When discussing vendor management, the term “assessments” is one that is almost solely used in conversations around assessing controls and risks with your vendors. This includes initial and periodic inherent risk assessments, as well as the related vendor due diligence assessments.
But remember: assessments don’t apply only to your vendors. They also apply to you and to your need to self-assess your own policies, procedures and internal controls, and how well they are performing. For example, a common gap in many vendor management programs is not keeping policies and procedures updated with changes in regulatory requirements. Having stale, outdated policies and procedures exposes you to unmanaged risks and to the potential for non-compliance findings by your auditors or regulators.
So, it’s important not only to regularly assess your third-party vendors, but also to regularly assess your vendor management function itself. Let’s look at four common assessments you should be conducting on a routine basis.
Control Assessments – Are the controls you’ve put in place effective and performing as designed? You may be surprised to learn that certain portions of your existing program, while well crafted, do not match your actual business practices – “we think we’re doing X; we’re actually doing Z”. Reviewing your vendor management function from a control standpoint ensures established policies and procedures are being followed correctly and consistently – across the entire organization. Testing your controls to identify gaps (before your auditors do) will allow you time to consider (and test!) remediation strategies, update your procedures and even anticipate what your auditors/examiners may find. An ounce of prevention will save you a lot of headaches down the road.
Efficiency Assessments – Are you working hard and working smart? Are you spending unnecessary time and resources on activities that yield little result? Looking for opportunities to bring needed changes to processes can save immense amounts of time and frustration, and lead to much better results. Performing a regular review of your questionnaires, procedures and systems can yield real improvements in ROI, as you get to compare best practices, best quality and quantity, and best service provider relationships, and also avoid auto-renewals of contracts you wanted to get out of.
Maturity Assessments – How defined is your program and its practices? Have new risks emerged that you need to manage? Vendor relationships and risks change constantly, so you can’t ‘set and forget’ your vendor management program. Maturity assessments allow you to baseline your program against current, best-in-class models and create a prioritized roadmap to strengthen and continually mature your program.
Regulatory Assessments – Does your program comply with all of the latest regulations? One of the biggest challenges is simply making sure that your practices are solidly based in the regulatory guidance. Regulations change or, even if they stay the same, regulators annually place an emphasis on certain areas (e.g., cybersecurity and fourth parties are big focus points right now). Performing a regular review of your program against the latest regulations and areas of focus is necessary to ensure your policies and procedures stay compliant.
Investing the appropriate time, talent and resources into regular assessments of your vendor management program is the most cost-effective way to identify and eliminate small problems before they become big ones. Assessments allow you to confirm which practices are working well, and which ones need improvement. Think of it as you would your annual physical examination by your doctor. An ounce of prevention truly is worth a pound of cure. Equally important, your regulators expect to see routine assessments and the related documentation of action steps taken.