You knew the next supervisory exam was right around the corner and, as for most credit unions, this was the wake-up call to get your vendor management program up to date. It’s been almost 18 months since someone looked at what due diligence you have, and now you are desperately reaching out to your critical vendors to update the due diligence.
Prepare better vendor policies
What’s wrong with this is self-evident. Most credit unions have not adopted a process to effectively manage vendor relationships, which frequently causes third-party criticism and leaves the credit union in the dark on potentially negative events impacting these relationships. In accordance with FFIEC guidelines, the process should be continuous and dynamic, well documented, and have a reporting function that is meaningful. That is what will keep credit unions one step ahead of this responsibility to begin with.
As with most operational requirements driven by regulation, it all starts with a policy. As with most policies, it should outline who is responsible for managing the program, describe the requirements of the processes to complete oversight and assessment, and finally—and most importantly—inject vendor management into the procurement process.
The policy should outline what and who is included in the contract review, what vendor due diligence will be reviewed, and require a risk assessment prior to inking a contract. And the policy should outline the reporting and escalation requirements based upon the ongoing review of due diligence supplied by the vendor.
Vet all possible vendors thoroughly
A solid vendor management program is shouldered by the assessment process. Generally, if credit unions get criticized on the strength of the program, it is because they have not documented and explained the process well. It starts with the selection process and almost always includes your accounts payable personnel.
However, not all vendors on the list should be assessed. The policy should dictate the variables taken into consideration for a vendor to be considered, and if the credit union has more than 100 on average, you have probably not done a thorough scrub. These variables would include access to or storage of non-public member data, contract value, access to facility or network infrastructure, as well as a multitude of other potential risks frequently found in risk assessments.
The assessment process should be well documented and include the methodology used to assess vendors. Not only will you be evaluating the risks found in the selection process, but you should also document the risks you are evaluating and attempting to control. Those risks include reputational, financial, compliance and legal, strategic, transactional, operational, and concentration risk.
The goal is to understand the inherent risks, consider loss mitigation controls, and finally determine the overall residual risk associated with the relationship. Loss mitigation controls come in many forms and always include contract review and the amount of ongoing monitoring you will be performing moving forward.
It is imperative that the information technology department be at the table for the assessment. IT questions are frequently asked during the assessment process, and IT staff themselves go through annual audits and exams revolving around technology assessments of vendor relationships. Questions surrounding cloud-based applications, encryption levels, types of member information exposed to the vendor, and complementary user access controls found in contracts are always included in the process.
Monitoring and reporting
Monitoring and reporting are also critical components. Policy and process should dictate who is responsible for monitoring both qualitative and quantitative information. The individuals should have experience in understanding how to review control audits, financial statements, disaster recovery policies and tests, insurance, and licensure with state agencies and regulatory bodies, to name a few.
Monitoring also includes the review of provisions of the contract, including any requirements for use of the vendor’s product. Generally, monitoring is the first time a tool should be considered to document the work being performed and alert you when due diligence expires, as well as give you an electronic palette to document your reviews.
Reporting accompanies monitoring and should also contain escalation procedures in the event significant negative events are uncovered or the vendor becomes unresponsive to requests for ongoing due diligence. Policy and procedures should address when an exit strategy may be necessary. Care should be taken in understanding the audiences digesting the findings. These audiences include senior management, third-party auditors, regulators, and the board of directors. Reporting to senior team members should be continuous with a deeper dive. Other reporting may be during supervisory exams and annual assessments provided to the board of directors, for which an overview of the program and risk assessment is all that is necessary.
Prepare a full assessment
Finally, a full assessment should be completed on all vendors once a year and reported to senior management. The assessment is a living and breathing document. It is never considered one and done and must be appended with each new vendor addition or when jettisoning an existing relationship.
However, criticality can migrate over time. Additional services can be purchased from a vendor, which would change the risk level of the vendor. Conversely, a vendor may be replaced by another, yet residual risks remain that require monitoring, though at a lower level than when the vendor was the primary provider.
Vendor management is not rocket science. But you also can’t get by with simply finding a tool and relying on it to do all the work. At the core of vendor management is a process that requires a well-thought-out policy, program, and strategy to execute the tasks associated with managing and mitigating the risks identified. Tools do offer efficiencies in alerting, reporting, and serving as a central archival platform for due diligence received and overview of reviews. However, the tool is less than 10% of the overarching program and should not be considered the basis for a sound system.