Building and maintaining a strong third-party management program can be difficult. Your organization may have anywhere from dozens to (more likely) hundreds of vendors that need to be assessed, managed, and monitored to some degree. As vendor relationships change, the information you hold on each vendor and the way you monitor it must change as well.
With this many moving parts, it should not be surprising that third-party management is one of the hardest aspects of Enterprise Risk Management to keep current and compliant. How can you protect your organization from vendor risk with so much to manage?
Risk Based Vendor Management Is Key
You cannot monitor every vendor in the same way, and it would be unwise to try. Instead, determine the level of risk each vendor poses to your organization individually, and then use that rating to set ongoing monitoring that matches the vendor's criticality.
For instance, a vendor that stores, accesses, transmits, or performs transactions on sensitive customer information will almost certainly be rated a high-risk vendor. The potential losses from a data breach at that vendor can be extensive, so you protect your organization by putting strong controls in place (thorough due diligence, contractual security requirements, and ongoing monitoring) to ensure your data stays safe while working with that third-party provider.
If, however, another vendor has only possible incidental access to customer information, the risk to your organization and your clients is much lower. You do not need to spend as much time, money, or staff setting up strong controls as you would for the high-risk vendor; the cost of running a robust monitoring program for that vendor would far outweigh the benefit your organization would receive. Lower risk is not zero risk, though: incidental access is still access, so the rating should be revisited if the vendor's role or the data it can reach expands.
How Do You Determine Whether a Vendor Is High Risk?
Performing a Vendor Risk Assessment is the best way to determine the inherent risk a third-party provider poses to your organization. During the assessment, check whether any of the following statements is true; a "yes" on any one of them is grounds for treating the provider as a critical (high-risk) relationship. The criteria use banking terminology (institution, bank products) because they come from financial-institution guidance, so adapt the wording to your own sector where needed:
- They perform a new function or activity
- They could have a material effect on the institution’s revenues or expenses
- They perform functions critical to your organization’s operations
- They store, access, transmit, or otherwise interact with sensitive customer information
- They market bank products or services
- They could significantly affect your organization’s earnings or capital
Managing your organization's vendors is a critical component of your overall risk management program, so it is important to use your resources and time as efficiently as possible. Classifying each vendor as high, medium, or low risk lets you focus your resources on the providers with the greatest potential impact on your organization, so you and your team spend time where it matters most. Because that classification depends on what the vendor does and what it can access, repeat the assessment whenever the relationship changes materially, not just at onboarding.
Do you have more questions about ways to strengthen your vendor management program? Read our article, Frequently Asked Vendor Monitoring Questions, for information about contract reviews, SOC reports, and anything else you might need to know.