Risk

Simple Things to Lower Your Vendor Management Program Risk Profile

I recently conducted a Vendor Management Program Audit and Risk Assessment as a part of our Advisory Services for a midsize financial institution. Performing both gives you a more complete picture of where the institution is at and helps document current state, desired state, gap analysis and create a prioritized road map for a healthier program. This particular [...]

October 20th, 2017 | 3rd Party Risk, Audit, Compliance, Risk, Vendor Management

3rd Party Breaches – Are YOU Reaching Out to Your Customers/Members?

Okay, the Equifax breach wasn't your fault. Neither was the Home Depot breach, Target breach, etc., etc. Thus, the Data Breach Notification regs don't apply to you so you're clear of any responsibility. Or are you? I scoured a couple hundred bank and credit union websites this weekend and found that very few provided any information [...]

3rd Party Code of Conduct as a Contractual Condition for Termination

While most companies have a Code of Conduct for staff, not as many require their 3rd parties to sign such a document. Even fewer include violation of that Code of Conduct as a condition for cancellation of the contract. As we all know, being associated with a 3rd party that has received adverse attention in the media could [...]

September 22nd, 2017 | 3rd Party Risk, Compliance, Governance, Risk, Vendor Management

SSAE 18: A Practical Analysis for 3rd Party Risk Management

I've read a ton of SSAE 18 analyses ranging from comic book style infographics with inadequate, lightweight, poorly explained content to others that are very detailed, well written analyses targeting auditors. I particularly like Ryan Buckner's concise, practical analysis in ACCOUNTING TODAY. In any case, I've had many requests from our Certified Regulatory Vendor Program Managers [...]

March 10th, 2017 | 3rd Party Risk, Audit, Risk, Vendor Management

How Do Your Vendors Stack Up Against Each Other? – VM Thought for 2017

As many of you begin to expand your vendor management programs and elevate their maturity levels, tracking KPIs and KRIs becomes an area of focus. Some of you might even go so far as to track KCIs (Key Control Indicators). However, in looking at Key Performance Indicators (KPIs) and whether your vendors are meeting their SLAs, [...]

December 16th, 2016 | 3rd Party Risk, Risk, Vendor Management

You’re Not Too Small for Multiple Lines of Defense

Classic risk management employs 3 lines of defense. But there's also a possible 4th line when it comes to regulatory issues, specifically vendor management. Please note that I have seen multiple titles that fit the roles below so don't get hung up on the titles. If you're a smaller institution and you wear multiple hats, you [...]

Are your vendors delivering value beyond just meeting SLAs? How are you measuring their value?

How do you measure your vendor's value? As vendor management programs mature, we need to understand the value a vendor delivers beyond meeting its Service Level Agreements. While we frequently outsource significant functions (critical and high risk) because a vendor can help us meet our strategic goals, including doing something better/faster/cheaper, what else are we obtaining [...]

A Vendor’s Incident Response Plan is Only Half the Story!

When outsourcing services to vendors where sensitive/confidential data or critical services are involved, most of us request some combination of Business Continuity Plan, DR Plan, DR test results and Incident Response Plan. That's only half the battle. Of particular interest is the Incident Response Plan. The IRP is certainly something you'd want to review but all [...]

Critical Vendor or Critical FUNCTION?

You have HOW MANY critical vendors?!?!?!?!? I always find the perception of CRITICAL VENDOR to be very interesting. As Certified Regulatory Vendor Program Managers (CRVPM) know, when reviewing vendor management programs we typically see way too many vendors listed as critical, usually for a couple of reasons: 1) either the business unit thinks that their vendors [...]

March 24th, 2016 | 3rd Party Risk, Audit, ERM, GRC, Risk, Vendor Management