In working with prospects and customers, one of the questions I get asked the most is about reporting – specifically regulatory and management reporting.
For regulators, you just need to show that you are in compliance and have a reliable, repeatable program. What I’ve learned over time is, for regulators, less is more. Treat these discussions as if you are being interrogated in a courtroom and give them only what they are asking for, nothing extra. If they’ve asked for vendor names and residual risk scores, just make a report of that and send it.
Sharing too much information in a report can come back to bite you. Now the regulatory auditors are looking at an extra piece of information and thinking maybe they should look into that more. Suddenly the can of worms is open. It becomes a bigger audit and usually the regulatory auditors, in particular, are very good at finding issues.
With executive management, the idea is the same – don’t throw in a lot of additional information. These are the people who don’t have time to sift through all kinds of excess data. You want to build them a comprehensive report of exactly what they need and possibly even chart it for them so that it’s a really quick bird’s eye view to make them aware of what is happening.
They want to know the company has risk management under control, who is responsible for which part of the process and any problems – internally or with third-party vendors. The reports can also help management understand their employees’ workloads, so assessments and reviews can be delegated appropriately. At the end of the day, this is a compliance activity and that typically doesn’t fall into people’s budgets nicely, so it’s about making the most of the available resources. Depending on the size of the organization, there could be a 30-person team or maybe it’s just a couple of people in the procurement department. Here, technology becomes an important resource to be leveraged.
At a minimum, your Vendor Risk Management tool should be able to quickly and easily generate reports that:
- Catalog your third parties and their levels of risk
- Show due diligence plans and who is responsible within the company for them
- Document assessments that are outstanding and those past due
- Show issues opened on a per-vendor basis, the resolution status, as well as the trend (increasing/decreasing) of issues opened and closed out
- List reviews that are upcoming and resources needed for them
More importantly, your system needs to be flexible enough to provide additional information at a moment’s notice when your regulators or management team ask for it.
To learn more about regulatory and management reporting for vendor risk, read “The 8 Reports You Need for Effective and Efficient Vendor Risk Management.”