Author: Randy Marsicano

Earlier this year, we hosted a best practices webinar on third-party vendor management. In my many visits and interactions with clients, prospects, competitors, and industry pundits, I hear things that get me thinking – in this particular case it had to do with some of the common myths related to vendor management.

Now, when it comes to vendor management, the regulations are very clear about what is expected – at a high level. The devil is in the details, though, and at times it is these very details that overwhelm us and sometimes trip us up. Here are five common myths related to vendor management.

1. You cannot start vendor monitoring until risk assessments are completed

When it comes to vendor monitoring, no regulation states that you must complete a risk assessment before you can start monitoring. Yes, risk assessment is important and a necessary step in the vendor management process, but it does not have to come first.

You should already know who your critical vendors are. You already know which tasks and documents need to be monitored on a regular basis, at least for the high risk vendors. You can start monitoring these vendors before you complete your risk assessment. Then, once the risk assessment is complete, go back and adjust the monitoring tasks based on its results. This gets you monitoring sooner rather than later, with the flexibility to adjust down the road.

2. All third-party relationships need to be monitored

In terms of vendor relationship management, not all third-party relationships need to be monitored. Some simple tips on vendor management in general might be in order here.

All vendors must be listed in one central place – so you have a complete inventory of all your third-party relationships. You cannot decide which relationships to monitor until you know what they all are.

Vendor management best practices suggest having a strong contract management process in place for your vendors. At a minimum, you should have a contract management process covering every vendor whose contract contains an auto-renewal clause. This will help prevent costly contracts from auto-renewing before an internal review.

Monitor the high and moderate risk vendors, and use the guidance as well as the risk assessment results to determine which vendors make this prestigious list for your institution. The monitoring tasks for each vendor will vary depending on how critical that vendor is to your operations.

3. All third-party relationships are to be monitored every year

Not all vendors need to be monitored every year. Your risk assessment tool should provide guidance on the frequency of monitoring, and on the recommended tasks to monitor for each vendor, based on its inherent risk rating. Base your monitoring frequency on this. It will save you a great deal of time, at least.

4. All third-party relationships are to be risk assessed and monitored for all tasks

While it is true that I said you need to list all vendors in a central place, it is not necessary to risk assess and monitor all of these vendors. The guidance is clear when it asks you to run each vendor relationship through the following lens:

a. New vendor relationship or activities
b. Material financial effect on the organization
c. Performs critical functions
d. Stores, accesses, or transmits sensitive customer information
e. Markets financial products or services
f. Performs subprime lending or card payment transactions
g. Increases risk to earnings or capital

Based on your responses to these qualifying (or selection) questions and the vendor's impact on your operations, you identify the vendors that you will be risk assessing and monitoring. Again, depending on the inherent risk of a particular vendor, you will have a different frequency model for ongoing risk assessment and monitoring.

5. Cleaners and contractors are GLBA vendors because they have access to the building

It depends. Just because a vendor has access to the building does not automatically mean they have access to client and employee confidential information, and therefore it does not automatically make them a Gramm-Leach-Bliley Act (GLBA) classified vendor requiring detailed monitoring.

What is more relevant in this specific example is what other policies, procedures, and controls you have in your vendor management strategy to prevent a cleaner from having access to confidential information. Do you have a clean desk policy? How is it enforced? Are unattended workstations locked? Do you have periodic employee training on handling confidential data and on the disposal and destruction of confidential information (paper and electronic)? And yet, in some instances, for some of you, your cleaner may qualify as a GLBA vendor!