We're still seeing a large number of financial institutions, both large and small, struggling with appropriately sizing their vendor management program. And when I say sizing, I don't mean sizing it to the financial institution. I'm referring to sizing the vendor due diligence to the risk associated with that vendor.
When a bank or credit union doesn't appropriately risk rate its vendors, or doesn't assign due diligence based on that risk, it can run into several issues, specifically in situations where the institution is overdoing it: asking for far too much documentation, or sending a huge questionnaire to vendors that don't pose enough risk to require it.
Any rational person would say, “Well, Chris, why is this a big deal? You're saying they're asking for too much? Isn't that better than nothing? How can you tell someone that they're asking for too much?”
In a perfect world of unlimited resources, I would say you're right, we can afford to make that mistake. But in the real world, i.e. the one we live in, if you don't have enough time, capacity, or people to appropriately perform all of those due diligence tasks, they just won't get done. And that defeats the purpose.
Vendor management is time consuming enough as it is. A program that is inappropriately risk rating vendors, inappropriately performing due diligence on low and moderate risk vendors, or is just altogether too complex becomes a bottleneck. That ultimately leads to failure to provide the oversight the program is intended to deliver.
The other result we tend to find when a vendor management program is too complex is that the purchasing process circumvents vendor management entirely. So by overdoing the vendor management program, we've actually gone backwards.
Technology is moving too fast, this industry is moving too fast, to have the vendor management program be the bottleneck. So, you have to design it in a sustainable way while still managing risk.
How do we do that? Well, we start by getting back to the basics. We start by simplifying the process. And you can always build it out from there if need be. But if your vendor management program is like what I'm describing above, the only way to fix it is to tear it back down and simplify what you're doing.
- Start with a Risk Assessment. It needs to be very simple. For banks and credit unions, the most important question is, "Does this vendor possess customer information?" The next question we need to ask is, "Are they critical to our day-to-day processes?" The remainder basically fall into the category of someone posing additional risk, like auditors and contractors with access to, but not possession of, information, etc.
- Set up appropriate due diligence to mitigate the risks of those vendors. If a vendor has confidential customer information, they should be able to produce evidence of appropriate controls to protect that information. I'm not talking about just a SOC 2 and insurance. This is the full gamut: SOC 2 or alternate questionnaire, disaster recovery plans, incident response plans, insurance, financials, etc. If they're critical to our day-to-day business, it's not so much whether they can protect the information we've given them, but whether they'll be there tomorrow. I want to know about their financial health. I want to know that they have insurance so that if something happens, it doesn't put them under. And the low risk vendors might just get an NDA to sign off on.
- Repeat. Finally, this should be a repeatable process. It should go the same way every time (with exceptions being properly reported). And when you get into that repeatable process, your information governance, your information security team, and your vendor management team all get into a rhythm, and you become more efficient at managing what needs to happen for a new vendor.
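The three steps above (a two-question risk assessment, tiered due diligence, and a repeatable process that reports exceptions rather than skipping them) are easy to encode so that the same vendor always lands in the same tier with the same checklist. The following is an added example written for this post, not code from the author's program or the Simple Vendor Management Program it mentions. The tier names, the evidence labels (such as `soc2_or_questionnaire`), and the requirement that the "access but not possession" tier produce an NDA plus proof of insurance are assumptions chosen for illustration; the sample vendors are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    HIGH = "high"          # possesses confidential customer information
    CRITICAL = "critical"  # essential to day-to-day operations, holds no customer data
    MODERATE = "moderate"  # access to, but not possession of, information (auditors, contractors)
    LOW = "low"            # none of the above


# Evidence each tier must produce before onboarding. The HIGH and CRITICAL lists
# follow the post; the MODERATE list (NDA plus insurance) is an assumption for
# this example and should be tuned to the institution's own program.
REQUIRED_EVIDENCE: dict[Tier, frozenset[str]] = {
    Tier.HIGH: frozenset({"soc2_or_questionnaire", "dr_plan", "ir_plan", "insurance", "financials"}),
    Tier.CRITICAL: frozenset({"financials", "insurance"}),
    Tier.MODERATE: frozenset({"nda", "insurance"}),
    Tier.LOW: frozenset({"nda"}),
}


@dataclass
class Vendor:
    name: str
    possesses_customer_info: bool
    critical_to_operations: bool
    has_access_without_possession: bool = False
    evidence_received: set[str] = field(default_factory=set)
    # Each exception is (waived item, reason, approver) so it can be reported.
    exceptions: list[tuple[str, str, str]] = field(default_factory=list)


def risk_tier(v: Vendor) -> Tier:
    """Apply the post's questions in order: customer data first, then criticality,
    then the residual 'additional risk' bucket, otherwise low."""
    if v.possesses_customer_info:
        return Tier.HIGH
    if v.critical_to_operations:
        return Tier.CRITICAL
    if v.has_access_without_possession:
        return Tier.MODERATE
    return Tier.LOW


def due_diligence_gaps(v: Vendor) -> set[str]:
    """Evidence the vendor's tier requires that has not been received yet."""
    return set(REQUIRED_EVIDENCE[risk_tier(v)]) - v.evidence_received


def record_exception(v: Vendor, item: str, reason: str, approver: str) -> None:
    """Waive one outstanding item, but only with a documented reason and approver,
    so the exception is reported instead of silently skipped."""
    if item not in due_diligence_gaps(v):
        raise ValueError(f"{item!r} is not an outstanding requirement for {v.name}")
    if any(waived == item for waived, _, _ in v.exceptions):
        raise ValueError(f"{item!r} already has a recorded exception for {v.name}")
    if not reason.strip() or not approver.strip():
        raise ValueError("an exception must carry a reason and an approver")
    v.exceptions.append((item, reason, approver))


def ready_to_onboard(v: Vendor) -> bool:
    """True when every required item is either received or formally waived."""
    waived = {item for item, _, _ in v.exceptions}
    return not (due_diligence_gaps(v) - waived)


def summarize(v: Vendor) -> dict:
    """One record per vendor, suitable for the exception report mentioned in the post."""
    return {
        "vendor": v.name,
        "tier": risk_tier(v).value,
        "outstanding": sorted(due_diligence_gaps(v)),
        "exceptions": list(v.exceptions),
        "ready": ready_to_onboard(v),
    }


# Constructed sample vendors, not real institutions or suppliers.
SAMPLE_VENDORS = [
    Vendor("Core processor (constructed)", True, True,
           evidence_received={"soc2_or_questionnaire", "insurance", "financials"}),
    Vendor("Internet service provider (constructed)", False, True,
           evidence_received={"insurance"}),
    Vendor("External auditor (constructed)", False, False,
           has_access_without_possession=True, evidence_received={"nda"}),
    Vendor("Landscaping company (constructed)", False, False),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        print(summarize(vendor))
```

Because `risk_tier` asks the questions in a fixed order, a vendor that is both critical and holds customer data is always rated by the stricter customer-data answer, and `record_exception` refuses to waive anything without a reason and an approver, which is what keeps the process repeatable and its exceptions visible.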
Your business units will be much more confident that their requests for a new vendor won't take eight weeks to complete. They'll be more likely to ask for help. And that's what information security needs to be in any bank or credit union. They need to be viewed as help.
If you can do that, your information security program will be much more effective.
Since this is something we've seen time and time again, we developed our Simple Vendor Management Program to help bring institutions back to the basics.
If you want to download the Quick Reference Guide for that Vendor Management Program, you can get that by going here.