One of the most important parts of an effective third-party risk management function is creating an effective governance and oversight structure. Doing so drives accountability and ensures that the right ‘tone at the top’ is set by your board and senior management. Plus, in the past decade, regulators across most industries have made this a consistent theme in their communications about their own expectations for third-party management programs.

So, what does effective oversight of the third-party risk management function look like? Since complexity can vary based on an organization’s industry and size, I recommend that – as a baseline – a well-designed function should have the following five components.

1. The starting point is to formally document the third-party risk management policy and obtain board approval (initially and annually thereafter). This provides the framework for the program and ensures the appropriate tone at the top.

2. Roles should be defined in all parts of the risk framework, from the day-to-day business owners to the various lines of defense and senior management – if possible, placing these into performance goals also helps ensure attention is paid throughout the year.

3. The vendor management function should be clearly defined within the organization and, as importantly, properly resourced and independent from the lines of business. Resourcing goes hand-in-hand with effectiveness, and independence ensures that business needs or “favorite vendors” don’t drown out proper risk decisions.

4. Timely reporting is crucial for effective oversight. This requires three things: leveraging technology to capture and report data, using key indicators to compare against contract standards and trends, and distributing the appropriate reporting segments to each line of defense. Further, reporting should include quantitative data along with more qualitative “color commentary” on where levels of risk are increasing or decreasing and any inconsistency versus the overall enterprise risk appetite.

5. Lastly, complete and accurate documentation of risk management activities should be maintained to support oversight by internal audit and regulators. Further, minutes from board, audit committee, and risk committee meetings should also be maintained to evidence discussions and actions, in case of a dispute or regulatory inquiry.

Effective oversight also requires buy-in and active support from the senior leadership team. Simply providing direction and passive support isn’t enough – accountability needs to be evident in follow-up actions. Their ability to receive and help resolve issues when escalated, and to “wield the hammer” when needed, will ensure the function has teeth. Conversely, depending on the size and complexity of your organization, gaining the support of the senior leadership team may not be easy, particularly since third-party risk management, and certain vendor relationships, are often controversial in terms of expense, preferred vendors, and missteps that span multiple business lines.