Vendor management basics
Let’s face it: every industry relies on third-party technology and service providers to help power its business. This is nothing new; it is a widely accepted business practice. Vendors help deliver products and services that may or may not be the core of your business. In fact, we rely so heavily on some of our key vendors that our business could suffer without them. Think about that for a moment: your business could suffer or fail without them. Do you place too much trust in them, or turn a blind eye to whether what you expect is actually being accomplished? Does your credit union have the proper controls in place to monitor your service providers? Are you monitoring the right things? Do you have KPIs and goals that are measured? Do you receive and understand the reports that provide performance updates? Are compliance requirements being met? Do you conduct audits or risk assessments routinely? Do you have direct access to systems and technology? If the answer to any of these is no, then my question is “why not?”
A few simple standards may help guide you in enhancing or developing a strong vendor management program. Ask yourself:
- Who is the best partner for what our credit union needs? It all starts with scoping and sizing.
- Did we properly vet the vendor and speak to references?
- Do we understand exactly what they will be doing for us and how they will be achieving the objective?
- Did we ask for business and executive reporting that aligns with our goals and KPIs? How often do we have to ask how we are doing?
- Do we have SLAs defined in our Service Agreement? What are the consequences of failure?
- Do we have defined outage and continuity standards? Who is accountable for business loss or failure?
- Do we have written procedures for activities that are performed by our service provider?
- Do we know where our members' personally identifiable information (PII) is stored and how it is destroyed?
- Did we define what is considered PII? (email, IP address, alternate address, passcodes)
- Are compliance requirements being performed? Do we have a written Red Flags program, and do we monitor our vendors for adherence?
- Do we have a written Identity Theft program, and do we monitor as required under FCRA (Subpart J)? The key word here is “written.”
- Do we have written policies and procedures for Identity Theft detection and treatment? Are we monitoring our vendors for adherence?
- Are we involved in the training of third-party call center agents? Do we confirm training is conducted and completed successfully?
- If our vendor is only responsible for one covered account for our member, how do we ensure the relationship is receiving the appropriate updates and treatment if Account Takeover or Identity Theft occurs?
- Is our vendor using adequate risk-based authentication to verify the identity of our members? Have you defined for your vendor partner what is considered low, medium and high-risk activity?
- Do you benchmark your performance across Key Metrics against your peers?
- Is your vendor following your written Customer Identification Program requirements, as required under the Red Flags detection provision of FCRA? Is your CIP program even written into policy?
- Are you providing annual reporting to the board on the effectiveness of your CIP program?
What we often see is “blind trust,” and under some circumstances that may suffice. The items listed above are designed to provoke risk-based thinking. They are merely examples of the common mistakes or risks that are considered acceptable by credit unions but not acceptable across many other industries. We all know that business has an acceptable amount of inherent risk, but are you being responsible and monitoring and measuring the risk impacts that may already be present?
A robust vendor management program should hold the vendor to the same standards that you would expect and deploy if the functional activity were being performed internally. Policies, procedures, reporting and training standards typically mirror or closely resemble what would be present if you were performing the activity yourself. Consider hiring an independent firm that can help you stand up your vendor management program, design the key objectives necessary to measure success, and develop the appropriate documentation and management and executive reporting. Adopting a few simple best practices can go a long way in reducing unnecessary exposure to risk.