Vendor Management Best Practices
Nine Simple Steps to Vendor Management
Using a third-party vendor naturally subjects an institution to risks outside its control. From a data breach to an unexpected shutdown, banks and credit unions are subject to a variety of vendor-related events that could lead to loss of revenue, loss of service or reputation damage.
That’s why FFIEC standards for vendor management have become a significant part of regulatory examinations. Examiners are putting a stronger focus on the guidelines, pushing organizations to better prepare themselves for the unexpected.
Notably, outsourcing does not remove an institution from liability should vendors fail to meet information security requirements. An effective vendor management program protects an institution by ensuring its vendors are making all necessary efforts to safeguard information.
Don’t Sweat the Small Stuff
Vendor management can seem like a tall order, especially when you consider that many banks and credit unions work with more than 100 outside vendors. But oftentimes, institutions make the process harder than it actually is by tackling too many vendor reviews and collecting too much information.
The regulations ask you to look at vendors who have access to customer information or processing systems and those that potentially pose critical risks. For most institutions, that’s usually no more than a dozen vendors. Focus your attention there. Examiners only expect you to concentrate on those relationships that pose critical risks.
Step-by-Step
We’ve analyzed the FFIEC vendor due diligence guidelines and consulted examiners to break the process down into nine simple steps. Here’s how to get started…
Step 1: Start with a list of your vendors
List anyone you’re doing business with—anyone you outsource to in some function, whether it’s mowing the lawn, cleaning, credit card processing, public relations, or IT.
Step 2: Rate each vendor on criticality
Ask yourself, ‘If this vendor stops providing this service tomorrow, what will it do to my organization?’ If you’ll have to shut your doors or stop providing a service, the vendor is critical. If you might not even notice for a while (gosh that grass is getting long), then that’s a low criticality vendor.
Step 3: Rate each vendor on confidentiality
Identify what each vendor has access to in terms of customer information—account numbers, names, addresses, account info. As with criticality, rank this access high, medium or low.
Step 4: Sort the vendors by rank
Sort your list of vendors by both criticality and confidentiality. A high ranking in either category means you need to pay attention to that vendor. Naturally, 12 to 20 vendors will float to the top in either category. If you have more than two dozen in either group, you’ve scored them too heavily.
Step 5: Normalize your rankings
This is a cross check of sorts. Take a look at all your rankings collectively and make sure they make sense as a group. Is it logical that your high risk vendors are really more critical than the ones below? You’ll often find minor adjustments when you take a high level overview.
Step 6: Identify risks for high-ranking vendors
According to the regulations, you need to rate all your vendors. But once that’s done, you only need to focus on the high criticality and high confidentiality providers. Remember these should be relatively short lists.
Identify what risk each of the vendors may pose and what controls they should have in place to temper those risks. For example:
- This vendor is critical to my operations. What if there’s a fire, flood, or power outage? Do they have a disaster recovery plan? A business continuity plan?
- What happens if they make an error? Do they have liability insurance?
- They have access to customer information. What security measures are they taking? What is their response plan if a data breach occurs? Does it work with my response plan?
Identify the controls (i.e., risk mitigation efforts) they should have in place to a) secure information and b) minimize the impact on your organization.
Step 7: Begin your due diligence
Start collecting evidence of those controls and risk mitigation processes. Create a file. You want to verify the vendor has a plan in place. See if it meshes with your plan and sounds reasonable. Get a copy of their disaster recovery plan and liability policy. Ask for pertinent staff bios to determine if they have qualified personnel. Check references and be sure other clients report satisfaction.
Step 8: Request improvements or switch vendors
If the vendor doesn’t have adequate controls in place, you need to have a dialogue and convince them to meet your standards. If you can’t find resolution, you may need to select a different vendor.
Step 9: Reevaluate
Annually, go through your list of vendors and decide if their risk rating needs to be changed. Also, reevaluate your high risk vendors to make sure their controls are appropriate for the current risk environment. Has your relationship changed in the last year? Have security threats evolved? Are their certifications up to date and contracts current? Continue to manage your risks and relationships.
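The ranking, sorting, cross-check and annual reevaluation steps above, worked as an added Python example (not code from the original article). The vendor names, review dates and the 365-day interval are constructed assumptions; the high/medium/low scale, the "high in either category" rule and the two-dozen ceiling are the article's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Step 2/3: each vendor is rated high, medium or low on both criticality and confidentiality.
RANK = {"high": 3, "medium": 2, "low": 1}
MAX_PER_GROUP = 24  # Step 4: more than two dozen highs in either group means you scored too heavily


@dataclass
class Vendor:
    name: str
    criticality: str
    confidentiality: str
    last_review: date  # assumed field; the article only says reviews happen annually


def attention_list(vendors):
    """Step 4: vendors rated high in either category, highest combined rank first."""
    flagged = [v for v in vendors if "high" in (v.criticality, v.confidentiality)]
    return sorted(flagged, key=lambda v: (-(RANK[v.criticality] + RANK[v.confidentiality]), v.name))


def scoring_too_heavy(vendors):
    """Step 5 cross check: flag a category when it has more than two dozen 'high' ratings."""
    highs_crit = sum(v.criticality == "high" for v in vendors)
    highs_conf = sum(v.confidentiality == "high" for v in vendors)
    return {"criticality": highs_crit > MAX_PER_GROUP, "confidentiality": highs_conf > MAX_PER_GROUP}


def due_for_reevaluation(vendors, today, interval_days=365):
    """Step 9: anything reviewed more than a year ago (assumed 365 days) is overdue."""
    return [v.name for v in vendors if today - v.last_review > timedelta(days=interval_days)]


# Constructed sample vendor list; none of these are real providers.
SAMPLE = [
    Vendor("Core processor", "high", "high", date(2022, 3, 1)),
    Vendor("Card processor", "high", "high", date(2023, 1, 15)),
    Vendor("Cleaning service", "low", "low", date(2021, 6, 1)),
    Vendor("PR agency", "low", "medium", date(2023, 2, 1)),
    Vendor("Statement printer", "medium", "high", date(2022, 11, 20)),
    Vendor("Lawn care", "low", "low", date(2023, 4, 1)),
]

if __name__ == "__main__":
    for v in attention_list(SAMPLE):
        print(f"{v.name}: criticality={v.criticality}, confidentiality={v.confidentiality}")
    print("over-scored:", scoring_too_heavy(SAMPLE))
    print("overdue for reevaluation:", due_for_reevaluation(SAMPLE, date(2023, 6, 1)))
```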
Prepare for the Unexpected
The vendor management process helps your organization plan for the unexpected. As you identify the risks, you need to make sure controls and protocols are in place so that should something happen, neither you nor your vendor has a disastrous outcome.
Understand the relationship up front, and make plans to deal with any damaging events. The last thing you want to do in a crisis is spend time figuring out what to do next. And when it comes to public relations, any crisis is better contained when you can show that due diligence was both thorough and thoughtful. Simply put, you don’t want to fail because you forgot to plan.
Evaluating Specialist Providers
You may feel overwhelmed when it comes to evaluating an IT firm, credit card processor or other complex service provider. Don’t be intimidated.
The examiners don’t expect Herculean review efforts. You don’t need to send in your own security testing team. What you do need is assurance the vendor is following industry best practices.
When an examiner asks why you feel comfortable with a certain vendor, provide a rational argument and documentation demonstrating you’ve done your due diligence.
You might request the following:
- SAS 70 audit report (credit card processors)
- PCI compliance (credit card processors)
- Third party certifications
- Staff experience & education
- Customer recommendations
- Industry awards
You don’t have to understand the intricacies of a vendor’s business. You can secure reasonable proof of quality by relying on third-party certifications and other logical evaluation measures.
Scout for Vendor Management
Scout manages the vendor environment in much the same way it tracks your organization’s risk assessment process. Use Scout to:
- Rank vendor criticality, confidentiality and performance.
- Schedule and be reminded of due diligence reviews based on identified risks and FFIEC guidelines.
- Attach supporting documents.
Right from initial use, Scout automates and simplifies vendor management. It guides users through the process, including prompts to request relevant information and conduct reviews.
Scout’s vendor management module was built using FFIEC guidance and includes the agency’s 12 recommended due diligence considerations. Institutions can customize the application, adding their own due diligence criteria.
Users report that consistency and organization improve dramatically with Scout. It helps institutions set consistent review criteria and provides a central storage system for contracts, insurance policies and other essential documentation.
Scout is a risk assessment dashboard that also includes modules for GLBA, Red Flags, and BSA.
