Do you closely monitor your vendors? Do your vendor risk management practices keep up with the changes in vendor operations? Vendor risks are constantly evolving and banks need to make sure their management programs are evolving with them. This requires taking a closer look at the vendor and how they operate.
It’s important to consider that your high-risk vendors face operational, technical and financial challenges similar to those of banking institutions. Many are adopting new technology, diversifying geographically and outsourcing internal functions. Banks need to be aware that these types of operational changes at a vendor can expose the bank’s franchise to serious risk or regulatory scrutiny.
A recent study released by Ernst & Young noted that 73% of companies do not acquire information on subcontracting as part of their vendor-assessment process. Additionally, one-third of the companies that are notified about subcontracted services do not assess the subcontractor or the subcontracting process. This staggering statistic can easily be attributed to the fact that conducting vendor risk assessments is a time-consuming and expensive process. Banks that are weak on vendor risk assessment need to develop a standardized process, making sure they receive the answers in a timely manner.
Most banks follow the FDIC’s recommended vendor risk assessment and review critical/high-risk vendors annually. This guidance encourages institutions to reassess vendors “whenever there is a change in the services they are providing,” as well as after a shift in the vendor company’s structure, a change in management or a data breach. Ultimately, the level of risk associated with the service determines the frequency of the assessment.
Although most vendor contracts include provisions requiring the vendor to notify you of changes, it’s also imperative that you are able to identify changes that require additional assessment on your own. Here are a few suggested steps you can take to monitor for such changes:
- Subscribe to a service that monitors geographic-based events. Companies that provide these services monitor for geopolitical and environmental/weather-related incidents as well as incidents related to infrastructure failures;
- Monitor news services for business announcements concerning these vendors;
- Monitor changes in regulations that could impact your vendors or the services they provide;
- Monitor social media, Internet sites and discussion forums for comments related to your vendors or the services they provide.
Ultimately, it’s your responsibility to understand your vendors and their operational risks. Gaining in-depth knowledge of your vendors takes valuable time, but it can also help you avoid pitfalls that could damage both your operations and your reputation.