Thursday, May 28, 2020

Scaling your Mortgage Company's Vendor Risk Management Program: When and How

By Branan Cooper
May 19, 2019

Branan Cooper
Vendor Risk Management

BrananCooperBranan Cooper is Chief Risk Officer with Venminder, a third-party risk management solutions firm. He has more than 25 years of experience in the financial services industry with a focus on management of internal processes and controls, most notably in third-party risk and operational compliance.

You've got your hands full. Your third-party risk management team is struggling to keep up with the volume of work, more so than ever now, as there is such a regulatory emphasis on the ongoing monitoring nature or lifecycle approach to vendor risk management.

Due Diligence and Ongoing Monitoring Tip Over First
Typically, it's the due diligence function or the ongoing monitoring function that reach maximum capacity first, since those are the ones that are inherently date and volume driven and require precision and discipline. Get ahead of this by keeping tabs on your team's workloads to give you a good idea well before it becomes demoralizing or frustrating. A well-timed and professional approach to senior management can make all the difference.

Scaling Your Program: When Is It Time?
There are usually some good early warning indicators when it's time to scale your program, such as everyone on the team is juggling responsibilities constantly, people begin to skip meetings--maybe even lunches--and deadlines are precariously close or even missed. Something has got to give.

There are several initial steps you can take to scale. We recommend the following five ways:

1. Look for ways of creating efficiencies in your program. Can people cross-train to pick up a colleague's work? Can arbitrary deadlines be reset?

2. Consider incentives such as offering overtime to the hourly staff.

3. Determine if you need to outsource some activities. In particular, you may need to consider outsourcing those activities that require true expertise, such as SOC analysis or business continuity plan review.

4. Understand where the focus is. If you're engaging in a new line of business, verify the right people are involved and understand it.

5. Grow your team as needed. If you've reached your limit on all of these ideas, it's time to work with senior management and the board to grow the team.

When considering adding to your team, whether you do that internally or by outsourcing to third party experts outside the company, make sure you hire the best qualified candidate. This will be hopefully someone with experience in the specified discipline you need.

As a quick tip, I always recommend starting with LinkedIn and the various risk management forums on that social media platform to recruit qualified candidates.

Third-party risk management often takes a team. While most companies are devoting less than five full-time employees to the function, according to Venminder's industry survey, it will continue to grow as regulatory expectations increase (

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA Insights welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at; or Michael Tucker, editorial manager, at

Share this article