Is vendor management keeping you up at night? Are you wondering whether the right questions are being asked in order to fully understand and manage your risks? Are you getting what you require and have paid for? Are the right people involved in the process? Has it become too complicated and time consuming? If these are some of the questions running through your mind, you are not alone.
The role of technology continues to evolve, and financial institutions continually look to become more efficient by leveraging outside expertise and doing more with less staff. As a result, institutions place greater reliance on third-party providers for operations, business functions, and customer-facing services and products. As this reliance has increased, so too have the complexity and risk of many of these relationships. So, what are you to do? For many financial institutions, it means reevaluating the vendor management program and modifying it to keep pace with today's vendor management challenges.
Regulatory guidelines require your institution to develop and implement a risk-based approach to govern the vendor management process. As such, an effective vendor management process includes a framework to identify, measure, mitigate, monitor, and report risks associated with outsourcing. While most institutions have developed and implemented such a process, the evaluation considerations and expertise of the staff involved may not have evolved with the increased risk and complexity associated with many relationships.
In today’s challenging vendor management environment, many programs fall short in the following areas:
- Identifying and understanding all risks associated with the relationship, including operational and security risks.
- Ensuring the relationship is in line with your institution’s strategic plan, goals, and risk appetite.
- Performing sufficient due diligence relative to the risk and complexity of the relationship.
- Executing adequate contracts and service level agreements (SLAs).
- Performing effective oversight in order to evaluate the vendor’s performance and identify risk changes in the relationship.
- Involving resources with sufficient expertise in the vendor management process.
AREAS FOR ENHANCEMENT
As you begin to elevate your vendor management process, consider these areas:
- Risks
- Selection
- Contract
- Ongoing monitoring
Risks: The evolving cybersecurity landscape has a direct impact on your organization and an indirect impact through your third-party providers. Therefore, while it is not an easy task, you need to identify and understand the evolving cybersecurity threats and risks of each vendor relationship. Factors such as subcontracting, cloud computing, where your data is stored, and the vendor's ability to respond to incidents and disruptions make these relationships complex enough to challenge even the most experienced and knowledgeable associates.
Selection: The selection process can be the beginning of an inadequate and ineffective relationship. If the process does not clearly identify your requirements and expectations, along with the vendor's ability to meet them, you will likely not get the benefits you seek. In addition, many financial institutions do not ensure the relationship aligns with their strategic plans and goals. The extent of due diligence should be commensurate with the level of risk present in the relationship. Some evaluation considerations include the following:
- Technology use and architecture
- History, experience, and qualifications
- Financial condition
- Internal controls
- Cybersecurity program, including incident response
- Insurance (vendor’s and your institution’s coverage of the service)
- Disaster recovery/business continuity plan
- Legal compliance
- Physical security
Contract: In order to adequately govern the relationship and protect your institution's interests, you need a strong contract and SLA negotiation and review process. Depending on the risk and complexity of the relationship, you may require legal assistance. Some areas to consider include the following:
- Rights and responsibilities of each party
- Security and confidentiality
- Location, ownership, and format of data – notification requirements if changed
- Internal controls
- Cybersecurity risks and management – including incident response procedures and notification requirements
- Audits – types, frequency, right to receive, right to audit
- Reports – frequency and type
- Business resumption and contingency plans – backups, testing frequency, receipt of test results, ability to participate in test
- Subcontracting – notification requirements, assessments, responsibilities
- Compliance with applicable regulations, laws, and guidance
- Performance standards – minimum requirements, SLA, remedies if not met
- Cost/fee structure
- Dispute resolution
- Limitation of liability
- Termination and default remedies
Ongoing Monitoring: It is challenging to determine whether the vendor is meeting expectations and whether the risk profile has changed. Periodically reevaluating vendor risk helps identify changes in the risk or criticality of the relationship. The ongoing monitoring process should be risk-based, scaled to the criticality of the service, the sensitivity of the data involved, and the perceived risk, with more frequent and extensive monitoring for high-risk relationships. In addition to performance experience, evaluations may include the following to determine whether the vendor has met, and can continue to meet, expectations:
- Internal and external audit reports
- Security tests
- Disaster recovery and business continuity plans and test results
- Financial statements
- Compliance with contract and SLA requirements – performance, security, incident response
- Subcontracting and process changes
- Insurance coverage
- Interagency Technology Service Providers’ Report of Examination
Vendor management is not a technology issue; it is an enterprisewide risk management issue. Therefore, you need to continually review and modify the process to meet the ever-changing risks associated with your vendor relationships. To adequately protect your institution from these risks and challenges, it is important to ensure appropriate expertise is involved in the vendor management process.
For further information, refer to the following:
- FFIEC IT Booklet – Outsourcing Technology Services
- FFIEC IT Booklet – Business Continuity Planning; Appendix J: Strengthening the Resilience of Outsourced Technology Services