The increasing emphasis by regulators on how financial institutions manage vendors and contracts forces many organizations to evaluate their vendor management processes and software tools to ensure that their next audit goes smoothly. However, in today’s economic environment, many institutions must do more with fewer resources to manage their vendor contracts and risks. Failure to manage vendors can lead to greater opportunities for mistakes that ultimately lead to failing an audit.
Below are some tips for successful vendor management:
1. Proper Inventory and Classification: Identify all vendor relationships that exist in the organization. Review each relationship and analyze the criticality of each vendor. Store all your critical data and information in one location for easier access.
2. Perform Due Diligence: Due diligence requires investigation into a vendor’s ability to meet the requirements of the proposed service and an inquiry into the vendor’s financial ability to deliver on its promise. Ongoing due diligence for existing vendors considers the following areas: financial, information security, business continuity, human resources, legal, compliance, operational performance, and reputation. Wherever possible, independent validation of vendor compliance should be collected and reviewed (e.g., SAS70/SSAE16, financials, BC/DR plans, insurance certificates, IS audit, etc.).
3. Do a Regular Risk Assessment: Risk assessment takes into account the importance of business functions to the organization, and analyzes how much risk the vendor has mitigated through its own internal efforts. You should mitigate the risk of continuing to do business with high-risk vendors.
4. Contract Management: A strong contract with a significant vendor is essential to properly maintaining a long-term relationship with the vendor. Even relationships with vendors that provide low-risk services should be documented in simple contracts.
5. Ongoing Supervision and Monitoring of Vendors: Monitoring and supervision should include an ongoing review of the vendor’s financial condition, policies, internal controls, and ability to meet its obligations. Doing this increases accountability and transparency between your organization and all vendors.