Policy, Program and Procedures

 View Only
  • 1.  Creating a Business Case

    Posted 09-24-2019 01:43 PM

    I would like to start a formal vendor risk management program in my organization, but first I need to get buy-in. I need help building a business case. If anyone has done this, can you help?

    Thanks, 

    Sandra



  • 2.  RE: Creating a Business Case

    Posted 09-24-2019 02:47 PM
    Certainly, I'd start by evaluating how many people and how much budget you need - which may be tied directly to the number of actively managed third parties. You're welcome to review our white paper on the State of Third Party Risk Management, which shows how much, among other survey results, other institutions have committed in FTE and additional expenses. Please make sure you think through all of the different facets of TPRM and how much time or many people may be needed for adequate coverage.  Also from a business case perspective, an ounce of prevention is worth a pound of cure - in other words, it's far better to comply with the regulatory guidance than to have to work your way out of an examination set of findings or enforcement action. Third Party Risk Management is currently a real hot button type of issue, so that should also provide additional meat for your business case. I'd welcome input from others in the community on additional steps or convincing arguments that they have seen work well. Thanks!