Presenting results to senior management and the board is how you show the value of your third-party risk management (TPRM) program, and in many regulated industries it is also a requirement. So where do you start, and what exactly do you report on? Here are our third-party risk management reporting tips and best practices.
Figuring out where to start
What data should you track on third parties? Which metrics are most meaningful? How should this data be presented?
The first step is to understand what is expected from the program, so that you can identify the indicators that actually answer those expectations. Start with the end in mind and work backwards to the data source that supports each indicator. This takes careful planning and a good understanding of the business goals.
Metrics alone only quantify or summarize information; they become useful indicators when they are paired with measurable business goals. For example, business owners may be interested in the time it takes to complete a risk assessment, or the number of vendors with a high risk score, whereas senior executives will usually be more interested in the organization's overall risk exposure (e.g. levels of inherent and residual risk, or the business units that need more attention).
Working with third parties is standard practice in today's globally connected business world, and it exposes your organization to several types of risk. Third-party risk management is therefore about getting the most value from your vendors while reducing the risk they introduce.
7 reports to improve your TPRM strategy
#1 Total inventory of third-party vendors
Map all your third-party relationships, including vendors, suppliers and providers. For example, a law firm, an outsourced software development company, a finance consultant, a manufacturer, etc.
#2 Vendors with access to critical data
It’s important to understand what type of information your vendor will have access to, and what they will do with it.
#3 Third parties with incidents that impact performance
As they become an integral part of your business operations, it’s important to know if and when incidents such as a system outage or data breach involving them have occurred.
#4 Overall status of third-party risk assessment
For example, critical vs. non-critical vendors, or high vs. medium vs. low risk vendors.
#5 Overall due diligence status
How many documents are pending? This could also include upcoming reviews that need to be performed, overdue or missing assessments, etc.
#6 Contract monitoring
This includes upcoming renewals or terminations that should be addressed. This report could go beyond dates to tie a specific value to each contract, as contracts with larger amounts may require more resources to manage and negotiate.
#7 Ongoing monitoring activities
This includes changes in privacy policies, exposure to data breaches or credential theft, geopolitical risk, etc. Major changes affecting high-risk and critical vendors should be escalated to the board as early as possible.
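The seven reports above can be derived directly from a vendor register. The following Python is an added example (it is not code from the original page nor a ThirdPartyTrust product feature): it builds each report from a small, constructed register of fictitious vendors. The field names, the risk tiers, the reporting horizons and the set of data types treated as "critical" are all assumptions, chosen to illustrate the idea; a real program would take them from its own inventory schema and data classification policy. Note how a vendor with no assessment on record is reported separately from one whose assessment is merely overdue, which is a distinction boards tend to ask about.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample register (fictitious vendors), in the shape a TPRM tool might export.
# assessment_due=None means no assessment has ever been scheduled for that vendor.
VENDORS = [
    {"name": "Acme Law LLP", "category": "law firm", "tier": "critical",
     "inherent": "high", "residual": "medium", "data": ["PII", "legal"],
     "assessment_due": date(2024, 5, 1), "contract_end": date(2024, 9, 30),
     "contract_value": 250_000, "incidents": [], "monitoring": []},
    {"name": "DevShop Ltd", "category": "outsourced software development",
     "tier": "critical", "inherent": "high", "residual": "high",
     "data": ["source code", "PII"], "assessment_due": date(2024, 3, 15),
     "contract_end": date(2024, 7, 15), "contract_value": 900_000,
     "incidents": [{"date": date(2024, 2, 3), "type": "data breach"}],
     "monitoring": ["credential leak reported"]},
    {"name": "Ledger Advisory", "category": "finance consultant",
     "tier": "non-critical", "inherent": "medium", "residual": "low",
     "data": ["financial"], "assessment_due": date(2024, 6, 20),
     "contract_end": date(2025, 1, 31), "contract_value": 60_000,
     "incidents": [], "monitoring": ["privacy policy changed"]},
    {"name": "Widget Mfg", "category": "manufacturer", "tier": "non-critical",
     "inherent": "low", "residual": "low", "data": [], "assessment_due": None,
     "contract_end": date(2024, 6, 30), "contract_value": 40_000,
     "incidents": [{"date": date(2024, 1, 20), "type": "system outage"}],
     "monitoring": []},
]

# Assumed classification: data types whose exposure the board cares about.
CRITICAL_DATA = {"PII", "source code", "financial"}


def inventory(vendors):
    """#1: how many third parties of each kind are in the register."""
    return Counter(v["category"] for v in vendors)


def critical_data_access(vendors):
    """#2: vendors that hold at least one critical data type."""
    return sorted(v["name"] for v in vendors if CRITICAL_DATA & set(v["data"]))


def incidents_since(vendors, since):
    """#3: (vendor, incident type, date) for incidents on or after `since`."""
    return [(v["name"], i["type"], i["date"])
            for v in vendors for i in v["incidents"] if i["date"] >= since]


def risk_status(vendors):
    """#4: distribution by criticality tier and by inherent/residual risk."""
    return {key: Counter(v[key] for v in vendors)
            for key in ("tier", "inherent", "residual")}


def due_diligence_status(vendors, today, horizon_days=30):
    """#5: assessments never scheduled, overdue, or due within the horizon."""
    cutoff = today + timedelta(days=horizon_days)
    report = {"missing": [], "overdue": [], "upcoming": []}
    for v in vendors:
        due = v["assessment_due"]
        if due is None:
            report["missing"].append(v["name"])       # never assessed, not just late
        elif due < today:
            report["overdue"].append(v["name"])
        elif due <= cutoff:
            report["upcoming"].append(v["name"])
    return report


def contract_monitoring(vendors, today, horizon_days=90):
    """#6: contracts ending within the horizon, largest value first."""
    cutoff = today + timedelta(days=horizon_days)
    ending = [v for v in vendors if today <= v["contract_end"] <= cutoff]
    ending.sort(key=lambda v: v["contract_value"], reverse=True)
    return [(v["name"], v["contract_end"], v["contract_value"]) for v in ending]


def ongoing_monitoring(vendors):
    """#7: monitoring alerts, restricted to critical or high-residual-risk vendors."""
    return [(v["name"], flag) for v in vendors
            if v["tier"] == "critical" or v["residual"] == "high"
            for flag in v["monitoring"]]


def board_pack(vendors, today):
    """All seven reports as one structure, ready to render into slides or a sheet."""
    return {
        "inventory": inventory(vendors),
        "critical_data_access": critical_data_access(vendors),
        "incidents": incidents_since(vendors, today - timedelta(days=180)),
        "risk_status": risk_status(vendors),
        "due_diligence": due_diligence_status(vendors, today),
        "contracts": contract_monitoring(vendors, today),
        "monitoring": ongoing_monitoring(vendors),
    }


if __name__ == "__main__":
    for section, content in board_pack(VENDORS, date(2024, 6, 1)).items():
        print(f"{section}: {content}")
```

Run it as a script to print the pack for a reporting date of 1 June 2024. The `ongoing_monitoring` filter deliberately drops the privacy-policy change at the non-critical, low-residual-risk consultant: it still belongs in the operational view, but not in what gets escalated to the board.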
Third-party risk management reporting best practices
Now that you know what to report on, let's go through some tips to add value to your reports.
- Frequency: Reports should be provided on a regular, recurring basis – usually monthly to your risk or compliance committee and quarterly to your audit committee or board.
- Format: Use widely-known formats, such as spreadsheets or slides. Remember that graphics like pie charts or line/bar graphs are a quick way to show status at a glance.
- Layout: Start with an overview of the fundamental TPRM activities, then highlight any significant matters involving critical third parties. This section should include the reports listed above and any others you deem appropriate.
- Nice to have: a calendar showing important upcoming updates and activities, to show you are on top of all things TPRM.
These third-party risk management reporting activities keep your senior staff well informed about the overall health of your vendor ecosystem. Executives want these insights in order to make the best decisions and keep stakeholders informed about risk trends.
Regular reporting also helps you take preventive action before risks rise past your organization's risk appetite.
This list is not intended to be exhaustive, so let us know which other reports and KPIs you use.
To learn more about how ThirdPartyTrust can help you streamline your third-party risk assessment and monitoring process, request your free trial now: