by Nikolay Filipets
Whenever I read about TPRM best practices or attend a webinar about Third-Party Risk Management, I hear tons of information about supplier onboarding, risk identification, process improvement, or technology implementation. I also read a lot about prominent areas of risk that need to be treated, or new areas of risk that need to be looked at. While these are very important areas to consider, I rarely hear people talk about good ol' risk management tools such as an ongoing monitoring scorecard.
An ongoing monitoring scorecard can often be perceived as a low-value-add, high-effort activity, hence I always recommend carefully considering the inclusion scope for it. Usually, your critically risk-rated third parties would be the first in line to be rolled into ongoing monitoring scorecard tracking.
So what does a good scorecard include? It is a common misconception that a scorecard is all about vendor performance (which it is, in part), but I would argue the ongoing monitoring scorecard is also about maintaining a comprehensive view and risk profile of a third party, such as:
Keeping track of timely risk reassessment of the third party - to ensure the risk profile is assessed and reviewed on a set cadence.
Collecting updated third-party reports and documentation, such as SOC reports, certificate of insurance, or ownership/affiliation information.
Keeping track of SLA/KPI - to ensure terms outlined between your company and a third party are being adhered to.
Monitoring a third party's financial health - trust me, you don't want to wake up one morning and see your supplier announce bankruptcy.
Tracking regular meetings with the third party - these meetings must be happening for critically risk-rated suppliers to ensure that the relationship owners keep their pulse on the relationship.
Maintaining an exit strategy assessment - this becomes very crucial for critically risk-rated third parties. This activity ensures a plan B in case a third party experiences an unplanned or extreme circumstance and cannot provide services.
Tracking an overall relationship/sentiment score on how well (or not) the relationship with the third party is developing.
Love it or hate it: ongoing monitoring is a necessary evil that will keep your third-party risk management program in good shape and most likely in compliance with various regulatory requirements. While some of the items mentioned above may not be obligatory activities to manage, I believe they should be considered when putting together a comprehensive ongoing monitoring scorecard to track vendor risk and performance.
If you have any ideas, thoughts, or questions about this topic, I will be happy to hear you out; please contact me at filipets888@gmail.com.