Vendors—we all need them! Vendor Management is Key to Staying in Business – Any Business!

Vendor management has become a regulatory hot button for community bank and credit union regulators. But vendor management applies to any business: for-profit or nonprofit, private or public organizations, all the way up to government. Every company relies on vendors to fulfill its mission and to provide its clients what they need, because no one can work entirely alone, and no single person or company can do it all. We all depend on each other to survive, locally and globally.
Vendors have the huge responsibility to provide their clients what they promised: to deliver on their brand. Each company, in turn, has the responsibility to vet and perform due diligence on every vendor it partners with. Every function a company outsources to a vendor is a key factor in that company's overall success, so each vendor has to be chosen carefully.
In community banking and credit unions, vendor management is part of the IT security program, which in turn is part of the enterprise risk management (ERM) program. At the same time, ERM should be integrated into the bank's overall strategic plan. Banks need strategies to mitigate the risks that arise from every area of the business, and vendor management is one of them. In today's business environment, however, every company, regardless of what it does, needs to have a vendor management program in place.
The simplest way to establish a vendor management program is to start with a vendor risk assessment. Below are three key components of a vendor risk assessment:
Criticality of vendor to the organization: How critical is this vendor to your operations? Can they be easily replaced? Rate each vendor from 1 to 5, where 5 is the most critical. Example: your core system vendor is a level 5 in criticality because a community bank or credit union cannot run without it. Your shredding company, on the other hand, is a level 1 in criticality because they can easily be replaced.
Confidentiality of information: What type of data does this vendor have access to (public, non-public or confidential)? What are the consequences if the information they hold gets out? Your core system is a level 5 in confidentiality because they have access to all of your customers' confidential data. Your shredding company is also a level 5 in confidentiality because they have access to hard-copy customer confidential data.
Threat/Vulnerability of vendor: Is this vendor financially stable? What are the chances this vendor will still exist in the future? If not, do you have a backup vendor to perform this function? The best example I have here is the accounts payable vendor we used at one of my previous employers. The company suffered an irreparable computer system crash to the point of shutting down the company! They gave us 30 days to figure out how we would pay our bills. Thankfully, we did have a backup company and switched all our vendors/bills to them. However, the pain we went through could have been avoided if we had known this company's financial state and their disaster recovery plan (or lack thereof, in this case).
Once you complete a vendor risk assessment, the next steps are to establish mitigating factors, recognize the residual risk of each vendor, and have a backup plan for each one. The Board of Directors should approve your vendor management program as part of the overall IT security program and ERM, and that approval should be documented in the board meeting minutes. This shows regulators and auditors that you are serious about knowing your vendors and are aware of the risks each vendor poses to your organization. Do not wait until you have a vendor crisis or, worse, until your data is out and you face a huge reputation risk. Having a solid vendor management program is key to the success of a community bank or credit union, or any business!