Critical Vendors - What to Review
How to review critical vendors.
Learn three questions to ask yourself to determine if your vendors are critical. Then, we'll dive deeper and talk about what you should review on your critical risk vendors.
Welcome to this week’s Third Party Thursday! My name is Dana Bowers and I’m the CEO/Founder and Board Member here at Venminder.
In this video, we’re going to cover the key questions you need to ask yourself about your vendors to determine if they are critical.
First, it's important to separate this from your assessment of the regulatory areas of risk – what we're talking about today are critical vendors, from a business impact standpoint - these are the ones that would stop your business in its tracks if they were suddenly to disappear.
It's important that you define these very early on because you're going to want to handle them a bit differently than other vendors.
So, to determine if a vendor is critical, ask yourself these 3 questions:
- Would a sudden loss of this third party cause a material disruption to my institution?
- Would that sudden loss impact my customers?
- Would the time to recover be greater than one business day or 24 hours?
If the answer to any of these is "yes", then it's a critical vendor.
Let's talk about why critical vendors are so vital. Critical vendors involve significant financial institution activities, which means activities that they:
- Could cause a financial institution to face significant risk if they fail to meet expectations
- Could cause significant issues if errors were made
- Could have significant adverse customer impacts
- They require significant investment in resources to implement the vendor relationship and manage the risk.
Here is a pretty thorough list of the items you should be reviewing on your critical risk vendors:
- Financial Reports: you need to review and evaluate the financial health of the company as an ongoing concern.
- SOCs: you need to analyze the operating controls of a company and determine any gaps between the financial institution and the company.
- Audit Reports: you should ensure the appropriate management of all operating controls and regulatory guidance.
- Policies and Procedures / Scripting: you need to be certain the company has governing controls to comply with regulations.
- Any required licensing and insurance, such as PCI compliance or general liability insurance
- Review Background check and hiring procedures: Ensure the company does background checks on their employees.
- Information Security Policy: Ensure the company has one.
- Business Continuity Plan: Ensure the company has a fully tested plan.
- Network diagram: Ensure the company has thorough documentation.
- Penetration testing results and what they have done to mitigate any potential weaknesses.
- Disclosure of any material litigation: Ensure you know legal background.
Finally, and perhaps most important of all – you need a well thought out and thoroughly tested exit strategy to be sure you have a plan should something unexpected happen. You should even try to include this exit strategy in the contract between your institution and your critical vendors.
The business impact of a critical vendor is something you need to carefully evaluate and plan accordingly. It's important to your institution and to your customers.
Again, my name is Dana Bowers and thank you for watching! If you haven’t already, subscribe to the Third Party Thursday series.
Subscribe to our Third Party Thursday Newsletter
Receive weekly third-party risk management news, resources and more to your inbox.