6. Legal risk. GLBA, for example, prescribes clear protections for customer data. Whenever customer data is shared with a third party, the adequacy of the vendor's security and protection procedures must be validated.
What Vendor Relationships Are Subject to Oversight?
Although other types of third-party relationships might be implicated, research suggests two primary sets of vendors that are subject to regulatory oversight. Benchmarking conducted with leading institutions has shown that a substantial number of vendor relationships, between 50 and 400 per institution, fall under the following categories:
Suppliers providing technology in support of core business processes
When you stop and consider it, your "information technology supply chain", meaning the aggregate of software, hardware, telecommunications services, consulting and other services vendors, is the basis for most of your business-critical processes. Therefore, these vendors' performance is inseparable from your ability to run the business.
Suppliers performing functions on your behalf, such as outsourced business processes
Outsourced processing, such as automated clearing house (ACH), call centers, bill presentment, and back-office clearing, amounts to reliance on these vendors to perform business-critical functions. The growing trend toward outsourcing more business processes to a larger number of niche suppliers means greater vigilance is appropriate.
Key Principles of Vendor Management
Regulators will put the burden of proof on member institutions. It's not enough to have the right processes in place to manage your vendors. You have to prove it.
Many supplier interactions are undocumented or are recorded in disparate systems, which makes it hard to gather even the basic data needed to support an audit. Combine this with the numerous stakeholders involved and preparing for an audit becomes a huge undertaking.
Another basis of accountability to regulators is the consistent application of the vendor management process. Lapses in applying the processes will be examined by regulators and flagged for corrective action.
What's especially challenging is the cross-departmental nature of supplier interaction. Consider how the stakeholders in legal, audit, procurement, line-of-business, risk and corporate finance all come together to collaborate on a common, defined process.
Linking Due Diligence with Ongoing Assessment & Audits
The continuum between vendor selection and vendor relationship management is important. Those risk factors that you consider during due diligence become the risk factors by which you must measure the vendor over the life of a contract. As the situation changes, risk scoring should be compared to a baseline that was established up front, before a vendor was even selected. In this way, periodic risk audits will provide the early detection that ensures corrective action is taken.
Potential Points of Failure
Institutions have documented their vendor management policies and gained the blessing of regulators. However, there is a false sense of security in letting the process end with a written document.
As you consider whether automation and strong process accountability are right for your company, evaluate the following risks to compliance:
* Lack of continuity between due diligence and ongoing oversight
* Assuming a paper-based policy will be followed
* Not considering the challenges of decentralized stakeholders
Automation to Ensure Compliance and Create Organizational Value
In order to mitigate the risks associated with vendor selection and management, FSPs should consider automating the vendor selection and management processes. An enterprise system ensures: