We're still seeing a large number of financial institutions, both large and small, struggling with appropriately sizing their vendor management program. And when I say sizing, I don't mean sizing the program to the financial institution. I'm referring to sizing the vendor due diligence to the risk associated with that vendor.
When a bank or credit union doesn't appropriately risk rate its vendors, or doesn't assign due diligence based on that risk, it can run into several issues. The most common is overdoing it: they ask for far too much documentation, or send a huge questionnaire to vendors that don't pose enough risk to warrant it.
Any rational person would say, “Well, Chris, why is this a big deal? You're saying they're asking for too much? Isn't that better than nothing? How can you tell someone that they're asking for too much?”
In a perfect world of unlimited resources, I would say you're right, we can afford to make that mistake. But in the real world, i.e. the one we live in, if you don't have enough time, capacity, or people to appropriately perform all of those due diligence tasks, they just won't get done. And that defeats the purpose.
Vendor management is time consuming enough as it is. A program that is inappropriately risk rating vendors, performing unnecessary due diligence on low and moderate risk vendors, or is just altogether too complex becomes a bottleneck. That bottleneck ultimately keeps the program from providing the oversight it is intended to provide.
The other result we tend to find when a vendor management program is too complex is that the purchasing process circumvents vendor management entirely. So by overdoing the vendor management program, we've actually gone backwards.
Technology is moving too fast, this industry is moving too fast, to have the vendor management program be the bottleneck. So, you have to design it in a sustainable way while still managing risk.
How do we do that? Well, we start by getting back to the basics. We start by simplifying the process. You can always build it out from there if need be. But if your vendor management program is like what I'm describing above, the only way to fix it is to tear it back down and simplify what you're doing.
Your business units will be much more confident that their requests for a new vendor won't take eight weeks to complete. They'll be more likely to ask for help. And that's what information security needs to be in any bank or credit union. They need to be viewed as help.
If you can do that, your information security program will be much more effective.
Since this is something we've seen time and time again, we developed our Simple Vendor Management Program to help bring institutions back to the basics.
If you want to download the Quick Reference Guide for that Vendor Management Program, you can get that by going here.