Policy Management 101


Posted on: August 17, 2021

AdobeStock_278307608-1024x683Ask yourself one question: when is the last time I updated my third-party risk management policy and presented it to the board for approval? Fortunately, industry surveys consistently show that about 2/3 of institutions make it an annual practice.

However, for the 1/3 that don’t, here are some helpful tips and notes:

  1. The scrutiny of third-party risk practices has never been greater.
  2. The scrutiny is going to get even more stringent in a post-COVID world since so many institutions had to rely on aggressive outsourcing.
  3. Your third-party risk policy is every bit as important as any other policy.
  4. The policy should be relatively brief but appropriately detailed.
  5. The policy should reflect the expectations of the board and be instructive to senior management.
  6. The policy should be actively reviewed by the board and reflected in meeting minutes – not just in a rubber-stamp exercise.
  7. Regulatory guidance should be cited, up-to-date, and relevant to the practices and expectations of your prudential regulator.
  8. Practices outlined in the policy should be regularly audited (trust me, if your business practices are tweaked and pretty soon policy doesn’t meet work product and vice versa, you’ve got an audit finding – or worse).
  9. The policy should be consistent in the level of detail, wording, and description as your other policies.
  10. The policy must be accurate – so many times, vague wording or confusing expectations cause real problems.

One of the easiest things to do is to build out a construct of different documents: a policy (board level instruction), a program (senior management and business unit level), and procedures (a.k.a. desktop procedures). The policy is ideally only a few pages long, the program is a couple of dozen pages, and the procedures could be hundreds of pages. The real devil is in the details of keeping all of these “synced up” to ensure the work product matches the design. Putting them all together in practice, keeping them updated, and then having internal risk assessment software test them will buy you a great deal of assurance that you have a solid set of documents and, more importantly, a robust set of practices.

Having a well-constructed set of guidelines will save you every time. When a pattern doesn’t meet practice or you’ve allowed your policy to become outdated and cite the wrong outdated guidance, you’ve created a loose thread that is easy to pull. These notes and easy tips will help you recover from that and allow you to have a set of documents that protect your institution and consumers.