July/August 2009
Focus: Risk Management

Developing a Vendor Management Program for Today’s Challenging Marketplace

By Linnea Solem

Vendor Management Basics

Almost every banking organization today uses third-party vendors to help accomplish its goals and objectives cost effectively. The presence of third-party vendors within financial institutions began with technology service providers. Now, outsourcing touches nearly all aspects of a financial institution’s business, from branch operations to marketing and web management.

Although a financial institution may successfully manage outsourced business functions, it has much less control over vendor accountability – particularly when it comes to safeguarding customer information. Your vendor is acting on your behalf, whether the regulatory driver is business continuity, information security, IT operations, Red Flags, or direct marketing. As such, that vendor and its controls need to be integrated into your organization’s internal risk assessment.

Structuring and maintaining an ongoing vendor management program requires integration of multiple regulatory and risk drivers. In today’s market, vendors are a critical part of your overall security and risk assessment. Your organization should not only audit and review vendors objectively, but also look at ways in which the business partnership can help you meet your industry’s risk management expectations.

Beyond Due Diligence

Most vendor management efforts focus on due diligence at vendor selection or during merger and acquisition efforts. However, effective vendor oversight requires ongoing due diligence for existing providers to adjust for changing market and organizational risks.

To ensure effective, consistent oversight, your vendor management policy and governance framework should identify how you will inventory your vendors, the measures you will use to assess the activities they perform, and the risk criteria you will apply to evaluate their controls.

Tips for Success

Effective vendor management does not need to be overly complex, but should be repeatable, adaptable and formalized. For example:

Ensure your risk criteria define the level of oversight. Not all vendors warrant the same level of scrutiny. Base your criteria on the risk the relationship carries, the function the vendor performs and, above all, the customer data and systems to which the vendor has access. Develop criteria for the kind of oversight required for each vendor function.

Define a frequency for vendor review. Risks change, and so do your vendors. Establish criteria for when to re-review a vendor’s controls, such as a change in the vendor’s access to your systems or data or a change in its reporting. Be able to justify how often you evaluate each vendor, and establish trigger events that require an updated vendor review.

Leverage external resources. Request that vendors provide data for compliance documentation. They will likely already have developed packets of information to meet industry needs. Industry organizations have developed shared assessments: standardized questionnaires and tools that integrate banking regulatory requirements with industry security standards such as ISO 27001. These tools streamline data collection from service providers.

Structure and review compliance documentation. Request independent audit results (a SAS 70 Type II report, for example) and additional documentation. Read such reports for scope: they cover only the controls and the period the vendor chose to have examined, so confirm that the services and systems you rely on are actually in scope and review any exceptions the auditor noted. Develop a checklist for the documentation that you require annually and the documentation that should be provided upon request.

Conduct lessons-learned reviews. Evaluate your toolset, track results from vendor reviews, and update your vendor management program. Ensure you define and document any exception process to your vendor management program’s standards.

Address contract provisions. Modify contract provisions as market risks adjust, regulations evolve, or service vendors change. Ensure your organizational roles define responsibilities and keep contracts updated.

Five Vendor Management No-No’s

Avoid these five pitfalls to ensure your vendor management program meets its objectives and audit expectations:

  1. Don’t just copy your risk assessment from one regulatory program to another. New requirements may require different types of vendor oversight.

  2. Don’t just check the box that you received vendor information. Ensure you can demonstrate you reviewed the documentation and found it acceptable based on your policies.

  3. Don’t treat all your vendors the same way. Establish risk-based criteria to focus your efforts. Understand which regulations apply to which providers and adjust your program.

  4. Don’t rely solely on contract provisions to protect your organization. Ensure you clearly define expectations about your customer information safeguarding policies to ensure your vendor understands its obligations.

  5. Don’t let your program stand still. Changing risks are a fact of life in today’s market, and your vendor management program must adapt to meet your changing needs. Provide feedback to your service provider if you require different documentation. Both of you benefit from having an effective partnership in managing risk on behalf of your customers.

Linnea Solem is director of Business Risk & Privacy Management for Deluxe Corp., an industry leader in helping small businesses and financial institutions better operate, protect and grow their businesses. She can be reached at linnea.solem@deluxe.com. Deluxe is a WIB-endorsed Value & Income Program (VIP) partner.  


Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.