How to avoid greater risk in your vendor management program
By Rob Foxx, CCBTO
Across sectors, vendor management has always been an area of high risk. Onboarding trusted vendors comes with many benefits that make the lives of many — including bankers — easier. Most companies utilize vendors to offload workloads and transfer areas of risk to another entity. However, this is often where the management of vendors ends.
The process of vendor management usually begins with selection of the vendor. Then, it is critical — especially for essential vendors — to engage in risk assessment and due diligence including monitoring and reporting on a regular basis. Institutions should also review the vendor’s exit strategy during the onboarding process. While it is an aspect that is rarely considered, I encourage bankers to add this topic to the next vendor review.
Many managed service providers (MSPs) would never do wrong by their customers; however, this does not mean banks should trust that nothing will go wrong and leave them to their work unquestioned. If a vendor is touching data or any part of the institution’s environment, bankers need to ensure these actions are tracked and verified. This is especially important where vendors are able to access resources without informing the bank or obtaining authorization, and where vendors utilize subcontractors.
In the last decade, vendor transparency has become the rule, not the exception. Although many vendors are great at reporting, banks should understand that they have both the right and the responsibility to understand the data a vendor reports, or the process used to gather it.
Coming back to the final stage of the vendor management process — the exit strategy. While it can be very difficult to change critical vendors, establishing a process early on will help the institution understand how it is able to get its data back, how long data is held by the vendor, how to properly cancel a contract, and how to ensure a smooth transition to a new service.
Due diligence, contract reviews, monitoring, reporting, and exit strategies are all important aspects of the vendor management process. After all, moving a service to a third party does not neutralize the risk — instead, the risk transfers to the vendor and the bank gains a new risk area in its external arrangement.
Foxx is director – infosec and IT audit services for FIPCO. He can be reached at rfoxx@fipco.com or 608-441-1249.
For more information about FIPCO forms, software, or other products, visit fipco.com, call 800-722-3498, or email fipcosales@fipco.com.
FIPCO is a WBA Gold Associate Member.