Vendor risk management, or vendor management as it’s commonly called, or more accurately, third party risk management in recent years, is the process of fully identifying all of the significant companies that aid in the delivery of a product or service to your organization or to your customers on behalf of the organization. It involves controlling costs, driving service excellence and mitigating risk to gain increased value throughout the deal lifecycle.

1. Create a vendor risk management policy, program and procedures. The policy is a 5-6 page document that broadly outlines the concepts and the structure. This should be reviewed and approved by senior management and the board annually. The program describes in detail the concepts laid out in the policy. The procedures are very detailed and outline the steps you need in order to do every facet of the job. 
2. Identify Vendors:  It’s important that you throw a wide net and look at every company involved in servicing your organization. That sounds easy, but it’s a multi-step process:
   1. What is written in the scope of your program?
   2. Who does Accounts Payable say you’ve paid for a product or service?
   3. Which ones need to be actively managed
3. Confirm the list is accurate: Check with your risk committee and senior leadership to be sure you haven’t missed any and to be sure that there aren’t ones they’re actively terminating. Once you’ve been through this process once or twice, it’s a whole lot easier. 
4. Check the list against your prior list and your program scope. Adjust the actively managed vendor list as needed and be absolutely certain to note the reason for any exclusions (e.g., spend threshold, one-time use, special limited designation by board, etc.).
5. Initial due diligence to assemble the facts. Due diligence must be risk-based and address specifically the type of product or service being outsourced. Generally, the riskier the vendor, the deeper the due diligence.
6. Go through a thorough risk assessment process. Every actively managed vendor requires some level of review – overlooking one may mean overlooking a real risk. 
7. Contract negotiation and management. Be certain you have adequate tracking of your contracts, renewal dates and key terms. 
8. Ongoing due diligence. Your due diligence should continue throughout the vendor
   relationship and have a formal process, a timing that dictates a beginning and end and a schedule for updating based on risk (or contract renewal in some cases). Make sure to be thorough and not just go through the motions but analyze the documents. 
9. Concentrate first on your critical and / or high risk third parties. Prioritize according to the level of risk – that’s what risk based is all about – and make sure you have identified steps to help control those risks in an effort to lower the exposure for your organization.
10. Don't forget fourth parties. As you mature your process, you’re going to need to dig a level deeper and look as well at subservice providers or ones that represent different levels of risk to your subsidiaries. We also call these fourth parties. 
11. Termination. Develop a plan for terminating vendor relationships. It should include notice periods, transition and exit strategies and the return of assets. 
12. Report to your senior management and board. Be certain you have adequate reporting for them to review.

A third party is a company or entity with whom you have a written agreement to provide a product or service on behalf of your organization to your customer or upon whom you rely for a product or service to maintain daily operations. This is your vendor, or also known as your third party vendor. 

A fourth party is your third party vendor’s vendor. It’s one with whom you don’t have a direct contractual relationship.

A vendor risk assessment assists with analyzing new and ongoing vendor relationships in order to gauge the level of risk posed to the organization. A risk assessment evaluates all of the considerations of outsourcing a particular product or service. In essence, your organization is giving up direct control over that product or service and relying on others, so you must understand the risks associated with that decision.

Three reasons include:

• Performing due diligence protects your organization from unnecessary risk
• It's a regulatory expectation and overall sound business practice
• It provides a baseline or standard of minimum requirements needed in order to onboard a new vendor

Two Fundamental Divisions of Risk

First, let's discuss what risk means. There are two divisions of risk:

1. Business Impact Risk – This risk is identified as business reliance. 
   

2. Regulatory Risk – This type of risk is based on the guidance in place which outlines the categories of risk you should consider. For example, OCC Bulletin 2013-29 and Bulletin 2017-7. Due to the guidance, you must formalize questionnaires to assess the level of risk each vendor poses to you.

Rolled up into regulatory risk are numerous categories clearly called out in the guidance (e.g., FDIC FIL 44-2008 and OCC Bulletin 2013-29), including items such as:

• Operational Risk
• Compliance Risk
• Reputation Risk
• Strategic Risk
• Credit Risk

After considering these areas and asking your vendor a set of questions, you will deem whether your vendor is low, medium or high risk. 

3 Questions to Deem Critical vs Non Critical

In addition to level of risk, you also need to determine if a vendor is critical or non critical. That means how important the vendor is to the business for daily function. A way to figure that out is to ask three particular questions. Those are:

1. Would the sudden loss of this third party cause a significant disruption to our business?
2. Would the sudden loss impact our customers/members?
3. Would the time to restore service without this third party be greater than a business day?

If the answer to any of these is "Yes," they are a critical third party. If not, they are not considered a critical third party.

A SOC (System and Organization Controls) report is an independent audit report performed by a certified public accountant (CPA). The report attests to the existence, and for audits over a period of time (Type II), the operating effectiveness of controls specified by the company being audited (your vendor, the service entity).

Basically, the report should tell you if your vendor has a good base of controls in place to safeguard your data, and for Type II reports, whether those safeguards are actually working, based on the scope of the audit determined by the vendor.

Here's some ideas of what to do next:

1. Let’s start with the easiest – if they won’t provide it, document the effort and determine if it’s acceptable.

3. If it’s post-contract, you may have a much more difficult decision. Your best protection at that point may even be to have a call (and document the discussion) with them to see what they can offer as an alternative and what the sticking point is.

4. Get creative – perhaps see if you can have video calls where they would show their financials or business continuity plans but could not record it in any way.

5. Meet the third party to have a meeting to discuss the items they won’t release.

You can’t always get what you want, but you should always ask and document the efforts.

The policy is simply the document that asserts how your company will manage its third parties and the risk associated with outsourcing certain activities. The policy is the foundational document for all third party activities.

The program should build upon each of the key concepts laid out in the policy document and get into more of the “how” and not just the “why”.

A program document is like the owner’s manual for your vehicle. It’s designed to let you get your hands dirty in working on third party risk activities, but not expecting you to be a mechanic (that’s where the Procedures would come in, for the front-line experts). 

The program is designed to be instructive to the lines of business and senior management on each area’s role as it pertains to third party risk management.

Determining the inherent risk and the residual risk of
a third party is a key element of doing a robust risk assessment properly.

Inherent Risk

Think of inherent risk as the level of risk you notice when you first walk in the door, virtually or actually.  It’s just about your first impression – your first glance at their financial statement, your first walk through of the call center, your first review of their compliance activities – these are, admittedly, based on limited knowledge but they should give you a good leading indicator of where the biggest risks are.  

Residual Risk

Residual risk is never higher than inherent risk – if you think it is, then you likely misidentified the inherent risk. The risk when you wander on to the next vendor should never be higher than when you first got there – your impression of the risk should always be equal to or perhaps less than the inherent risk level – otherwise, it’s important for you to go back and determine if you mis-identified the inherent risk or whether the mitigating controls are effective.

A service level agreement – commonly called an SLA – is a key component  of every contractual relationship with  your third parties. 

"An SLA is “an agreement that sets the expectations between the service provider and the customer and describes the products or services to be delivered, the single point of contact for end-user problems and the metrics by which the effectiveness of the process is monitored and approved.” Gartner

The SLA should be developed between your two
companies – the institution and the third party.
Ideally, it will be tailored to the products and services the third party is providing.

Centralized: All responsibility for vendor management rests with a single team, typically the compliance officer or the third party risk management team.

Decentralized: Various lines of business select and work with the vendor directly. This means that vendor risk or compliance may set the rules but rely entirely upon the front-line management to execute.

Hybrid: The vendor management office sets the guidelines and checks the results while working closely with the business units. This model proves particularly effective in larger organizations.

• Required by all of the major regulatory agencies
• Assists in the creation and execution of a set of protocols designed to manage the risk of outsourcing a product or service
• Helps mitigate risk in order to protect your organization and customers
• Ensures you have a set of guidelines in place that the organization must follow regarding contracting with and managing vendor relationships
• Assists with prioritizing vendor oversight by level of risk