Credit unions rely on third-party providers to offer specialized services and technology assistance to keep their operations running smoothly and help improve the overall quality and efficiency of their organizations. Vendor management has always been an important issue for credit unions, but with increased scrutiny from the NCUA, they now run a greater risk of being fined for not adequately managing their third-party vendors. In response, many credit unions are looking for ways to more effectively manage their roster of outsourced vendors while protecting themselves from the associated compliance risk.
Here are six steps to more efficiently monitor and manage third-party providers, ultimately strengthening a vendor management program:
- Perform Thorough Due Diligence
The due diligence process ensures that a credit union has a consistent and reasonable approach to vetting its vendor relationships — especially if the vendor is providing a core business function or has access to personal confidential information. It’s not enough to perform due diligence during the initial vetting stage. Conducting diligence throughout the relationship, especially with mission-critical vendors, is essential to avoid being blindsided. Properly vetting and managing vendors will reduce risk for the credit union, while also ensuring all FFIEC and NCUA regulations and requirements are met.
- Develop Consistent Risk Assessment
To properly assess risk exposure for vendors and services, establish consistent criteria to appropriately weigh the risk each poses to the credit union. This will help you grade or designate a level of criticality and risk for each service and each vendor. For example, will a vendor have access to private member data? Will it operate with the credit union's core system? The criticality will have a significant impact on the review process, as a more critical service or vendor will ultimately require more due diligence to be performed.
- Incorporate Vendor Management into the Business Continuity Plan
If a credit union does not thoroughly analyze its vendors as part of the business continuity planning (BCP) process, it opens itself up to the risk of extended downtime. It is crucial for credit unions to know exactly how they are going to recover if their vendor goes down. Business Continuity/Disaster Recovery capabilities should be reviewed to determine if they align with the credit union’s Recovery Time Objectives. Regulators expect and mandate that credit unions have alternative procedures and processes in place in the event of disruption of service from a mission-critical provider.
- Board of Directors Involvement
The responsibility for properly overseeing outsourced relationships and the risks associated with that activity ultimately lies with the credit union’s Board of Directors and its senior management. It is typically the Information Security Officer (ISO), or sometimes the CIO or CTO, who is responsible for communicating with the Board and helping manage the process. In order to effectively communicate the need for comprehensive vendor management to the board, the ISO must first thoroughly understand exactly what examiners are looking for. NCUA’s Supervisory Letter 07-01 is designed to help credit unions better understand and manage the risks associated with outsourcing. This should not be a one-way line of communication. Board members are expected to understand the process and risks clearly enough to provide a credible challenge to the ISO when appropriate.
- Monitor and Control the Vendor Relationship
Proper vendor management is cyclical. Staying abreast of key dates, contract changes, upcoming vendor reviews and contract renewals is an essential step in a vendor management program. Failing to do so can end up costing you significantly, and a poorly handled process adds the burden of inefficiency.
- Implement an Automated Vendor Management Solution
Many credit unions are looking for ways to more effectively manage their outsourced vendors, protect themselves from the risk, and maintain FFIEC compliance. Oftentimes, credit unions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. Moreover, an automated solution helps hold vendor managers accountable to a process that often gets “put on the backburner.” A complete vendor management system also ensures your Board of Directors and management are notified of all of the critical activities and actions required to effectively monitor a third-party relationship, ensuring all risk assessments, controls reviews and documentation are up-to-date.
Leveraging the skills and experience of third-party service providers can help credit unions better meet their members’ needs while accomplishing their strategic goals. Those that implement a solid vendor management program — and actively manage those relationships — will have the greatest level of success.