3. How will we identify and remediate third-party issues?
Many banks struggle with third-party issue identification and remediation. As you review and analyze third-party due diligence, you should identify control gaps and assign a severity to quantify the risk associated with each gap. Your organization should have remediation timelines in place so you can address and correct issues based on their severity.
To keep issue remediation consistent, you should have a remediation policy in place that assigns roles and responsibilities to the various contributors in your TPRM program. Traditionally, business relationship owners drive the remediation process with the third party, then subject-matter experts confirm the fixes. Having a centralized repository for tracking issues, remediation plans, and their due dates helps unify the different parties involved in the process.
Once your organization has centralized and documented activities related to third-party issues and remediation, you can start reporting those activities to the board. When the board understands the issues that might exist with critical vendors, they can make better decisions.