
Vendor program management

Vendor risk is an emerging area of significant focus, especially if that third party plays a critical role in the delivery of products or services to your financial organization or members.

In today’s complex business environment, vendors play a key role in your success. However, relying on vendors can also introduce added risk, and managing these relationships and agreements is important. Regardless of your organization’s size, it is key for management to develop and maintain a thorough understanding of each relationship as well as the risk it carries.

Common risks in third-party vendor relationships are:

  • Compliance/regulatory risk
  • Cybersecurity and information security risk
  • Reputation risk
  • Financial risk
  • Strategic risk
  • Contract/legal risk
  • Fourth-party risk

Having a process to manage the relationships you have directly contracted can help your organization reduce the risks they create. An effective vendor management program should follow a strong process of identifying all the vendors that aid in the delivery of services or products to your organization or members.

Of course, some vendors play a more significant role than others. When outsourcing services, the criticality of the service should be classified. It is important to have a process by which to manage, assess, and mitigate the vendor risks identified along the way.

More vendor program management information

  • A vendor must be compliant with rules, laws, and regulations created and enforced by the regulatory bodies that affect your organization and the financial services industry, in addition to your credit union’s own internal policies. Failure to meet compliance obligations can result in enforcement actions, fines, litigation, and potentially impact your credit union’s reputation.

  • Whether it is the move to remote business operations, an increased digital footprint, or operations remaining online, cybersecurity risks remain a top concern in vendor relations. Cyber events, data breaches, ransomware and malware incidents are becoming increasingly common, and financial institutions, including credit unions, are not immune.

    Cyberattacks that target your vendors and suppliers, and the security incidents they suffer, can also result in direct events at your organization.

    There may be several factors that can create a security risk with your third-party vendor, including poor security practices, compliance violations, application vulnerabilities, malware infections and data breaches.

  • Your vendor’s financial strength, or its ability to manage its debt, could negatively impact your credit union. This may create a ripple effect, impair your institution's ability to meet company goals or obligations, and possibly damage your performance standards. Poor business decisions, inconsistent business practices, or failure to meet stated strategic goals by your third-party vendor can result in financial impact and possible reputation risk to your credit union.

  • Failure to have an organized process or program for vendor management can create or lead to operational issues, missed opportunities, and missed key contract dates (cancellations, renewals) that can cost your credit union time, resources, and money.

    Knowing where contracts are stored and having a strong tracking method for important contract dates can help with building an accurate third-party vendor list and with renewing or terminating relationships in a timely manner.

  • A fourth-party vendor is typically a third party to your vendor. Although the credit union may not have a direct relationship with the fourth party, your vendor has established a direct contractual relationship with that fourth party.

    Managing fourth-party relationships may come with challenges, due in part to the fact that you do not have a direct contractual relationship with that vendor.

    For example, it can be challenging to obtain access to due diligence documents that you need from fourth parties. If your vendors outsource or rely on other vendors to perform services or delivery of products in fulfillment of contractual obligations, it is important to understand which parties have access and how they protect your confidential information.

  • Your vendor’s third-party management program should help you understand what they do and how they monitor their third-party relationships. Every one of your vendor’s vendors, suppliers, subcontractors, or service providers poses a risk to your organization. The more the network expands, the more difficult it may be to manage the risks in your vendor ecosystem.

    It is important to identify and manage services and products provided by fourth parties; conduct proper due diligence on critical fourth parties, as the same vendor may be a part of different third-party networks; assess the different risk areas that fourth parties bring to your ecosystem; and review SOC2/SOC3 reports to understand the control effectiveness of your vendor systems.

  • The NCUA requires credit unions to evaluate, review, and manage third-party relationships. However, simply going through the motions of vendor review and selection is not an adequate process to provide the information you need for proper third-party risk management. Credit unions can reduce their third-party vendor risk profile through the adoption of strong risk management practices throughout the organization. Designing formal third-party risk management governance, staffing trained professionals committed to third-party risk, and developing a standardized process for vendor risk management are just a few ways to help manage third-party risk in your credit union.

    Overall, you should have a tracking and reporting process that actively tracks all contracts and relationships, including start and end dates, renewals, problems or issues, and key terms, and that provides reporting to key stakeholders (board of directors, officer champions, key departments, committees). It is important to provide adequate information on third-party relationships for key persons to review, especially if risks or challenges rise to a level outside of the risk tolerance zone.

    A few critical questions can help you build a strong third-party risk management program:

    • Who will be performing the reviews and reporting? Who is involved, and what are their roles and responsibilities?
    • When will due diligence be collected and reviewed? What documents and information will be reviewed?
    • How significant or critical is this vendor to your credit union? What are the regulatory or other risks involved in this relationship?
    • Is there an approved vendor selection process?
    • How are ongoing monitoring and risk assessments organized or scheduled?
    • Where, or to whom, will reporting go? Are you required to report to the board of directors? (If so, how often?)
    • How are problems/issues identified and documented? Is there a process for resolving them?
    • Does a natural end date or exit plan exist for a vendor relationship? What if the relationship is not going well?

Related resources

Access the Business Protection Resources Center* for exclusive risk and compliance resources to assist with your loss control efforts.

Vendor management risk overview*

Vendor contract risk overview & checklist*

On-Demand Webinar: Vendor Due Diligence Presentation | Recording

RISK Alert: Examining vendor management risks* (03/21/2022)