Policy Management 101
Posted on: August 17, 2021
Ask yourself one question: when is the last time I updated my third-party risk management policy and presented it to the board for approval? Fortunately, industry surveys consistently show that about 2/3 of institutions make it an annual practice.
However, for the 1/3 that don’t, here are some helpful tips and notes:
The scrutiny of third-party risk practices has never been greater.
The scrutiny is going to get even more stringent in a post-COVID world since so many institutions had to rely on aggressive outsourcing.
Your third-party risk policy is every bit as important as any other policy.
The policy should be relatively brief but appropriately detailed.
The policy should reflect the expectations of the board and be instructive to senior management.
The policy should be actively reviewed by the board and reflected in meeting minutes – not just in a rubber-stamp exercise.
Regulatory guidance should be cited, up-to-date, and relevant to the practices and expectations of your prudential regulator.
Practices outlined in the policy should be regularly audited (trust me: if your business practices get tweaked, pretty soon the policy no longer matches the work product, or vice versa, and you've got an audit finding – or worse).
The policy should be consistent with your other policies in its level of detail, wording, and description.
The policy must be accurate – so many times, vague wording or confusing expectations cause real problems.
One of the easiest things to do is to build out a construct of different documents: a policy (board level instruction), a program (senior management and business unit level), and procedures (a.k.a. desktop procedures). The policy is ideally only a few pages long, the program is a couple of dozen pages, and the procedures could be hundreds of pages. The real devil is in the details of keeping all of these “synced up” to ensure the work product matches the design. Putting them all together in practice, keeping them updated, and then having internal risk assessment software test them will buy you a great deal of assurance that you have a solid set of documents and, more importantly, a robust set of practices.
Having a well-constructed set of guidelines will save you every time. When policy doesn't match practice, or you've allowed your policy to become outdated and cite superseded guidance, you've created a loose thread that is easy to pull. These notes and easy tips will help you recover from that and give you a set of documents that protect your institution and its consumers.