Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Compliance with NCUA Regulations: Vendor Contract and Performance Considerations

5 min read
Featured Image

Monitoring vendor performance is a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) sets the standards for measuring and monitoring vendor performance – detailed in their 2007 supervisory letter SL No. 07-01 Evaluating Third-Party Relationships. Credit unions must be prepared to identify and address vendor performance issues per this guidance. They must also continuously ensure that "profitability, benefit and service delivery" are acceptable.

Vendor Contract Considerations


One of the best ways to ensure effective vendor performance monitoring is by establishing contractual service level agreements (SLAs) with the vendor. Let's explore specific contract considerations.

Credit unions are expected to consult with legal counsel when reviewing potential third-party arrangements and contracts. In particular, third-party contracts should include the following performance topics:

  • Standards: Contractual SLAs should address a vendor's performance standards and measures. Vendors generally offer standard SLAs but they can be a starting point for negotiation between your organizations. Remember that your SLAs should address must-have performance requirements. Examples might include system uptime, data accuracy, defects or error rate, cost savings, etc.
  • Reports: Vendor contracts should include details on performance reports and reporting frequency. Verify that the contract addresses who is responsible for providing performance reports and the required timing and data source. Remember that if your credit union depends on vendor data to evidence performance, there must be a way to periodically audit and validate the data.
  • Penalties: Credit unions should identify the penalties for failing to meet contractual SLAs. Ensure the contract details specific penalties and the maximum number of SLA failures allowed before contract termination.
  • Right to audit: Make sure you include a right to audit clause in the contract, allowing your organization to audit your vendor. This can be beneficial if you need to validate your vendor's performance data, processes, work product or reports.

NCUA Compliance Vendor Contract Performance Considerations

Monitoring Vendor Performance


Once contracts are finalized, the organization can monitor the vendor's performance. Credit unions must ensure they have sufficient infrastructure to monitor vendors effectively. This includes documented policies and procedures, skilled staff and identified methodology for tracking and reporting performance.

There are multiple considerations when monitoring vendor performance:

  • Service level agreements: Has the vendor met all contractual service agreements?
  • Consistency of service delivery: Has the vendor consistently provided products or services in line with contractual expectations and industry standards?
  • Issue management: Does the vendor rapidly address any known issues, providing documented remediation plans and timeframes? Do they meet the timeframes for resolution?
  • Timely communication: Does the vendor inform your organization of material changes in their staffing, management or strategy? Does the vendor proactively communicate issues or new or emerging risks?
  • Partnership and cooperation: Does the vendor promptly respond to your organization's requests? Does the vendor proactively suggest improving service delivery, reducing costs or making processes more efficient?
  • Value of the engagement: Is the benefit of the vendor product or service still worth the measured risks and cost? If not, has the cost/risk-to-benefit ratio changed enough to consider an exit?
  • Trends: By documenting and tracking negative performance over a period of time, the customer can identify trends that may trigger additional actions. For example, multiple negative performance reviews can provide leverage upon the next renewal for better terms, or the validation to consider terminating and replacing the vendor and their product or service.
  • Frequency of performance reviews: There’s no one-size-fits-all, but generally, the higher the inherent risk, the more frequent all monitoring activities should be conducted. One suggestion is quarterly performance reviews for critical and high-risk vendors, with less frequency for moderate and low-risk vendors.

Keep in mind that the value of the engagement may decrease through no fault of the vendor. In some instances, the need for a product or service may diminish or your organization's strategies may change. Even though the vendor is performing and meeting all expectations, the value of the relationship may still decrease.

NCUA Compliance Vendor Contract Performance Considerations

Managing Vendor Performance Issues

Every organization will inevitably encounter a vendor performance issue at some point. It’s important to remember that most performance issues may seem small initially. Still, when left unaddressed, they can grow into significant problems. The best course of action is to address all vendor performance issues right away.

To ensure effective issue management and resolution, credit unions should consider the following:

  • Consistency: A centralized process to create more consistency and an organized way to track and manage vendor performance including any issues.
  • Visibility: Regular reporting provides insight into the frequency, severity and status of vendor performance issues. Furthermore, reporting any performance issues of critical vendors to senior management and the board is a best practice. Regular reporting of vendor performance data can help determine if a vendor should be re-evaluated. It also provides insight into how specific vendors perform across categories, service types or risk levels.
  • Risk mitigation: Monitoring vendor performance can reveal other issues like the quality of the vendor's information security program. Often, vendor performance issues are red flags indicating new or emerging risks in the vendor's risk profile. For that reason, performance issues must never be left unaddressed. Likewise, new or emerging vendor risk issues can impact the vendor's performance, so integrating risk and performance monitoring is recommended. Credit unions should consider using risk monitoring and alert services to support their vendor risk and performance monitoring efforts.
  • Policy: Ensure that "performance monitoring" an activity is included in your TPRM policy in terms of what it will include at a high level, and who will be completing them (e.g. vendor owners). Like any other part of your TPRM program, ensure there are trained staff that can conduct the process and an ability to evidence that process is actually being executed.

Effective performance monitoring starts with the contract. Not only does the contract outline the expectations for both parties, but well-written SLAs also define the standards of must-have vendor performance. Credit unions should ensure that their vendor performance monitoring is not limited to a vendor meeting their SLAs but should also consider how the vendor identifies, communicates, addresses and resolves issues.

Vendor risk and performance are closely related and often interdependent. It’s essential to monitor both to comply with NCUA regulations and protect the credit union and its members against risk.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo