I recently conducted a Vendor Management Program Audit and Risk Assessment as a part of our Advisory Services for a midsize financial institution. Performing both gives you a more complete picture of where the institution is at and helps document current state, desired state, gap analysis and create a prioritized road map for a healthier program. This particular institution had buy-in from the top, the business unit leaders understood the importance of the program and communicated it down the chain to their staff and wanted to do the right thing. They use an automated vendor management solution and have several staff to manage it. The vendor management program was not perceived as a roadblock and bottleneck to conducting business as it is at many institutions. No, this institution understood the risks of NOT doing the right thing and also understood the business value of a sound program. Sounds perfect, no? Turns out that they had numerous findings and a high risk profile. Most of their issues can be easily remediated and their risk profile will go from high to low by following the roadmap we provided. Here are just a few of the findings that resulted in their program being high risk:
- While the business unit leaders were knowledgeable, Vendor Due Diligence and Periodic Review requirements were not documented and the type collected was inconsistent and based upon the knowledge of the individual business owner rather than the type of service being provided (vendor categorization/stratification).
- A review of contracts with critical vendors revealed that numerous contracts did not include the right to audit. Most contracts were reviewed by the business unit leaders and while they were knowledgeable of business requirements, the importance of Right To Audit was lost even though their VM policy included it and other key elements that should be included in a contract. Omitting Right to Audit is a huge mistake.
- The most recent SOC reports, BCP’s and DR Test Results collected were 2 years old, and some even older. Current documentation is a MUST!
- DR Test Results were collected but never reviewed. The audit of those documents for critical vendors showed some with DR Test Failures and no retesting nor plan for remediation. Collecting the documents was a checklist exercise without an action plan.
- SOC reports showed the Complementary User Entity Controls (Client Considerations) but nobody at the institution was aware of them and they were never audited. This can be a big issue if the “system” fails and could leave the institution without recourse. Again, collecting the documents was just a checklist exercise without an action plan.
- The 3rd Party Risk Management Supply Chain (4th parties, 5th parties, etc.) for critical vendors was unknown. This topic is a huge area of regulatory focus. Who are the sub-service providers that are engaged to provide a material function of the service?
- Formal Outsource Planning did not take place. Request the Outsource Planning Worksheet that we send to all of our Certified Regulatory Vendor Program Managers (CRVPM‘s).
- Exit Strategy was reactive. The institution had to scramble when a vendor relationship began to fall apart because there was no thought given to exiting prior to engaging a vendor. Exit Strategy should be a key component of Outsource Planning.
As mentioned earlier, the issues shown above and the others that we identified are easily addressable so that the risk profile is lowered. Thus, 1) be sure to Categorize your vendors and ask the proper questions based upon service provided, 2) be sure that CURRENT documentation is collected AND REVIEWED, 3) Engage Legal Council to review contracts, 4) Review the CUE controls in the SOC reports to see what you’re on the hook for and be sure that they are in place, 5) Know who the significant sub-service providers are (4th party, 5th party, etc.) and be sure to contractually require your vendor to identify them as well as explain their own vendor management program to you, 6) Formalize your Outsource Planning Process and Exit Strategy!