsive to new regulations
• Invest in education and industry resources
• Continue to grow the maturity of your third-party risk management
• Keep policy and program updated
• Use enforcement actions as a lens through which to view your business
Mistakes to avoid:
• Waiting till the examiners find fault
• “Nothing’s broken / don’t fix it”
• Collecting documents without analysis
• Inadequate or no budget approval
• Becoming prisoners of non-compliant vendors
• Unidentified risk
Slides: 12