Time Required: 12 hours
CPE Credits: 14 (based on industry-standard 50 minutes/1 cpe credit)
Availability: On demand from any location, web-based, self-paced eLearning course
Curriculum: 5 chapters, each with exams
Prerequisite: CRVPM® Level I
The Certified Regulatory Vendor Program Manager (CRVPM®) Level II expands upon existing concepts from the CRVPM® Level I course and introduces new concepts and content.
The course begins with setting up Lines of Defense, a classic risk management approach to structuring your vendor management program, and how to apply it the basic hub & spoke vendor management structure discussed in CRVPM® Level I. The course then goes on to addresses the five components of the vendor management lifecycle including:
- Outsource Planning
- Vendor Selection/Due Diligence
- Contract Management
- Periodic Review and Oversight
- Exit Strategy
In addition, it also introduces advanced concepts in vendor management and expands upon existing concepts covered in the CRVPM® Level 1 course so that the vendor management professional can continue to expand their vendor management knowledge and augment their program.
Chapter 1 – Lines of Defense and Outsource Planning: Setting up Lines of Defense is a risk management best practice that any size institution can implement in order to formalize responsibilities and enhance the checks and balances required to ensure that vendor management policy is complied with (Governance – 2nd line of defense) enterprise-wide. This chapter expands upon the hub & spoke vendor management model to provide a more detailed look at the vendor management structure, process and the responsibilities for each line of defense. Chapter 1 then dives into Outsource Planning and examines the 12 components of the Outsource Planning process.
Chapter 2: Due Diligence/Vendor Selection: CRVPM® Level 1 covered the basic concept and process of conducting due diligence to ensure that the vendor can support the institution operationally and financially (adequate financial strength). CRVPM® Level II examines some specifics of Due Diligence including:
- Vendor Fraud
- PCI DSS Compliance
- Conducting vendor site visits
- Vendor’s business resilience capabilities and Appendix
Chapter 3 – Contract Management: While Guidance provides recommendations on contract structuring, Technology Service Provider contracts frequently leave the institution exposed to a number of dimensions of risk that Guidance never warns you about. Attorneys and those skilled in contract review may help the institution mitigate risk when it comes time to dot the I’s and cross the T’s but if they are not well versed in technology issues then there are a number of exposures to be concerned about. This chapter covers the following exposures that anyone doing business with TSP’s should be concerned about:
- Cyber Security
Chapter 4 – Periodic Review and Ongoing Monitoring: While we know that we need to monitor our vendors on an ongoing basis and conduct periodic reviews in order to assess Controls, Condition and Performance, Chapter 4 discusses setting a baseline for that monitoring and review and the red flags/green flags to look for during the course of the relationship. Included in this chapter are:
- Key Performance Indicators (KPI’s)
- Key Risk Indicators (KRI’s)
- Vendor Value
Chapter 5 – Exit Strategy: Considered as the first step in outsourcing, it is crucial to have an exit strategy prior to even engaging a vendor. There inevitably comes a time when most institutions decide to transition an outsourced service away from their current vendor and either move it to a new vendor or bring it back in house. All too often, this exercise is conducted reactively rather than proactively and leaves the institution exposed to many risks, expenses and legal issues. This chapter covers the following 6 components of a vendor exit strategy:
- Risk Management
- Criticality/Ease of Replacement
- Contract Issues
- Knowledge Base
- Total Cost of Ownership
- Project Planning & Management
Chapter Exams: there are multiple exams throughout the course and a score of eighty percent (80%) must be achieved on each in order to attain the CRVPM® II designation.