Third Party Data and Contracts Repository
Building a framework for a third party vendor risk management program.
One of the principal challenges initiating the process to more effectively manage your third parties is the probable dispersion of third party data across the firm. This is exacerbated if there are multiple divisions, departments, countries and if they are stored in multiple data repositories. For effective program management, these sources all need to be assembled into a single integrated operating platform to enable you manage your program effectively. Although you can aggregate the existing internal third party data manually, you should consider how a third party vendor risk management solution may be able to help with aggregating the data:
Does the solution enable you to easily capture the data elements from existing data sources?
Does the functionality of the system have the capability for effective workflow processes to capture the data from internal sources e.g. questionnaires, data entry forms and data entered by the third party itself?
Does the solution allow for the capture of data through integrated feeds from existing external data e.g. third party files on your internal databases, to ensure an easier and more precise transfer from existing systems to your new system?
How flexible are those capabilities at meeting the needs of your data gathering exercise?
Can the aggregated data about the third parties be easily queried, filtered and reported on?
Third party data and contracts repository is only one part of an effective third party risk management program.
Click below to learn more about the other essential elements of a third party vendor risk management framework.
Missing third party data
It is highly probable that you will not have all the data you need from internal sources to conduct your risk assessment on the third parties. You will need to be sure that your platform is capable of gathering data from multiple external data sources.
To learn more about the different external data sources you will need, click here.
Risk scoring and risk assessment
Consistent risk assessment, scoring and classification are foundation activities.
Once you have your initial data about the third party, it is time to assess the risk and assign a risk classification to each vendor or third party. You will need to be methodological in your approach as regulators are expecting to see a robust, well-designed structure.
Third party due diligence
This part of the process requires deeper dives into areas of risk such as IT security, financial stability, corruption
This is accomplished through multiple activities including the use of in-depth questionnaires, the screening of third parties against external databases such as World-Check, Dun and Bradstreet for financial standing and the scheduling and documenting of activities such as on-site visits, phone interviews etc.
Onboarding and terminating third parties
Onboarding of new third parties is a key process for the firm and implementing procedures to ensure that the correct third parties are on-boarded is critical.
It is an important part of your
Oversight, reporting and analytics of third parties
Good oversight delivers better management and program control.
Issue and case management of third parties
A robust solution must be able to handle and help you to resolve your issues and cases.
When you are classifying the risks and conducting due diligence you also need a robust system that can manage those occasions when a supplier or third party does not meet the standards set out in your policy documents.