Pub. 4 2013 Issue 4
www.wvbankers.org West Virginia Banker

Vendor management controls have been discussed extensively over the past few years. The main reason for the increased coverage is banks’ increased reliance on vendors to deliver products and timely services to their customers. With that increased reliance, assessing the risk posed by the key vendors that banks utilize has become increasingly important to the bank’s overall enterprise risk management process. While bank management can delegate the responsibility to complete certain tasks, bank management cannot delegate the accountability for those tasks.

Vendor management has also been a focus area during regulatory examinations. This point was emphasized during a seminar I recently attended that included representatives from various bank regulatory agencies. During one of the presentations, the current top five risks were listed from an audit perspective; one of the items listed was vendor management.

Definition of a Vendor

When vendor management is discussed, outsourced service providers are the vendors typically identified for inclusion in the vendor management process. Historically, the vendors included were the outsourced service providers for core processing services and other important product offerings such as internet banking solutions. With the increased utilization of cloud service providers (e.g. backup, email, anti-virus solutions, patch management solutions, etc.), other outsourced vendors have recently been brought into the vendor management process. In addition, with the increasing migration of payments towards electronic solutions, other contracted vendors could potentially store customer information and/or other sensitive information. In a sense, the vendor becomes an extension of the bank as it relates to the delivery of customer services.
Even if a bank does not outsource key components of its customer service delivery solutions, vendor management is still a critical part of the bank’s overall enterprise risk management process. The bank is relying significantly on vendors for the effective delivery of customer services.

Vendor Management Policy / Program

Bank management should develop a formal vendor management policy. The following areas should be considered when developing a vendor management policy / program:

• Bank personnel responsible for maintaining the policy.
• Address the various risk components that arise when electing to use a vendor to assist in providing customer products and services.
• Due diligence in selecting a vendor.
• Due diligence procedures for existing vendors.
• A reference to the vendor risk assessment process.
• Contractual requirements.
• Assessment and monitoring.
• Insurance considerations.

Other areas that are considered appropriate for your specific environment should also be included when developing a vendor management policy / program.

Vendor Risk Assessment

An important component of the bank’s vendor management process is the completion of a vendor risk assessment. The purpose of the vendor risk assessment is to assist bank management with identifying critical vendors that will require additional assessments and monitoring. Some of the risks to be considered during the vendor risk assessment include:

• Strategic risk – Inaccurate information could result in bank management making poor strategic decisions.
• Reputation risk – Errors, delays or omissions in information technology that become public knowledge or directly affect customers can significantly impact the reputation of a bank.
• Operational and Transaction Risk – Risk that could arise from fraud, error or the inability to deliver products or services, maintain a competitive position, or manage information.
Vendor Management Growing Risk for Financial Institutions
By Chris Joseph, CPA, CISA, CRISC, CITP