Strategic Vendor Risk Management

By Sean Cronin

Many credit unions and other financial institutions act tactically when it comes to assessing and monitoring how third parties manage risk. As an example, our organization was recently asked to provide an official response describing how it dealt with the Shellshock vulnerability. Frankly, querying a vendor on a single specific threat (in a universe of thousands) isn’t the right approach.

The right approach is much more strategic: Implement a vendor classification system, assess where each of your vendors falls within that spectrum and develop strategies for the vendors with the highest risk.

Strategic vendor risk management (VRM) programs evaluate, track and measure third-party risk to assess its impact on a business. They include controls or other forms of mitigation to lessen the impact if something happens. It is important that a VRM program reflects and enforces an organization’s internal controls framework, ensures compliance with government or industry regulations, and achieves consistency across all vendors.

Here’s the “Ultimate Checklist for a Robust VRM Program”:

Identify Potential Vendor Risks

Many companies assume they have to deeply assess every partner. But in reality, some vendors require increased scrutiny due to the strategic role they play in a company’s ability to generate revenue. Others may provide a minor service, but have the potential to expose confidential information. Therefore, an organization should categorize and prioritize vendors, and focus assessments on the risks germane to the services they provide.

Develop Strategies for Higher Risk Vendors

When a vendor is identified as presenting substantial risk, strategies need to be identified to keep the vendor’s issues from causing your CU harm. To do so, consider the following:

  • Make risk mitigation part of the negotiation and the contract’s service-level agreement.
  • Work closely with the vendor to identify and resolve issues to mitigate risk.
  • Gather outside information about the vendor to assess financial health.
  • Measure the vendor’s performance over time.
  • Have a plan if a vendor exceeds the risk threshold.
  • Develop contingency plans to ensure business continuity should one of your vendors go out of business.

Align Vendor Control Environments With Internal Frameworks

Many organizations have a control environment to mitigate internal risks. Work with vendors to assess the effectiveness of their controls for the risks identified. Perform a gap analysis of the organization’s controls vs. the vendor’s, and work together to close any gap that’s identified. Control requirements should be aligned with industry standards and guidelines.

Implement Ongoing Metrics

Once vendor risks have been identified, measure performance against those risks. When developing measurements, identify the business value to be gained with the function or capability being measured, and define objective criteria that can be used to assess the value. Measures to consider include:

  • performance and SLA expectations;
  • disruption in workflow based on vendor performance;
  • breach of the vendor network, systems or facilities;
  • results of internal security (physical or systems) controls testing; and
  • vendor (non) compliance with laws, rules, regulations, policies and procedures.

How Do We Get There From Here?

The key to effective risk management is ongoing monitoring – to ensure the controls that were in place when the relationship began remain in place over time, and change as necessary to manage new risks. This level of risk mitigation requires a repeatable program that includes periodic inspection. “You don’t get what you expect, you get what you inspect,” as the saying goes.

At a minimum, inspection begins by identifying all third- and fourth-party providers servicing your organization. You need to understand the type of information and services being outsourced, and what controls are in place to protect the institution’s interests.

The idea is to gain an understanding of the total risk across both third and fourth parties and what contingency plans are in place should an event occur. It makes sense to be proactive in this effort because CUs will increasingly be under pressure from regulators and their own boards to prove a program is in place for managing both third- and fourth-party providers.

Such a program involves assessments that take a sampling of the controls that should be in place and asks vendors questions to ensure they are indeed in place and functioning as intended. Notably, as credit unions and other financial institutions continue to outsource more and more functions to cloud providers and others, the inspection process can become unwieldy.

Some organizations will want to automate the process of conducting assessments and analyzing results. Some key benefits of an automated third-party system include making the process easier and more objective, helping to ensure that third- and fourth-party audits don’t fall through the cracks—and, in turn, that your CU is ready for the regulators.

Sean Cronin is responsible for leading all aspects of ProcessUnity’s risk management line of business, including strategy, marketing, sales, client services, and strategic partnerships. He brings over 12 years of governance, risk and compliance experience to the company.