With NCUA Chairman Todd Harper telling Congress that the NCUA is seeking to restore its oversight of third-party vendors, including fintechs, now is a good time for credit unions to make sure they are proactively considering the roles that enterprise risk management (ERM) and vendor management play at their institution.
Enterprise risk management is a broad umbrella that covers risks of all kinds. It creates value by managing risk holistically throughout the credit union.
The main focus of ERM is identifying, assessing, mitigating, measuring, monitoring, and communicating risk. This includes operational, transaction, compliance, third-party, credit, strategic, reputation, cyber, and concentration risk.
Vendor management (also known as Third-Party Risk Management) is one aspect of ERM. It’s the ongoing process of overseeing third-party vendor and fintech relationships to weigh, assess and limit the potential risks of these relationships and decide whether a relationship falls within the credit union’s risk tolerance.
How do ERM and vendor management work together?
When a credit union partners with a vendor, fintech, or consultant, it takes on risk. From the perspective of regulators and the public, there is no difference between a credit union and a third party it hires to provide a product or service. If that partner makes a mistake, it reflects poorly on the credit union and can also damage the credit union financially.
These risks include:
- Compliance risk: Failure to follow federal or state regulations
- Cyber risk: Data breaches or service disruptions caused by weak security controls at the vendor
- Reputation risk: Mistakes that bring negative attention
- Operational risk: Failure to deliver products or services as promised
- Fourth-party risk: When the vendor's own vendors and subcontractors pose a risk that the credit union has no direct contract with or visibility into
- Strategic risk: When the vendor (and the activity your institution is undertaking with that vendor) prevents your organization from achieving its goals.
Vendor management looks at these risks from the point of view of the vendor relationship from cradle to grave. It assesses a vendor’s cyber controls and disaster recovery plans—not those of your institution. It looks at how vendors keep up with and comply with regulatory change. It doesn’t take stock of your own compliance management system (CMS). It reviews consumer complaints about vendors, not your institution at large.
ERM takes the big picture view. It’s how a credit union implements controls, including policies and procedures, to ensure risk is managed throughout the institution—from strategic planning to daily operations. It touches every department and business line, covering areas ranging from business resiliency and operational risk to compliance and strategic risk (or the risk that the credit union won’t meet its strategic objectives).
ERM is a team sport that relies on vendor management. The data from vendor management helps the credit union understand its total risk exposure—from the impact on the credit union’s business continuity plans and its IT security and privacy to compliance and reputation risk.
Do you need an ERM solution if you have a vendor management solution?
Some credit unions think they don’t need an ERM solution if they already have a vendor management program—and vice versa—but that’s a mistake.
While both ERM and vendor management address risk, vendor management is dedicated to the vendor management lifecycle. This includes:
- Planning for a relationship: Understanding why outsourcing makes strategic sense and what the potential risks are, including whether the vendor would be critical to the credit union's operations.
- Due diligence and third-party selection: Collecting and analyzing due diligence documentation from and about potential vendors to find a vendor that aligns with the credit union’s risk tolerance.
- Contract negotiation: Negotiating pricing and terms, including controls that will give your credit union the insights needed to successfully monitor and assess the relationship.
- Oversight and accountability: Assigning responsibility for the relationship to someone at the credit union and, if needed, getting board approval of the contract and reporting on vendor activities.
- Ongoing monitoring: Reviewing due diligence documentation and engaging in cyber monitoring to ensure vendor controls remain effective.
- Termination: Ending the relationship in an orderly way, including the return or destruction of the credit union's data and the transition of the service to another provider or back in-house.
While vendor management includes elements of ERM (such as risk assessments, monitoring, and reporting), a vendor management program is more specialized. It includes functions such as:
- Contract management: The process a financial institution uses to organize and oversee third-party vendor contracts and agreements. A good contract management system creates value by keeping contracts accessible, tracking key dates such as renewals and notice periods, and making it easy to identify important contract terms, including cost and performance expectations.
- Vendor risk assessments: Different vendors require different levels of due diligence depending on their access to sensitive data and their potential for having a material impact on your institution. Vendor risk assessments help identify critical (or high-risk or tier 1) vendors that require enhanced due diligence. They also help identify and evaluate concentration risk, such as several critical services depending on a single vendor.
- Vendor onboarding: Long before a new vendor joins the fold, there need to be discussions about why outsourcing is needed and what a good vendor looks like. Vendor management requires a step-by-step process for vendor onboarding.
- Due diligence document collection and analysis: Vendor management requires collecting and reviewing vast amounts of due diligence documentation. A good vendor management program has the tools to ensure all the necessary documents are collected and can help analyze pages of legalese to understand what they mean.
Conclusion: Vendor management is one element of a good ERM program
ERM is not just about managing risk. It’s about applying the knowledge to make better strategic decisions and more effectively reach goals and objectives.
Vendor management provides insights that feed into a credit union’s overall ERM program by helping the institution identify, assess, manage, and mitigate the risk posed by third-party vendors, partners and fintechs. It’s one essential piece in the ERM puzzle.
As the NCUA takes a closer look at third-party vendor relationships, now is the time to start ensuring your credit union’s ERM and vendor management programs are strong.