
Financial Outsourcing Solutions

FOS Blog

12 Oct 2015

Vendor Management Risk Assessment

Vendor Risk Assessments
As with many areas within the banking world, appropriately understanding a given environment requires assessing a variety of risks. Risk rating vendors is an important part of both the selection of new vendors and the ongoing monitoring of existing vendors. Risks related to legal and regulatory compliance, financial stability, and access to confidential information all need to be assessed. These three pillars form the foundation of assessing vendor risk.

Legal and Regulatory Compliance
Everyone in banking, especially community banking, knows that regulatory compliance is expansive in scope and expensive to maintain. The regulatory environment within banking is typically much stricter than the one vendors operate in, as vendors are typically not subject to the same scrutiny. Depending on the type of vendor, knowledge of compliance issues can vary. For example, a core banking application provider will generally have more knowledge of regulatory issues than a technology service provider. This difference is driven mostly by the clientele of the two vendor types: the major core banking application providers deal primarily with banks and similar institutions, while technology service providers may serve a variety of industries, many of which face far less regulatory scrutiny. A technology service provider's lack of knowledge of the banking industry's specific requirements can therefore be a source of increased risk.

Financial Condition
Financial condition is more directly comparable across different vendors. How much weight these risks carry depends on the size of the vendor and the Bank's planned or ongoing relationship with it. Financial instability in a vendor increases the risk that the vendor will be unable to provide the services spelled out in a preexisting agreement. It is important to evaluate the environment in which the vendor operates and to confirm that the vendor itself is not experiencing financial difficulties.

Access to Customer Information
Security of customer information should be a major concern for community banks, as the reputational damage caused by a breach could be severe. In the event of a breach of information caused by a vendor, customers will most likely not be knocking on that vendor's door; they will be knocking at the door of the bank. A vendor's access to customer information should therefore be among the highest concerns. Banks should assess not only the amount and type of information the vendor can access, but also the vendor's methods for securing that data, including, but not limited to, how the data is stored and who is responsible for ensuring its removal when the relationship is terminated. Increased scrutiny should be placed on cloud-based vendors.

These risks do not constitute the entire risk profile for each vendor; however, they do act as a starting point in determining the criticality of vendor relationships. Banks should ensure that all risks are combined and weighted in order to determine appropriate risk ratings, which will drive the review process. Vendors deemed critical should be reviewed on an annual basis, while those deemed non-critical may be reviewed less frequently and/or with a reduced level of documentation.

For additional information contact the author Jeffrey J. Johns at jjohns@fosaudit.com.
