Vendors, especially larger companies, often provide numerous different products and services for financial institutions. For example, you may be using one company for your core processing, BSA and compliance mitigation, and information security needs. However, each of these needs is provided through a different product or service. While it is true that the financials will almost always be the same from product to product, due diligence and risk assessment should be performed on the product or service you are using and not just the company. There are a couple reasons for this.
First, due diligence needs to focus on the relationship between the product or service and its parent company. For example, is the product or service consistent with the parent company business strategy? Does the parent company use appropriate controls in the application of the product or service? How much is the vendor spending to develop the product or service, and would they be stable without it? What is the market share for the product or service? Is the SSAE 18 appropriate for the scope of the product or service?
Second, the risks associated with each product or service will differ, and consolidating them within the parent company will provide an inaccurate representation of risk. For example, if you used ABC Company both for your core processor and for your check printing, the risk associated with business continuity and disaster recovery would be completely different. That is, if check printing fails, you may take a small reputation hit, but you could make it for a couple weeks. If core processing fails for two weeks, the damage would be detrimental. Combining those risks into one overall risk would be inaccurate.
Contact Quantivate today to learn more about how our Vendor Management Software and Services can reduce your organizational risks and ensure your vendor management program meets regulatory requirements.