Posted on: July 1, 2021
Third-party risk management is a tricky business. When you think of the fundamental pillars of third-party risk, most of the focus goes to risk assessments, due diligence, and contract management. What that leaves out of the equation is ongoing monitoring.
Ongoing monitoring is often the forgotten, overlooked pillar of third-party risk – but that can come at a pretty steep price. It’s understandable how it happens: you’ve exhausted yourself getting through the risk assessment, reviewing due diligence documents, and hammering out contract terms. The contract gets signed, everyone sighs in relief, and then it’s back to business as usual. But if you haven’t assigned individual accountability for following up on the agreed-upon monitoring standards, things will fall through the cracks now that the honeymoon phase is over. Service level agreements get ignored or required reporting isn’t delivered – and no one notices until there’s a real problem.
The Consumer Financial Protection Bureau freely mines its own consumer complaints database looking for opportunities to investigate items of concern – and those can lead to big enforcement actions. Setting up a complaints management system as part of ongoing monitoring is absolutely essential: standards for consumer response, ownership, and root cause analysis are the cure for that problem.
Checking the Better Business Bureau website, or even just the usual Google and news monitoring sources, can also help. Is the problem an isolated incident (take it offline!) or the tip of a much larger problem? The two are vastly different issues. Failing to react to either can cause an avalanche of cascading problems, so it’s always best to have a rigorous plan that addresses both.
Looking at service records and reports is equally essential. It’s not easy, particularly if your organization is monitoring hundreds or thousands of vendors at a time, which is why assigning business unit managers, and ensuring they understand that staying on top of their vendors is part of their job, is critical – and if they see something, they need to say something.
Organizations have shown the hazards of not paying full attention: they are caught off guard when the Better Business Bureau, the state’s attorney general, or the CFPB reacts before they do. Establishing and ENFORCING ongoing monitoring requirements is essential. The requirements need to be spelled out in clear, unambiguous terms and rigidly adhered to. Companies so often hammer expectations into place but then fail to enforce them – and that’s a huge red flag for an examiner.
When you think of ongoing monitoring, tailor it to the specific type of vendor and business practice – because one size absolutely does not fit all. Your core processor and your call center will have very different issues to monitor (for one it’s uptime and reliability, for the other it’s complaints), but you need a process for both that is clearly laid out and built into your risk assessment software.
Making ongoing monitoring just as important a pillar as the others is absolutely essential for a well-functioning third-party risk program. Documenting it all well will help ensure success.