Referrals and Breach Notification Requirements
I've recently been asked whether a financial institution has Breach Notification responsibility in the case where the institution refers customers to vendors such as financial service providers where the institution merely vetted several vendors as a convenience for its customers, has no contract with the vendors, [...]
How Do Your Vendors Stack Up Against Each Other? – VM Thought for 2017
As many of you begin to expand your vendor management programs and elevate their maturity levels, tracking KPIs and KRIs becomes an area of focus. Some of you might even go so far as to track KCIs (Key Controls Indicators). However, in looking at Key Performance [...]
You’re Not Too Small for Multiple Lines of Defense
Classic risk management employs 3 lines of defense. But there's also a possible 4th line when it comes to regulatory issues, specifically vendor management. Please note that I have seen multiple titles that fit the roles below so don't get hung up on the titles. If [...]
No such thing as Vendor Risk!
Alright, so I'm going out on a limb to get some feedback and I hope that those of you reading this will do so. In our advanced Certified Regulatory Vendor Program Manager (CRVPM Level II) course, I note that there has been a great deal of [...]
Are your vendors delivering value beyond just meeting SLA’s? How are you measuring their value?
How do you measure your vendor's value? As vendor management programs mature, we need to understand the value a vendor delivers beyond meeting its Service Level Agreements. While we frequently outsource significant functions (critical and high risk) because a vendor can help us meet our strategic [...]
A Vendor’s Incident Response Plan is Only Half the Story!
When outsourcing services to vendors where sensitive/confidential data or critical services are involved, most of us request some combination of Business Continuity Plan, DR Plan, DR test results and Incident Response Plan. That's only half the battle. Of particular interest is the Incident Response Plan. The [...]