Policy, Program and Procedures

Good morning everyone!

I'm rolling out a risk program for my firm and will need to alert our vendors that we will be reviewing them for risk. I need to send out a communication to them for awareness. Does anyone have a sample email to alert your supply base of the introduction of a risk program? To my knowledge we do not have risk measures in any of our Agreements today. I will also need a similar communication to be shared with our business leads. Thanks!

Here is one of the templates we use that might be helpful.

Hello XXXXX,

My name is XXXXX and I am the Vendor Manager for XXXXX. I understand you are our contact person for Vendor Name.

In order to remain compliant with our regulators, we are required to perform periodic due-diligence reviews of our service providers.  To help me complete this process, I would be grateful if you would send me a copy of your most recent Due Diligence Package. Please be sure to include a copy of the following items:

• Disaster Recover/Business Continuity plan.
• Current Financials.S
• SSAE 16 or SOC report.  If you don't have a SSAE 16 or SOC report, then please provide the most recent audit report of your Information Technology security measures and testing. 
• Current Certificate (or Memorandum) of Insurance.
• Certificate of Status from Secretary of State. 

Please email the documents to me at XXXXX. I am including a link for secure mail. 

Thank you for taking the time to compile this information for us.  If you have any questions, feel free to contact me via email, or by phone at (XXX) XXX-XXXX.

​

Click here to send me a document or file securely.

Sincerely,

Signature

Subject: Rollout of New Risk Assessment Program

Dear Team,

I hope you are doing well.

In our ongoing effort to fortify [Your Company's Name] against potential vulnerabilities and to ensure the sustainability of our operations, I'm pleased to announce the rollout of our new Risk Assessment Program.

This initiative will involve comprehensive reviews of our supply base and other integral operations to pinpoint and address potential risks. Given that our current agreements do not include specific risk measures, there might be a need for future modifications and updates in line with the findings of the assessment.

I urge everyone to familiarize themselves with the program's objectives and mechanisms. Your active participation, insights, and feedback will be invaluable in making this a success.

A dedicated session will be arranged soon to discuss the program in detail. In the meantime, if you have any questions or suggestions, please feel free to reach out.

Thank you for your continued dedication and hard work.

Best regards,

[Your Name] [Your Position] [Your Company's Name]

This is very helpful, thank you so much!

These are good discussions for the communication, but if I were you, I would take a look at the vendors you have and start with the most critical. First review your agreements with these third parties- do you have right to audit clauses in your existing contracts? Because if you don't, you may run into headaches with some third parties who have no contractual obligation to provide this to you. You may want to send an amendment to any agreements that do not contain the right to audit clause with the email letting them know that you will be auditing them. I am just trying to help you with that suggestion so you are prepared for that outcome with some vendors.  Good Luck! 

------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management
Cenlar FSB

------------------------------

I agree with starting with your critical and high risk third parties. Most third parties know that they are subject to risk management and are willing participants in the process. If they push back, simply tell them that as a third-party resource, not providing the requested information is a red flag that will need to be assessed by your organization as to future use of the third-party. In all honesty, I have found little resistance to a third-party not providing the requested information. From time to time, they may disagree on something specific that you are asking for, but getting on the phone and discussing typically results in a solution that is good for both organizations.

Anna,

Some great recommendations here!  I think the majority of your third parties will understand that risk assessments are a part of business and will be good partners in getting you what you need.  In my experience, a small minority will fight you about providing suitable documentation.  If you are a regulated company that requires third-party oversight, definitely leverage that to help get what you need.  I would caution against telling them non-compliance could potentially affect future business, and leave that conversation to the person(s) in your company that own the relationship with that third party.  

The conversation with your business partners about the program can sometimes be a much harder conversation.  Many times it can be seen as a hindrance, especially at onboarding.  It'll take some more effort to explain to them why it's important and build that understanding.  I would consider trying to put together some sort of training or a roadshow to meet with as many of your business partners as possible to explain the process and it's importance.  This might be even more important if you're not currently working with a lot of these folks now.  Getting face-to-face (even if virtually) to explain a process can go a long way in building support and understanding for what you're doing and trying to accomplish.  Getting the business on your side will be a huge benefit if you do end up dealing with any difficult third parties as well.  

Good luck!  It's an exciting time getting a new program started and rolling!