Manage vendors with ease and confidence
Using a third-party vendor naturally subjects an institution to risk outside its control. That’s why FFIEC standards for vendor management have become a significant part of the IT regulatory examination. Scout manages the vendor environment in much the same way it tracks your internal risk activity and FFIEC information. Use Scout to:
- Rank vendor criticality, confidentiality and performance.
- Schedule and be reminded of due diligence reviews based on identified risks and FFIEC guidelines.
- Attach supporting documents.
Scout makes it easy. In fact, what was once a long, cumbersome process takes just minutes. Plus, Scout date stamps everything and shows who is responsible for every single activity.
Asking the Right Questions vs. Following a Checklist
Vendor management has become a significant part of the annual regulatory examination. Although outsourcing is common in the financial services industry—to lower costs and improve the quality of specialized services—using a third-party vendor naturally subjects an institution to risk outside its control. Moreover, outsourcing IT services does not remove an institution from liability should vendors fail to meet information security requirements. An effective vendor management program protects an institution by ensuring its vendors are adhering to all applicable compliance requirements.
Don’t Sweat the Small Stuff
Vendor management can seem like a very tall order, especially when you consider that many banks and credit unions work with over 100 outside vendors. However, many institutions make it harder than it actually is by taking a mechanical, checklist approach to vendor management without considering the actual risks particular vendors may pose to customer information and data systems. They collect too much information on too many vendors and waste a staggering amount of time without ever really tackling the central issue of vendor management—protecting your institution from vendor-related events that can lead to loss of revenue, loss of service or damage to your reputation, or even shut your operations down.
The regulations say you only have to look at vendors who have access to your customer information and transaction processing systems and potentially pose critical risks. For most institutions, that’s usually no more than a dozen vendors. As you rank vendor risks, if the risks they pose are low, stop right there. You don’t really need to collect additional information on them or monitor them on an ongoing basis. True, examiners will expect you to show that you made some effort to evaluate all of your vendors, but they’ll only expect you to focus on the dozen or so vendors who pose critical risks.
Look At the Right Things
The FFIEC lists 12 broad areas in its vendor due diligence guidance. Many institutions incorporate these 12 areas into their policies, dutifully collect the relevant information, and think they’ve got all the bases covered.
In reality, what they have is a policy that may satisfy examiners, but it doesn’t provide real and meaningful protection. Number one, they’ve failed to ask the right questions about the risks that each vendor may pose to the organization. Number two, they apply all of these 12 areas to all vendors, regardless of whether they make sense in a particular vendor’s case. For some vendors you may need to look at no more than three or four areas.
Report the Right Way
When it comes to reporting risk assessment and mitigation activities to boards of directors, one rule of thumb is: Shorter is better. Don’t burden boards with eye-glazing spreadsheets and page after page of lists. Instead, provide them with a short summary—one page can suffice—of how you’ve been maintaining your vendor due diligence program. Focus on only the 12 or so vendors who pose critical risks to your institution. Show them that:
- You have a process in place;
- You’ve reviewed all vendors;
- You’ve identified the vendors who pose critical risks; and
- You have a plan to mitigate these risks.
Read our board reporting advice for more guidelines.