Red Flags within Your Vendor’s BCP | VendorInsight®

Posted by Rachel McKenzie on Jun 3, 2019 11:14:38 AM

Red Flags within Your Vendor’s Business Continuity Plan

Significant events, including natural disasters and massive cybersecurity breaches, will impact not only your vendor’s operations but yours as well. Your data could be lost, your processes could be slowed or stalled, and your reputation could be hurt. To protect your organization and stay proactive, you need to understand a vendor’s Business Continuity Planning (BCP) and Disaster Recovery (DR): the processes by which they create systems of prevention and recovery to deal with potential threats.

To do so, your organization should be reviewing the vendor’s BCP annually as part of your ongoing monitoring after you’ve selected and contracted with them, to determine if there are any concerning red flags. But what would be considered a red flag?

Read More

Topics: vendor reviews, Cybersecurity, Business Continuity, BCP, Experts, RTO, RPO, Business Continuity Plans, Recovery, Breaches, Disaster Recovery

Handling Problematic Vendors | VendorInsight®

Posted by Rachel McKenzie on May 17, 2019 9:22:05 AM

How to Handle Problematic Third-Party Vendors

Many companies rely heavily on third-party vendors to help meet both contractual obligations and consumer demand. With such business relationships, however, comes the potential for risk from disruptive natural and human-made events.

Even the most reliable vendors can suddenly and unexpectedly perform poorly, causing a previously healthy and mutually beneficial relationship to head south. When faced with such a dilemma, what can be done to fix a problematic vendor’s performance? And at what point is the decision made to terminate a relationship with a vendor?

Read More

Topics: Third-Parties, monitoring, vendor performance reviews, Risks, Reputation, penalties, brand, suppliers, SLA, Problematic Vendors

What Vendor Oversight You Should be Performing | VendorInsight®

Posted by Rachel McKenzie on May 10, 2019 10:21:32 AM

How Much Vendor Oversight Should Your Company be Performing?

It’s a common practice for enterprises to conduct due diligence on any prospective third-party vendor. But why do so many organizations fail to regularly evaluate their existing vendors?

A poorly managed vendor oversight program can be a point of pain for any institution hoping to function smoothly and efficiently. Without a consistent program for managing vendor risk, banks and financial institutions in particular face non-compliance with government regulations. This not only poses financial risks but can also diminish a company’s reputation.

Read More

Topics: Third-Parties, vendor risk management, risk alerts, compliance, Audits, vendor, oversight, regulation, monitoring, regulators, vendor performance reviews

Tracking 4th Party Vendors | VendorInsight®

Posted by Rachel McKenzie on Apr 19, 2019 8:21:48 AM

The Importance of Fourth-Party Vendor Tracking

Third-party vendor breaches are on the rise, but what about fourth-party risk? A fourth party is a subcontractor to your vendor: someone your vendor relies on or subcontracts to. As your vendors outsource and subcontract critical activities, the effectiveness of your vendor, and the risk to you, increasingly depends on fourth parties.

They go by a lot of names, including providers and strategic partners, and can provide bill pay, mobile banking, core processing, legal or other services.

Read More

Topics: fourth party, risk management, vendors, subcontractor

VendorInsight® Performs On-Site Vendor Visits | VendorInsight®

Posted by Rachel McKenzie on Apr 5, 2019 9:01:15 AM

Let VendorInsight® Perform Your On-Site Vendor Visits

Vendors are increasingly important for banks as they can perform consulting, process transactions, reduce costs and implement controls, all while directing your focus to core business functions and objectives. How many of your bank’s products depend on multiple vendors? How many of your vendors are managing your customers’ private data? For these reasons, regulators have been demanding that banks keep closer tabs on their relationships with third-party vendors.

Read More

Topics: Collaboration, SaaS, VendorInsight, On-site Visit

The Hassle of Hiring a Vendor Manager | VendorInsight®

Posted by Rachel McKenzie on Mar 22, 2019 8:57:20 AM

Is Hiring a Vendor Manager Worth the Hassle?

Whether managing risk in one department or throughout the enterprise, analyzing and selecting the best vendor at the right price, delivered in a timely fashion, is a critical part of the risk management process.

That’s where vendor managers come in. A vendor manager facilitates the relationship between their business and its vendors while meeting contractual obligations and compliance.

Read More

Topics: vendor management outsourcing, SaaS, Vendor Manager, VendorInsight, Lower Costs

Similarities Found Between VendorInsight® and Green Icebergs in Antarctica | VendorInsight®

Posted by Grant Karnes on Mar 15, 2019 10:13:55 AM

Similarities Between VendorInsight® and Green Icebergs in Antarctica

Icebergs are normally blue, but a few Antarctic icebergs are green, and scientists may know why. These icebergs contain high levels of iron and may have a greater purpose. As the green icebergs float out into the ocean and melt, they deliver the iron to phytoplankton, which benefit from it as a nutrient.

Read More

Topics: risk management, Collaboration, Scalability, SaaS, Big Iron

Delivering VRM Solutions | VendorInsight®

Posted by Rachel McKenzie on Mar 13, 2019 11:47:53 AM

Delivering Vendor Risk Management Solutions

In the current economic climate, risk management is more important than ever. Companies only beginning to develop risk management programs haven’t yet realized the potential benefits of a structured solution for managing vendors. These include reducing costs and risks while creating a competitive advantage over organizations that aren’t managing their risk.

Read More

Topics: vendor risk management, Cybersecurity, board members, risk assessment, Transparency, Automation, Collaboration, Return on Investment, Stability, Scalability, C-Suite

ROI on Automated Vendor Management | VendorInsight®

Posted by CMPG Risk Solutions on Feb 28, 2019 8:52:44 AM

7 Ways Automating Your Vendor Management Can Deliver ROI

Without a structured vendor management solution, your company is probably losing money every year by overspending on contracts with third parties. The solution is to optimize your vendor spend and reduce the amount of staff time spent on management. More and more companies are doing this by automating their vendor management, with options including web apps and cloud-based solutions that can handle most, or all, of these tasks with a unique set of features.

Read More

Topics: Third-Parties, due diligence, risk management, risk management simplified, Configurable, Transparency, Automation, Collaboration, Return on Investment, Audits

Software User Groups Matter | VendorInsight®

Posted by CMPG Risk Solutions on Jan 30, 2019 3:45:53 PM

Why Having a User Group Matters

Have you ever wished that a piece of software could be updated and tailored as your organization’s needs change? Most industries today are constantly evolving as technology is accepted and integrated. This is why choosing a vendor management software tool that has a user group is so important. User groups provide valuable insight into customer needs and improve the software for everyone involved.

Read More

Topics: vendor reviews, vendor risk management, Configurable, User Groups, Conference

Custom Vendor Management Reports | VendorInsight®

Posted by Ryan Fox on Jan 17, 2019 10:07:08 AM

Custom Reports: If You Collect Data on It, You Can Create a Report for It

No two companies are exactly alike – in the way they operate or in the way they manage their vendors. The same is also true of a company’s reporting needs. One leadership team may have a different priority or consider a different metric to be mission critical. Regulatory teams or auditors may ask for data based on their current priorities.

Read More

Topics: vendor reviews, vendor risk management, Configurable, Reports

Market Risk Alerts: The Importance of Monitoring Vendor News | VendorInsight®

Posted by Ryan Fox on Oct 15, 2018 9:45:00 AM

Market Risk Alerts: Why Vendor News Monitoring is Valuable to Your Company

Scouring hundreds of news sites in search of any mention of your vendor companies, or setting up electronic alerts to notify you when a crucial supplier makes headlines, can sometimes seem like a waste of time. Yet, when done right, vendor news monitoring delivers significant value to your organization.

Read More

Topics: vendor risk management, news monitoring, risk alerts

Due Diligence: Plan to Outsource It Next Year | VendorInsight®

Posted by Ryan Fox on Sep 17, 2018 10:04:19 AM

It’s that time of year: prepping budgets for the upcoming calendar year. As you think about your resource allocation, consider outsourcing as an alternative to increasing staff to complete your due diligence review.

Read More

Topics: due diligence, vendor management outsourced

3 Ways to Create a Competitive Advantage with Vendor Management Automation

Posted by Rachel McKenzie on Aug 30, 2018 10:04:51 AM

Organizations often have very few employees working in vendor management, leading to heavy workloads. Manually tracking, monitoring, and reviewing vendors consumes vast amounts of time and resources. About half of financial organizations do not use an automated vendor management platform for tracking and assessing vendors. Adopting an automated vendor management system not only allows organizations to become proactive while easily staying on top of due diligence, but also delivers insight into the effectiveness of your compliance strategy.

Read More

Topics: outsourced vendor management

New Watchword: Subservice Organization

Posted by Jay Fitzhugh on Mar 28, 2018 5:15:14 PM

By now, many organizations have begun to receive control audit reports covering 2017 (SOC1/SSAE18 and SOC2). One element of note is the emergence of subservice organizations, or fourth parties, in reports generated after May 1, 2017.

It is interesting to see underlying providers (fourth parties) revealed within the updated reporting formats. While these new formats intentionally define what is being performed by contracted fourth parties, the disclosure of who is performing these efforts is often not as revealing as we expected or hoped. At times, a fog is placed over the identities of fourth parties; phrases like "industry-recognized third party" or "subservice organization" are inserted in place of the names of the companies to which your vendors have outsourced responsibilities.

Read More

Topics: Insider, Banking, Banks, Vendor management, subservice, control audit, control audit report, SSAE18, fourth parties, fourth party

Use Vendor Management to Stay Competitive

Posted by Jared Howe on Mar 28, 2018 4:45:46 PM

The new tax plan is enabling many banks to invest in technology that helps them be more competitive. Vendor management is leading the way.

At this year's ABA National Conference for Community Bankers (NCCB), ABA President Rob Nichols discussed how banks are already spending based on the savings they'll see under the new tax plan. According to ABA polling, banks are reinvesting their projected tax savings in their employees, customer growth, philanthropic activities, and technology to help them gain a competitive edge. This is going to put pressure on other banks to invest or get left behind.

Read More

Topics: Competition, ABA, Third-Parties, Banking, Tax Plan, Banks, American Bankers Association, ROI, Vendor management


Posted by CMPG Risk Solutions on Dec 22, 2017 1:26:00 AM

New Year, Same Story

The Office of the Comptroller of the Currency’s (OCC) Committee on Bank Supervision (CBS) released its annual operating plan setting forth the agency’s supervision priorities and objectives for fiscal year (FY) 2018 (October 1, 2017 to September 30, 2018). You can find a direct link to the operating plan at the bottom of this post.

New year, new focus, right? New priorities. New objectives. Well… not exactly. If you’re familiar with the OCC’s past FY operating plans, you will likely experience déjà vu reading through the OCC’s FY 2018 operating plan. But just because this plan echoes prior years doesn’t mean it should be disregarded. The OCC hasn’t shifted its focus or priorities much, and that means we shouldn’t either.

Once again, if risk management is the target, third party relationships are at the bullseye. The Midsize and Community Bank Supervision (MCBS) Department for FY 2018 is focused on operational risk. This means assessing information security, data protection, and third party risk management, including risks associated with third party relationships (as defined in the OCC’s Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance”). Specifically, examiners will be evaluating bank management’s plans to respond to increasing operational risk resulting from third party relationships, including outsourcing providers.

Furthermore, midsize and community banks will be assessed on enterprise data governance, including vendor and third party management, which typically influences systems capacity, testing, security, sharing, monitoring, and retention.

One piece of the operating plan that is particularly interesting is the section about service providers, especially the pending evaluation of their interconnectivity and third party risk management. This means that while your bank is being assessed on third party vendor risk management, your third party vendors will be assessed on their own third party vendor relationships (that is, your fourth party vendor relationships). This is likely in response to the SSAE 18 standard for fourth party vendor relationships that went into effect May 1, 2017.

This much is certain: the OCC has expressed, and continues to express, concern about the interconnectivity and interdependency of third party vendor relationships. Banks will need to demonstrate a resilient and well-defined program for identifying, assessing, and managing third and fourth party risk. They will need to be aware of, and proactively working to prevent, any gaps in the planning, due diligence, oversight, and control of their vendor relationships.

FY 2018’s operating plan priorities and focus might not be too different from past years, but that means that if your bank’s vendor management program has slid under the OCC’s radar in past years, 2018 is the year to tighten up your vendor management program before they (inevitably) do come knocking. The best way to ensure you’re in compliance with the latest regulatory guidance? A professional, automated vendor management solution.

VendorInsight® helps banks by providing a centralized, easy-to-use platform for all of your vendor management needs. We give you the tools to help automate your vendor management process and strengthen your program. VendorInsight® due diligence services provide annual updates to your SSAE18/SOC reviews, financial reviews, OFAC verifications and more.

To talk with a VendorInsight® team member about how we can help strengthen your vendor management program in preparation for the OCC’s 2018 examination priorities, follow the link below:

Read More

VendorInsight's VRM PRO Director & Chief Regulatory Advisor Recently Featured in Credit Union Times Magazine

Posted by CMPG Risk Solutions on Sep 20, 2017 2:52:00 AM

"Financial institutions are upping their investments in change programs, and experts say credit unions that ignore this trend could be left in the competitive dust."

Our very own Jay Fitzhugh, VRM Pro Director and Chief Regulatory Advisor for VendorInsight, was interviewed by Credit Union Times Magazine for an article titled "Pouring Money Into Change Programs." Jay was sought for his insight stemming from over 20 years working in the financial world.

To read the full article and what he has to say about change programs for credit unions, follow the link below:

Read More

Single Sign-On (SSO): What it Is, Benefits, and Risks

Posted by CMPG Risk Solutions on Sep 14, 2017 2:22:00 AM

Single Sign-On (SSO) is a service that lets users access multiple applications during a session with only a single set of login credentials (username and password). The goal of SSO is to minimize the number of times a user has to log in at various websites or applications: the user logs in manually at one site or application (called the identity provider, or IdP) and is then logged in automatically, without having to provide credentials again, at one or more other sites or applications (called service providers, or SPs).

In addition to streamlining the user’s working experience, SSO is also helpful on the back end with monitoring user accounts and providing a log of user activities.

There are two single sign-on flows supported by the Security Assertion Markup Language (SAML) v2.0: IdP-initiated SSO and SP-initiated SSO. In IdP-initiated SSO, the user starts at the IdP site, logs in, and clicks a link to the SP site which then initiates SSO.

In SP-initiated SSO, the user starts at the service provider site and, rather than logging in at the SP site, SSO is initiated with the IdP. This works without a prompt as long as the user is already authenticated at the IdP; if they are not, the user will have to enter their credentials at the IdP.

At the end of a user’s session, there are likewise two single logout (SLO) flows: IdP-initiated and SP-initiated. In IdP-initiated SLO, the user starts at the IdP site and clicks a link to log out, which also logs the user out of every SP site with which there is an SSO session.

In SP-initiated SLO, the user again begins at the service provider site. The user clicks a link to log out of the IdP site and is also logged out of every SP site with which there is an SSO session.

While single sign-on is a highly sought-after service because of the convenience it provides users, organizations should also pay attention to the risk it can create for enterprise security. If an attacker gains control of a user’s SSO credentials, they have access to every SP site and application that user has permission to use, increasing the amount of damage they can inflict. It is imperative that a relationship of trust exists between the identity provider and the service providers: each service provider must be able to trust that the identity provider has authenticated the user, and must verify that an assertion it receives actually came from that identity provider and was intended for it.
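The trust relationship described above has a concrete SP-side counterpart: before accepting a SAML response, the service provider checks that the assertion names the expected IdP as issuer, is addressed to this SP's audience, is inside its validity window, and carries a signature. The following Python is an added illustration and is not VendorInsight's code or part of its SAML implementation; the sample response, the entity IDs and the `validate_response` function are all constructed for this example. The signature is only checked for presence here (an assumption; a real SP verifies the XML-DSig with an XML-security library).

```python
"""SP-side SAML 2.0 assertion sanity checks (added example, not VendorInsight code).

A service provider that trusts an identity provider still has to verify that
each assertion really came from that IdP, was meant for this SP, and is being
presented inside its validity window. Signature presence is checked here only
as a placeholder; production code must verify the XML-DSig cryptographically.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed entity IDs for the example IdP and SP (not real endpoints).
IDP_ENTITY_ID = "https://idp.example.test/metadata"
SP_ENTITY_ID = "https://sp.example.test/metadata"

# Constructed SAML response: one signed assertion valid for five minutes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-06-03T15:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-06-03T15:00:00Z" NotOnOrAfter="2019-06-03T15:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC ISO 8601, e.g. 2019-06-03T15:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_issuer, expected_audience, now):
    """Return a list of failure reasons; an empty list means all checks passed."""
    failures = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in Response"]

    # Issuer must be the IdP this SP has been configured to trust.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        failures.append(f"unexpected issuer {issuer!r}")

    # Unsigned assertions prove nothing about who produced them.
    if assertion.find("ds:Signature", NS) is None:
        failures.append("assertion is not signed")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        failures.append("no Conditions element")
        return failures

    # Validity window: reject assertions presented too early or too late.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        failures.append("assertion not yet valid")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        failures.append("assertion expired")

    # Audience restriction: an assertion issued for another SP is not ours.
    audiences = [a.text.strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if expected_audience not in audiences:
        failures.append(f"audience {audiences} does not include this SP")
    return failures


def check_sample():
    """Assertion presented one minute after issue: accepted."""
    now = datetime(2019, 6, 3, 15, 1, tzinfo=timezone.utc)
    return validate_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, now)


def check_sample_presented_late():
    """Same assertion presented an hour later: rejected as expired."""
    now = datetime(2019, 6, 3, 16, 0, tzinfo=timezone.utc)
    return validate_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, now)


def check_sample_wrong_sp():
    """Assertion addressed to a different SP: rejected on audience."""
    now = datetime(2019, 6, 3, 15, 1, tzinfo=timezone.utc)
    return validate_response(SAMPLE_RESPONSE, IDP_ENTITY_ID,
                             "https://other-sp.example.test/metadata", now)


if __name__ == "__main__":
    print("valid:", check_sample())
    print("late:", check_sample_presented_late())
    print("wrong SP:", check_sample_wrong_sp())
```

The three check functions show why each condition matters: the same signed assertion is accepted inside its window, rejected after `NotOnOrAfter`, and rejected by an SP it was not issued for, which is what keeps a compromised or stray assertion from being reused across the service providers that share one IdP.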

VendorInsight supports single sign-on via the SAML v2.0 Assertions, Protocols, Bindings and Profiles as defined by the OASIS standard. For more detailed information, please refer to the SAML v2.0 specification documents at www.oasisopen.org.

To learn more about this feature and how it works within the VendorInsight risk management software, please contact a team member using the link below and we will follow up with you as soon as possible.

Read More

Topics: vendor risk management, single sign-on

Unexpected Results of the FDIC's Recent Evaluation

Posted by CMPG Risk Solutions on Aug 10, 2017 2:34:00 AM

Remember the FFIEC’s 2015 Appendix J addition to the Examination Handbook? The addition covered business continuity planning for your technology service providers (TSPs). Appendix J presented a new standard for TSP contractual requirements—its purpose to strengthen the resilience of outsourced technology services—which regulators expected financial institutions to adopt and implement moving forward.

Moving ahead to 2017, two years after the introduction of Appendix J, regulators performed an evaluation of TSP contracts as they pertain to the third party vendor management responsibilities for insured and supervised financial institutions. The evaluation, which sought to determine the effectiveness of the prior guidance in altering TSP contract terms, focused on cybersecurity readiness and responsibility, and the use of subcontractors (aka your fourth parties).

In response to the findings of their evaluation, the Office of the Inspector General (IG) of the FDIC issued EVAL-17-004. According to the report, the IG “did not see evidence, in the form of risk assessments of contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs may have on the FI’s ability to manage its own business continuity planning and incident response and reporting operations.”

The report went on…

“Typically, FI contracts with TSPs did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights. Contracts also did not sufficiently define key terminology related to business continuity and incident response.”

This is not the outcome any of us would have expected.

As a result, the FDIC Inspector General has laid out a few recommendations. First, the Division of Risk Management Supervision (RMS) of the FDIC must communicate to FIs the importance of fully considering and assessing the risks that TSPs present. FIs must ensure that contracts with TSPs include specific and detailed provisions that address FI-identified risks and protect FI interests. And finally, FIs must clearly define key contract terms that would be important in understanding FI and TSP rights and responsibilities.

In the meantime, it may be wise for your organization to revisit and brush up on the 2015 FFIEC Appendix J addition to the Examination Handbook, and to be aware of the possible implications this report may have for future examinations.

Read More

Topics: vendor risk management, Appendix J, FDIC

VendorInsider Blog

Insight into Vendor Management Best Practices, Challenges, Solutions and Trends from Industry Insiders

As one of the longest running and most advanced vendor management software solutions, the helpful people of VendorInsight® have a unique perspective on third-party risk, compliance and management. In the VendorInsider Blog, we share our insights on timely and relevant issues facing vendor managers. You can subscribe using the button below, or contact us with questions.
