Earlier this year, we hosted a best practices webinar on third party management, or vendor management. In my many visits and interactions with clients, prospects, competitors, and industry pundits, I hear things that get me thinking – in this particular case it had to do with some of the common myths related to vendor management.
Now when it comes to vendor management, the regulations are very clear in what is expected – at a high level. The devil is in the details though. And at times, it is these very details that overwhelm and sometimes trip us up. Here are five common myths related to vendor management.
1. Cannot start vendor monitoring until risk assessments are completed
When it comes to vendor monitoring, there is no regulation that states you have to complete a risk assessment before you can start monitoring. Yes, risk assessment is important and a necessary step in vendor management. But you already know who your critical vendors are, and you already know what tasks and documents need to be monitored on a regular basis, at least for the high risk vendors. You may start monitoring these vendors before you complete your risk assessment. Then, once you have completed the risk assessment, you can go back and adjust the monitoring tasks based on the risk assessment results. This will get you started with monitoring sooner rather than later, with the flexibility to adjust down the road.
2. All third party relationships need to be monitored
Not all third party relationships need to be monitored. Some simple tips on vendor management in general might be in order here.
All vendors must be listed in a central place somewhere – so you have a complete list of all your third party relationships.
It is best practice to have a strong contract management process in place for your vendors. At a minimum, you should have a contract management process in place for vendors with an auto-renewal clause in the contract. This will help prevent costly contracts from auto-renewing before an internal review.
Monitor the high and moderate risk vendors and use the guidance as well as the risk assessment results to determine which vendors make this prestigious list for your institution. The monitoring tasks for each vendor will vary depending on the relevance of the vendor to your operations.
3. All third party relationships are to be monitored every year
Not all vendors are to be monitored every year. Your risk assessment tool should provide guidance on the frequency of monitoring, and the recommended tasks to monitor for the vendors based on the inherent risk ratings. Base your monitoring frequency on this. It will save you a bundle in time, at least.
4. All third party relationships are to be risk assessed and monitored for all tasks
While it is true that I said you need to list all vendors in a central place, it is not necessary to risk assess and monitor all of these vendors. The guidance is clear when it asks you to run each vendor relationship through the following lens. Based on your responses to these qualifying (or selection) questions and the vendor's impact on your operations, you identify those vendors that you will be risk assessing and monitoring. Again, depending on the inherent risk of a particular vendor, you will have a different frequency model for ongoing risk assessment and monitoring.
a. New vendor relationship or activities
b. Material financial effect on the organization
c. Performs critical functions
d. Stores, accesses, or transmits sensitive customer information
e. Markets financial products or services
f. Performs subprime lending or card payment transactions
g. Increases risk to earnings or capital
5. Cleaners and contractors are GLBA vendors because they have access to the building
It depends. Just because a vendor has access to the building does not automatically mean they have access to client and employee confidential information, and therefore it does not automatically translate to them being GLBA classified and requiring detailed monitoring. What is more relevant in this specific example is what other policies, procedures, and controls you have in place to, say, prevent a cleaner from having access to confidential information. Do you have a clean desk policy? How is it enforced? Do you have periodic employee training on handling confidential data and on the disposal and destruction of confidential information (paper and electronic)? And yet, in some instances, for some of you, your cleaner may qualify as a GLBA vendor!
Still confused with some of the complexities or nuances of the regulation as it applies to vendor management? Contact us and one of our risk management experts will answer any questions you might have.
Registration is open now for the 8th annual WolfPAC User Conference, where you can get first-hand insights into vendor management tips and best practices from our team and your peers. The theme is “Your Guide to the Risk Management Universe”, and it’s going to be stellar! Don’t miss out on your opportunity to connect, communicate, and collaborate with WolfPAC users and leading industry experts. Register for one of the following dates and locations: