Vendor Management and Risk go hand-in-hand. The use of third-party vendors is fraught with risk. Failure to manage these risks can expose the institution to regulatory action, financial loss, litigation, and reputational damage. It may even impair an institution’s ability to establish new relationships or service existing ones. How does an institution come out victorious in the vendor management race?
There is good news. You can manage this risk by understanding the life cycle of vendor management and ensuring your board and management support your efforts. The steps included in the life cycle of vendor management are:
- Determine needs/wants
- Vendor due diligence and selection
- Contract negotiations
- Monitor relationship
- Reporting process
Today, I want to focus on monitoring the relationship. When monitoring your third-party vendor relationships, you need to understand the products and services those vendors provide for you, how they enhance your customer/member service, and the various risks involved with the service. One way to accomplish this is to review and update the risk assessment during the relationship period. Risk management of the third-party vendor process depends on the criticality of the vendor to your institution as well as the risk rating of the vendor. Both the criticality and the risk rating will help determine the frequency of the monitoring and the depth of the risk assessment review.
When reviewing and updating the risk assessment, consider the following, keeping in mind whether the vendor is a critical, major or noncritical vendor:
- The overall effectiveness of the third-party relationship
- The consistency of the relationship with the institution’s strategic goals
- Licensing or registrations
- Vendor’s financial condition
- The adequacy of the third party’s insurance coverage
- Vendor audit reports as well as any needed corrective actions
- Vendor’s internal controls and security issues
- Compliance with applicable laws, rules and regulations
- Disaster recovery and contingency planning and testing
- Whether there are any changes in critical third-party personnel
- Reports relating to the third party’s performance in the context of contractual requirements and performance standards, with appropriate follow-up as needed
- Adequacy of any training provided to employees of the institution and the third party
Ensure you have dedicated sufficient, knowledgeable staff to conduct the monitoring and update the risk assessment. Staff should understand the type of service being provided along with the types of risks that could arise when using that service. When issues arise, staff should act quickly to resolve them, document the results, and promptly report those findings to the board and/or executive management.
One area of consideration requiring additional focus is monitoring the vendor’s business continuity plan and incident response management. This is especially relevant in the COVID-19 pandemic environment today. Ensure you document significant detail regarding the vendor’s plan and that you understand how it integrates with and relates to your institution’s own business continuity plan. In 2019 the FDIC found there to be a lack of detail regarding “the contract parties’ respective rights and responsibilities for business continuity and incident response.”
Other relationships that you don’t want to overlook are those with cloud computing vendors. Ensure that staff understand that the services provided through cloud computing involve specific technical controls that may operate differently than in more traditional network environments.
Do you need additional assistance as you run the Vendor Management race? Temenos Compliance Advisory Services offers a VMS product that will assist you in achieving your victory over vendor management.
Join us September 23rd for Synergy, a Temenos Virtual Event including a Live Q&A Session with the Temenos Compliance Advisory Team covering topics such as: TRID updates, mortgage servicing challenges, deposit changes for 2020 (Reg C, Remittance Transfers (Reg E), Reg D), Flood, and the Privacy Draft Bill in the House and how to plan for the future.
If your organization is looking to expand its digital footprint and you have questions about how it impacts your compliance management program, look no further than Temenos Compliance Services. We currently have digital onboarding quick compliance guides that can help. Plus, as a customer, you can ask unlimited compliance-related questions to our seasoned staff of experts.