Vendor program management

A vendor must be compliant with rules, laws, and regulations created and enforced by the regulatory bodies that affect your organization and the financial services industry, in addition to your credit union’s own internal policies. Failure to meet compliance obligations can result in enforcement actions, fines, litigation, and potentially impact your credit union’s reputation.

Whether it is the move to remote business operations, increase of digital footprint, or operations remaining online, cybersecurity risks remain a top concern in vendor relations. Cyber events, data breaches, ransomware and malware incidents are becoming increasingly more common and financial institutions, including credit unions, are not immune.

Cyberattacks that target vendors and suppliers’ security incidents can also result in direct events to your organization.

There may be several factors that can create a security risk with your third-party vendor, including poor security practices, compliance violations, application vulnerabilities, malware infections and data breaches.

Your vendor’s financial strength or ability to manage its debt could be a risk of negative impact to your credit union. This may create a ripple, impact your institution's ability to meet company goals or obligations and possibly damage your performance standards. Poor business decisions or inconsistent business practices or failure to meet stated strategic goals by your third-party vendor can result in financial impact and possible reputation risk to your credit union.

Your credit union may rely on its vendor to meet the terms and conditions of the agreement. Contracts are especially important to be reviewed by your credit union’s counsel prior to execution so that your organization understands the meaning and obligations set forth in each clause. Unfortunately, it is difficult to make changes to the agreement once the contract is signed and executed.

Another area of concern is with risk presented when contractual terms are not met. Problems happen but how a credit union works to resolve these issues is important to minimize the impact. Whether the issue is performance, delivery, or something else, having a process to document, review, and report these vendor issues is important to plan for these risks and work with your vendor to overcome any deficiencies and impacts to your credit union.

The image of your credit union could be damaged in the minds of the public from bad practices or actions of its third-party vendors. These risks may vary from poor customer service, failed delivery of products or services, deficiencies in quality, and security breaches, to name a few.

Your credit union not only owns the contractual relationship with its vendors, it also is responsible for the risk created by vendors.

Failure to have an organized process or program for vendor management can create or lead to operational issues, missed opportunities, and missed contract key dates (cancel, renewals) that can cost your credit union time, resources, and money.

Knowing where contracts are stored and having a strong tracking method for important contract dates can help with building an accurate third-party vendor list and renew or terminate relationships in a timely manner.

A fourth-party vendor is typically a third party to your vendor. Although the credit union may not have a direct relationship with the fourth party, your vendor has established a direct contractual relationship with that fourth party.

Managing fourth-party relationships may come with its challenges due in part because you do not have a direct contractual relationship with that vendor.

For example, it can be challenging to obtain access to due diligence documents that you need from fourth parties. If your vendors outsource or rely on other vendors to perform services or delivery of products in fulfillment of contractual obligations, it is important to understand which parties have access and how they protect your confidential information.

Your vendor’s third-party management program should help you understand what they do and how they monitor their third-party relationships. Every one of your vendor’s vendors, suppliers, subcontractors, or service providers poses a risk to your organization. As the network expands, the more difficult it may be to manage the risks in your vendor ecosystem.

It is important to identify and manage services and products provided by fourth parties; conduct proper due diligence on critical fourth parties as the same vendor may be a part of different third-party networks; assess the different risk areas that fourth parties bring to your ecosystem; and Review SOC2/SOC3 reports to understand the control effectiveness of your vendor systems.

The NCUA requires credit unions to evaluate, review, and manage third-party relationships. However, simply going through the motions of vendor review and selection is not an adequate process to provide the information you need for proper third-party risk management. Credit unions can reduce their vendor third-party risk profile through the adoption of strong risk management practices throughout the organization. Designing formal third-party risk management governance, staffing trained professionals committed to third-party risk, and developing a standardized process for vendor risk management are just a few ways to help manage third-party risk in your credit union.

Overall, you should have a tracking and reporting process that actively tracks all contracts and relationships, including start and end dates, renewals, problems or issues, and key terms, and provide reporting to key stakeholders (board of directors, officer champions, key departments, committees). It is important to provide adequate information on third-party relationships for key persons to review, especially if risks or challenges rise to a level outside of the risk tolerance zone.

A few critical questions can help you build a strong third-party risk management program:

• Who will be performing the reviews and reporting? Who is involved and what responsibilities and roles?
• When will due diligence be collected and reviewed? What documents and information will be reviewed?
• How significant or critical is this vendor to your credit union? What are the regulatory or other risks involved in his relationships?
• Is there an approved vendor selection process?
• How is ongoing monitoring and risk assessments organized or scheduled?
• Where or to whom will reporting go to? Are you required to report to the board of directors? (If so, how often?)
• How are problems/issues identified and documented? Is there a process for resolving?
• Does a natural end date or exit plan exist for a vendor relationship? What if the relationship is not going well?