Title: Vendor Risk Management: When Done Right, It's Never Done
Abstract: [ILLUSTRATION OMITTED] SMALL banks seeking to manage risk from vendors and other third parties share something in common with a mom and-pop retail store: They've got to continually take inventory. Eric Holmquist, president of Holmquist Advisory, an enterprise risk management consulting firm, says the key for small banks seeking to better manage risk from vendors is to rank those third parties according to their level of risk and continue to perform due diligence throughout the life of the relationship. It's important to maintain a comprehensive and current inventory of all third parties where you're risk-ranking them based on the criticality of the service they provide along with the level of information that you're exposing to them and developing an appropriate due-diligence process commensurate with the level of risk of each of the vendors, Holmquist says. He adds that many community banks historically have failed to stay on top of their third-party relationships, often because of a lack of manpower and resources. Small banks typically focus on two or three core vendors that pose the most risk due to the important services they provide and the personally identifiable information they have access to, he explains. But those core vendors typically aren't the ones that pose the biggest problems for banks, Holmquist says, because they usually are large enough to have fairly significant control infrastructures and risk management programs. problems typically stem from second-tier vendors that are still critical to the bank but may not be big enough to have adequate risk management infrastructure in place, which creates exposure for the bank. I often say that if you don't have a complete inventory of every third party that has your data, you don't have a vendor management program, Holmquist says. That's the tough-love answer. These inventory pieces sometimes are where we see the biggest problems. If you don't have a good inventory, you're done. rest is meaningless. For an average community bank, if you're really doing proper vendor due diligence, this could very quickly become someone's fulltime job, he explains. That seems very hard to believe for a lot of people, but the process of doing ongoing due diligence with a decent chunk of vendors can be very time consuming. But it's a good thing; it's a good practice. Ana Foster, a vice president and risk and compliance officer at Cambridge Trust Co., a $1.5 billion bank in Cambridge, Mass., says community banks rarely have the resources to dedicate someone solely to managing vendors. Instead, that responsibility often is handled on a part-time basis by a bank employee who has other responsibilities, such as IT. But for small banks that can dedicate an employee solely to third-party risk the investment pays off, Foster says. The most important tool we have is a person who is dedicated to vendor management, she says. And that has put us in a position of having someone who can maintain the expertise on an ongoing basis and also has the time to work closely with the business side who owns the relationship and can work with the vendor or other stakeholders within the bank when necessary. One of the keys to success for our vendor person is that he has a technology background. He understands technology, but he also understands the banking side of it and understands that it's not all about technology. Michele Sullivan, a partner at Crowe Horwath, a public accounting and consulting firm, says many small banks make the mistake of only scrutinizing a vendor at the start of the business relationship, when the bank is determining which vendor to use. Instead, banks should recognize that third-party risk management is an ongoing process that doesn't end until the termination of a contract. Sullivan points to the recent mortgage foreclosure crisis as proof of what can happen when banks don't perform an ongoing evaluation of a third party's business practices. …
Publication Year: 2015
Publication Date: 2015-07-01
Language: en
Type: article
Access and Citation
AI Researcher Chatbot
Get quick answers to your questions about the article from our AI researcher chatbot