According to World Compliance, "Vendor due diligence is an analysis and verification tool designed to provide an organization the assurance that a service provider meets the standards necessary to fulfill their business needs." Companies now need to have an effective vendor management program in place, and those cumbersome, time-consuming spreadsheets just aren't going to cut it anymore. Especially for financial institutions, the product needs to provide appropriate oversight and risk management of all third-party relationships. Third-party relationships are even more important to monitor when the party has access to sensitive information or is deemed to be mission critical. Effective vendor management programs protect your institution by ensuring your vendors are adhering to all applicable compliance requirements, so when auditors take a close look at not only your company, but the company you keep, you'll have nothing to worry about.
Don't get blindsided - there are 6 easy ways to know you have the right vendor management program for your institution. An effective risk management process has a sort of life cycle that we've made into the ultimate checklist to building your program.
1. DEVELOP A PLAN
First, you'll need a plan of action. Chances are you already have a security officer or compliance/risk manager who is in charge of managing third-party relationships. Make sure that person or committee has a clear understanding of the vendor and risk management process for your institution. Assigning clear roles and responsibilities for managing third-party relationships ensures accountability, and integrating the bank’s third-party risk management process with a plan enables continuous oversight of the risk management process. This would often involve collecting the list of vendors and the pertinent information needed for each (depending on whether or not they involve critical activities), and outlining your institution's strategy, the risks of each vendor, and how you select and monitor third-party vendors. Then you'll need to find a product or program that can handle the amount of information and can easily organize it for you. For example, our program, VendorSolutions.org, has a Vendors Tab that allows you to efficiently manage third-party vendor relationships, upload contracts, set due dates and more.
2. DO YOUR DUE DILIGENCE
Selecting vendors is a hard enough process, with contracts to negotiate and relationships to maintain. Now that you have a vendor management tool that's keeping your vendors in one place, you'll need to upload all the documents that are involved with each one. This may be as simple as uploading the contract and insurance, or more involved with SSAE16, security and disaster policies too. This may be the time you review your contracts and make sure they clearly define the expectations and responsibilities of the third party. You know you reviewed all those documents to understand all the risks involved before signing the contract - now it's time to keep them all in a safe and handy place in your vendor management tool. VendorSolutions.org has a convenient Vendor Solutions Dashboard that provides information about the health of your third-party vendors every time you sign in. You can easily see what documents or forms are missing and check on vendors that may have a renewal coming up. You can even send an email directly to your vendors to request missing documents or information!
3. PULL REPORTS
Congratulations - you have all your vendors and their documents in your vendor management tool! We know how long that can take - it's a time-consuming process for some, but now you have a solid vendor management plan in place for potential audits or security checks. If you ever do need to pull specific information, for internal or external use, get familiar with your tool's reporting capabilities. If you don't know how the system works now, you'll fumble through pulling a report when you really need it. VendorSolutions.org gives you the ability to pull reports based on contract expiration dates, review dates, risk scores, decision makers, renewal dates and even more advanced filtering options. Here at United Solutions, we strive to always make our products perform the best for you, so if you're having trouble pulling specific data, you can always ask us to help you refine the search. This makes Vendor Solutions a better product for everyone!
4. KEEP MONITORING
You've uploaded all your vendors, the documents, and know how to pull reports. You're almost done with the checklist! Now you want to make sure you're keeping track of not only all your third-party relationships, but your own due diligence and business continuity plans. Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship - and that includes your own risk management plans. In VendorSolutions.org, there is a Shared Vendor Repository so you can actually check to see if anyone has performed due diligence on any of your third party vendors. Sharing information is a good thing.
5. REVIEW RISK
Proper documentation and reporting facilitates oversight, accountability, monitoring, and risk management associated with third-party relationships. Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by third-party relationships.
According to the U.S. Department of Treasury, Office of the Comptroller of the Currency (very important authority), auditors and other parties checking on your vendors obviously want more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities - significant financial functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology). You're in luck - VendorSolutions.org makes it VERY easy for you to see the risk involved with each vendor on an easy-to-read, colored scale. Each vendor is given a risk score using an algorithm that calculates based on vendor importance, information provided and your own due diligence. Green means almost no risk at all because you have all the right documentation or it is a low-risk vendor, yellow means okay or moderate risk because you may have information missing or they do pose some sort of risk, and red means you better check that vendor now to see why they're so full of risk!
6. BE RESILIENT
Lastly, make sure you know what you're going to do in the event a vendor terminates their relationship with you (or you terminate the relationship with them!) for whatever reason. Can you bring the activities in-house? Is it a temporary arrangement that just discontinues at a certain date? Do you need to review the contract and find a new vendor? You'll want to be able to assess the plan of action with time - not the day before your contract expires - if you can help it. VendorSolutions.org has amazing alerts and notices that can easily alert you months in advance of contracts expiring and needing review. The alerts can go out to any member of your team, and repeat until action has taken place. You can also set notices for incomplete vendor profiles and flagged vendors that you want to further review.
For more information about our hosted, automated due diligence program, please visit VendorSolutions.org. It meets all compliance standards and is backed by compliance industry experts. Our site is easy to use, low cost, efficient, and delivers real-time risk management. Now make your list and check it twice - and let us know in the comments below how your vendor management program is doing!





