Risk management is a team sport, and none more so than third party management. Regardless of whether your program translates guidance into an operating model with ten or twenty steps, it’s important that lifecycle management processes are thorough, consistent and easy to communicate to the hundreds or even thousands of users across the institution. Most of the larger institutions have done a good job of implementing a framework. In many cases there is room for enhancements to:

  1. due diligence processes, including risk-rating findings from due diligence
  2. standardizing risk and contract controls, including risk-adjusting these to reflect different tiers of risk
  3. adding a formal risk approval step for the first line of defense – the risk and relationship owner – to the process
  4. post-contract monitoring activities, including performance management

Another question that practitioners often ask is how to share data across multiple technology platforms. For example, Information Security assessments may be stored in one system, contracts in another, and third party relationship data in another.

Founded on the principle of creating a single “book of record” for third party relationships, most institutions either cross-reference records held in discrete systems or implement automated data transfer processes between them, or both. True integration is costly and complicated.

What is most important is easy access to related records and strong data governance principles. Data integrity is the hard part because there are so many users and stakeholders. That is why formal, scheduled Quality Assurance testing is so important.
