A clear and bold header


Posted by CMPG Risk Solutions on Feb 17, 2016 2:36:00 AM

If you have not seen the invitation for our annual User Group meeting on May 3rd in Nashville, Tennessee, please let your VendorINSIGHT® Program Administrator know so that we can be sure that you have all the details. Based upon feedback from clients who attended the meeting in Baltimore last year, this meeting was well received and provided an excellent forum for idea sharing among VendorINSIGHT® peer users and the VendorINSIGHT® management staff.

One area within Vendor Risk Management that continues to garner attention from the news media and the Regulators is Cybersecurity practices. From the consulting side of our business, three articles have been published in the last six months with regards to providing insight and guidance on IT Risk Management practices specifically aimed at the non-technical executives, inclusive of recommended Cybersecurity training for directors and how to prepare and respond to a data seizure. These can be found at our CMPG website.

In our upcoming meeting, we currently plan to continue on the theme of Cybersecurity education with a presentation on the background and key tenants of Cyber Insurance policies. Please let VendorINSIGHT® know if this is a topic that rings true in your role as the gatekeepers for Vendor Risk Management. We hope to see you in Nashville!

Read More


Posted by CMPG Risk Solutions on Dec 30, 2015 2:37:00 AM

VendorINSIGHT announced the latest updates to our Vendor Risk Assessment and Vendor Performance Scorecard modules earlier this month. The recent changes enhanced the customer's flexibility to update the templates in the platform as desired. We are very satisfied with the positive feedback we've received about the updated modules.

The Vendor Performance Scorecard (VPS) module's redesign will improve usability, allow for increased customization as requested by our customers and accommodate future data trending. The new VPS-2 design provides all of the functionality of the VPS-1 module and provides better flexibility for customization. The survey builder accommodates an unlimited number of questions and continues to track service levels.

We understand that not all of your vendors, suppliers and third parties demand the same attention. Each provider's risk to the institution constantly varies. With the introduction of Vendor Class, customers can configure multiple risk assessment templates that are dependent on the each vendor's class or risk to the organization making the risk assessment multi-level.

On a final note, VendorINSIGHT would like to thank each and every one of our valued customers. 2015 has been a year for the books. We look forward to continuing to please our customers in the years to come.

Read More

VendorInsight® Responds to Nov. 10 FFIEC Update

Posted by CMPG Risk Solutions on Nov 17, 2015 2:50:00 AM

VendorInsight_square logo_blk_rbg-3

Last week on November 10th, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook. Information Technology governance and risk management were the key elements of the update. Cybersecurity as an element of Information Security was introduced as an expansion upon the definitions of Cybersecurity for third-party vendors published in February, as a part of the Appendix J addition to the IT Examination Handbook. 

Given the expanded focus upon IT Risk Management, and the added requirement of Cybersecurity awareness, VendorInsight® has responded with changes to our standard Vendor Risk Assessment (VRA) and Information Security Questionnaire (ISQ) templates. These changes include validation or denial of cloud-computing within a vendor’s delivery of products or services and validation as to a detailed understanding of the vendor’s Cybersecurity posture.

The revised VRA template will be available for client review in the "About" section of the "Tools" menu on the Client Access Portal on November 20th. The revised sample ISQ template will also be available to clients who have enabled the Vendor Relationship Profile and Policy Compliance (VRP/PCM) modules. Please contact your Program Administrator if you require assistance with updating your VRA master template or if you would like to receive the updated ISQ template.

Read More

Topics: compliance management, vendor management software, FFIEC


Posted by CMPG Risk Solutions on Jul 29, 2015 2:46:00 AM

July 29, 2015 – VRM Pro™ is VendorINSIGHT®’s solution to your vendor management problems. VendorINSIGHT® is the industry leader with extensive consulting and outsourcing expertise in vendor management since 1998. With VRM Pro™ our team will become your vendor management department.

We classify your vendors, rate their criticality, perform due diligence and keep all your documentation up to date. All that you have to do is simply review the results of our analysis and determine whether to accept the risk of the vendor relationship or to mitigate risk through additional controls.

Contact a VendorINSIGHT® representative to learn more about how VRM Pro™ provides Return on Investment benefits and can save your organization time.

Read More


Posted by CMPG Risk Solutions on Apr 15, 2015 2:43:00 AM

April 15, 2015 – VendorINSIGHT® announced today the release of VendorINTEL™, a turnkey vendor management solution for institutions under $1 Billion in assets. VendorINTEL™, powered by VendorINSIGHT®, allows you to monitor your risks and manage vendor relationships while meeting regulatory requirements at a cost friendly price!

The VendorINTEL™ set-up process is easy, allowing potential customers to register an account with a 30-day unconditional, money back guarantee if not 100% satisfied. You can find additional information about the newest VendorINSIGHT® vendor management solution on the VendorINTEL™ website.

Read More


Posted by CMPG Risk Solutions on Mar 24, 2015 1:52:00 AM

Coming on the heels of the business resiliency guidance of third party service providers released in February, the FFIEC issued a press release last Tuesday detailing their focus for the remainder of 2015 on Cybersecurity. This is in addition to the discussion of Cybersecurity Resiliency within the just released Appendix J to the IT Examination Handbook series. The pilot cybersecurity assessment completed in 2014 by the FFIEC with 500 institutions has led them to detail multiple efforts to help the industry self-assess and prepare for cybersecurity threats.

We see three key issues coming from this press release:

1. A cybersecurity self-assessment tool is being finalized to allow FIs to evaluate their own cybersecurity posture. We would predict that once this tool is released, this will become an important future exam element, and will likely need to be integrated into all measures of operational risk measurement, including services received from third party providers, and risk rated within solutions such as VendorINSIGHT®.

2. The press release notes that they are not yet done with guidance as it relates to third parties. Specifically the FFIEC will “expand their focus on technology service providers’ cybersecurity preparedness.” As was addressed with the updates to our software solutions in February on Business Resilience, we would expect continuing updates to our VendorINSIGHT® and BCP-Insight™ solutions to keep pace with best practices and guidance.

3. IT Governance expectations will increase. Per the press release, the FFIEC “will enhance their incident analysis, crisis management, training, and policy development” which likely means this expansion and coordination at the regulatory level will end up in the policy and procedure guidance for deployment within your organizations, and overseen by management and the board.

We applaud the FFIEC for getting this critical element of security and risk to the forefront and leading the key partnering between the public and private sector. We are not surprised, as we had provided earlier commentary in our blog entry in June of 2014. Stay tuned into Channel VendorINSIGHT and we'll keep you abreast of how our systems will continue to evolve to meet these new requirements as they are announced.


Read More

Vendor Management Expectations Impacted by FFIEC Expansion of Business Continuity Handbook

Posted by CMPG Risk Solutions on Feb 28, 2015 2:39:00 AM


 The FFIEC recently expanded its guidance by adding an amendment to its Business Continuity Planning handbook. Introducing the concept of "Business Resiliency," there are a number of NEW testing and vendor review requirements that pertain to third parties and outsourced technology service providers that must be included in vendor management programs, risk assessments and vendor profiles.

We anticipated this with the integration of our BCP system to VendorInsight® in January of this year and have already updated VendorInsight® to comply and meet 100% of this new guidance. Many of our customers are using the integrated features of our BCP-Insight™ system and reaping the benefits of this integration.

We expect more updated guidance and prescribed compliance from The Federal Reserve, OCC, FDIC and CFPB later this year and will keep you updated. Stay tuned here.


Read More

Topics: FFIEC, Business Continuity

Business Continuity Management System Integrates to VendorInsight!

Posted by CMPG Risk Solutions on Jan 13, 2015 1:31:00 AM

With release 6.8.0 we've fully integrated our BCP-INSIGHT™ and VendorINSIGHT® systems into a single Enterprise Risk Management (ERM) suite. Look for more important enterprise risk features and services to be introduced in 2015.

With total database integration and crossover matrix user credentialing, now our customers can define roles and workflow that transcends the traditional departmental boundaries to see risks, vulnerabilities and remediation statuses across vendors, departments, and business processes. This is a significant advancement for our solution and a leading capability among industry solutions.

CMPG's patent-pending BCP solution brings the user-friendliness, rapid implementation, and reliability of VendorINSIGHT® to the BCP/DR arena as our competitors continue to struggle to keep up with our rapidly advancing lead in the industry!

Read More


Posted by CMPG Risk Solutions on Jan 8, 2015 2:41:00 AM

In 2014, we grew more than 20% and we expanded our presence with large and medium sized financial institutions as well as with smaller ones and in other industries. We've been swamped and working hard these past few record-setting months! We also successfully introduced four major releases with fantastic workflow features and helpful reporting along with new content management features.

There seems to be a division emerging in the industry right now. At one end of the scale, there are super-large enterprises and Fortune 100 companies looking for large-scale enterprise platforms to manage enterprise risk and vendor/supplier risk all together. We call these the ERM solutions. At the other end of the scale - typically banks below $50B in assets and Fortune 500 to 1000ish companies - customers are looking for sophisticated and complete vendor management systems, without the complexity, cost and enterprise headaches.

This makes sense, on the surface it would seem that an all-in enterprise risk system could save some money but the ERM players were late to the game with vendor management and are still a ways from catching up. There simply aren't the features, workflow, tools and monitoring services in their systems and there might never be because vendor risk management is only one small part of the overall enterprise equation. The reality is that the dedicated vendor management solutions do a much better job, and a much more productive job of helping customers manage a complex process like vendor management that is already sophisticated, crosses multiple organizational boundaries and requires advanced tools and reporting and workflow. In other words, they're useable and more oriented toward the things vendor management and third party risk management groups need to do.

For the vast majority of the industry, an ERM solution is far too expensive, it saps IT resources and infrastructure, and the learning curve makes it extremely difficult to achieve simplified processes with the productivity needed without hiring additional personnel. So far, the market tells us we're on the right track with our advanced software that can easily be put to effective use by both small and large companies, providing scalability, and our exceptional customer service model that consistently achieves the highest ratings!

We've had several customers convert from other solutions to come over to VendorINSIGHT® and to this day we've still never lost a single customer to a competing solution except in the event of an acquisition by a large company who used a different vendor management system! That is something we're proud of....taking care of and helping our customers the way they need us to.

If you aren't already a VendorINSIGHT® customer we hope you'll become one soon so we can help you and take care of you, too!

Read More


Posted by CMPG Risk Solutions on Dec 8, 2014 2:08:00 AM

We opine so often on vendor management, contract management, process design, regulatory guidance and other topics of interest to our community that it is nice to take a break and stop and simply say: "Thank You and Happy Holidays."

This time of year, we are busy wrapping up a lot of proposals for new customers anticipating a budget for a new vendor management system and for existing customers as they head into 2015 with new and expanded budgets hoping to implement new modules and features. These are like presents! As they unwrap them and begin to see how beneficial our Service Team and our VendorINSIGHT® software can be working together, they smile and are more optimistic about the future.

From the entire VendorINSIGHT® team, we wish all of you and your families a warm and wonderful holiday season.

Read More


Posted by CMPG Risk Solutions on Sep 27, 2014 2:13:00 AM

Not all of your vendors, suppliers and third parties demand the same attention. And the differentiation extends well before you ever do a risk assessment. As we've worked with customers that range from Fortune 500 companies to mid-market companies, we've developed a groundbreaking approach to segmenting vendors and their workflow. If you are interested in learning how enterprise data integration, centralized vendor record keeping and vendor metadata can work together to give you control over your entire vendor list and payees, check out a demo of VendorINSIGHT® and see it in action.

Once again, VendorINSIGHT® is leading the industry in business process workflow and integration to ensure that the ROI on your vendor management system is high. We're excited about Release 6.7 and the control and data centralization it gives our customers. Even our smallest customers are benefitting from this important new feature.

Read More


Posted by CMPG Risk Solutions on Jun 30, 2014 2:18:00 AM

This just in. Pretty interesting stuff. In this latest article posted on Bank Info Security, commentary about a new OCC report suggests that OCC warns of infrastructure risks in banking and notes that fraud as a result of cybersecurity risk isn't necessarily the top priority. Rather, deeper intrusions into banking networks and the payments infrastructure "demand that risk mitigation become a priority." The reports goes on to say bankers should ensure that risk management of third-party relationships (aka vendor management) is commensurate with the breadth, complexity and criticality of these arrangements. Reference is also made to the 2013-29 OCC bulletin issued last fall.

What made us really sit up and notice was the following. Aviah Littan, ex-head of NSA, put it bluntly, saying that regulators are going to have to get heavy handed in order to ensure community banks understand the risks and act appropriately. These comments come as more than 500 community banks (up to $10 Billion in assets) are slated to be examined under the FFIEC's new Cybersecurity Risk Assessment program. There's a whole new wave of regulation being formulated around cybersecurity and network vulnerability and it we expect it will most definitely impact your third party and vendor risk management program with new requirements. Stay tuned into Channel VendorINSIGHT and we'll keep you abreast of how our system will continue to evolve to meet these new requirements.

Read More


Posted by CMPG Risk Solutions on May 13, 2014 2:15:00 AM

A while back, we published a couple of white papers that described the various ways in which VendorINSIGHT® generates a return on investment, or ROI, for customers. We recently updated these numbers based on the current environment and discovered VendorINSIGHT® is generating an ROI of more than 800%! There aren't many investments like that these days. It's nice to know that we can improve the financial performance of our customers by helping them deal with regulatory and risk issues in a more efficient, productive, and automated manner. With VendorINSIGHT®, a lot of our unique monitoring solutions that our competitors don't offer - like our news service and our social media and customer complaint monitoring - create even more value on top of the core vendor management system (VMS).

Read More

Who Delivered 782 Vendor Risk Alerts Last Year?

Posted by CMPG Risk Solutions on May 5, 2014 2:56:00 AM

We did. That's an amazing number and it underscores the importance of vendor monitoring. Without knowing what is going on with your vendors - their financial health, whether they are under regulatory sanctions, or if they have had a data breach - you have no idea how risky they are to do business with. Sure, you may have reviewed their information security controls or assessed their financial strength when you started doing business with them...but things change every day. Financial stability deteriorates, data breaches happen and control audits reveal weaknesses and risks. That's why vendor monitoring is important. Every day we monitor the news and market-based risk for more than 650 industry vendors and issue risk alerts to our customers through the VendorINSIGHT® system. It's just one of the many things that sets VendorINSIGHT® apart.

Read More

The 5 Most Important Things to Remember When Designing Your Vendor Management Program

Posted by CMPG Risk Solutions on Apr 22, 2014 2:26:00 AM

We see a lot of companies overthink their vendor management program. Inevitably, they end up tangled in a complicated process design. By its very nature, vendor management is a simple process.

Read More

Topics: Vendor management


Posted by CMPG Risk Solutions on Apr 18, 2014 2:44:00 AM

The Heartbleed OpenSSL bug fiasco reminds us at VendorINSIGHT why we adhere to best practices when it comes to software development and our web-based software for vendor and contract management. Many customers are wondering whether the recently discovered "Heartbleed" OpenSSL security vulnerability affects VendorINSIGHT. VendorINSIGHT IS NOT impacted.

OpenSSL is an SSL software library used by many web servers to manage SSL encrypted communication to web sites. These web servers are primarily Unix and Linux based web servers, primarily Apache servers. VendorINSIGHT runs on Microsoft Internet Information Server (IIS) which does not use Open SSL. IIS comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.

Read More

Do You Have a Strategic Plan for Vendor Management?

Posted by CMPG Risk Solutions on Apr 17, 2014 1:58:00 AM

Strategic planning isn't just for business. It can also be used as an effective tool to guide the development of your vendor management program. Asking key questions will reveal insights, force you to face realities and help ensure that you anticipate changes that will occur in the future. Some of these questions might be: "What are the biggest threats and risks my vendor management and third party risk management process face?" or "What resource allocations and succession plans need to be in place to ensure delivery for the future?" or "Do I expect competition to emerge for the risk management services I currently provide for my company?" or "Where do I expect technology to converge to bring me improved productivity in meeting regulatory requirements?"

If you are thinking that vendor management and third party risk management is complicated enough that you have your hands full just keeping up with today's requirements and that strategic planning would be a luxury, you are not alone. VendorINSIGHT, through our office of Client Development, has developed a worksheet that walks customers through the questions they need to ask. This worksheet paints a picture of the complexity, challenges, resources, and trends they will face in the future. It also delivers insights from our industry interactions, customer experiences, and assessment of what the regulators are saying. Completing this exercise can help you communicate to your management team where and when they should expect you to ask for more resources, make additional investments in systems and technology, and how you will develop the existing resources you have so you can be as effective and as efficient as possible.

Read More

Topics: Vendor management, strategic planning, vendor risk management

Who Built Your Vendor Management Software?

Posted by CMPG Risk Solutions on Apr 1, 2014 2:54:00 AM

Do you know who built your vendor management software? It's a funny question and its one that everyone should be asking. We know who built ours.

At VendorInsight® we used to take for granted that our competitors understood vendor management and were true process experts. We often gave them the benefit of the doubt just because they were a competitor and sold a vendor management solution. After a few experiences with new customers who were previously running other vendor management software solutions, we began to realize our assumptions were not true. They weren't getting the help they needed from these companies to continually evolve their vendor management programs and overcome the challenges that every company runs into as their vendor management program grows or as the requirements it must meet expand.

Our history is worth recounting for those who may incorrectly assume the same about us. VendorInsight's web based vendor management software solution was developed and introduced by CMPG, a leading consultancy in banking and financial services, in 2008. Since 1998, CMPG had consulted with Fortune 500 companies, three of the top eight US banks and numerous other financial institutions and companies, helping them build sustainable sourcing and vendor management practices, programs and processes, and training teams of new vendor managers. VendorInsight® emerged as a vendor management software solution built on proven principles of best practices in sourcing, vendor management, contract management and risk management. The initial features in VendorInsight® v1.0 leapfrogged the industry and quickly established VendorInsight® as a premier solution in the industry. This was because our vendor management consultants with decades of real-life leadership and implementation experience were involved in the design process and collaborated with our development team.

Aside from a couple of situations in which our customer was acquired by another company, we have never lost a single VendorInsight® customer - a fact we are very proud of. Our customer retention and high customer satisfaction ratings are metrics by which we measure our expertise, not just our effort, because they are driven by our ability as experts in vendor management to teach, help, coach, and keep our customers oriented toward the success factors for strong vendor management programs and away from the pitfalls and failures of other process designs.

Read More

Topics: vendor risk management, vendor management software

Do I Need to Measure Vendor Performance?

Posted by CMPG Risk Solutions on Mar 11, 2014 1:55:00 AM

A few years ago we were asked by a customer to help them develop some performance metrics for one of their vendor relationships. We helped them establish some inventory and delivery metrics that would measure how well the supplier was supporting a critical part of their business. Our customer's business requirements required some slight changes compared to how the suppliers typically handled business so they were very interested in finding a supplier that could support their needs well. These measures were important to our customer. The competing proposals were close and the vendor's willingness to engage in designing performance metrics that could be tracked was a differentiating factor.

As the data started coming in over the first few weeks there were a few hiccups caused by changes that weren't obvious but were affecting performance - a managerial change here, a software update there. You get the idea. The customer had objective data about the performance level and could approach the supplier so they could collaborate on how to remedy the problem. Our customer even jumped in and offered short term manpower resources one time. Our customer also had some unique subject matter expertise and when they shared this with the vendor the vendor soon adopted this knowledge into their own processes.

Soon the transition performance measures were tracking steadily and it was time to introduce two new performance measures. These would measure different aspects of the vendor's performance and would help our customer attain the strategic objectives they were targeting over the next two years.

This little anecdote illustrates an important point. Managing vendors and their business performance - especially in outsourcing relationships where they are performing critical functions - is as equally important as managing risk. We all know that the risk of a vendor failure is very high but research suggests that the risk of an underperforming vendor relationship is even higher. An underperforming vendor relationship consumes massive amounts of manpower and results in significant productivity losses. Often, inefficient exception management processes consume and overtake the normal process of management-to-goals.

So, what's the good news, you ask. With VendorINSIGHT you can get access to experts that can help you define good performance measures for your vendors and ones that are appropriate for the phase of relationship you are in. With these in place, the VendorINSIGHT system takes care of the rest - delivering the automation and workflow tools you need to capture performance metrics, monitor trend and performance and remediate underperformance. Check out the links below to read about these features and whether they might make sense for you.

Read More

Topics: due diligence, vendor reviews


Posted by CMPG Risk Solutions on Feb 26, 2014 2:32:00 AM

Boy, this theme seems to be coming up a lot these days. We are constantly talking with some percentage of our customers who are suddenly struggling with how to make their vendor management program work. By the time we finish asking them a series of questions, we are glad to know it is not because of our system but rather because their organization hasn't yet embraced the fact that change management techniques are critical success factors for vendor management.

A common scenario is that they began to run into trouble when vendor management got passed off to a successor (an individual or a department) who is left to try and figure out how the program was originally designed to work (i.e., who is supposed to do what) and when the policies either are not clear, or aren't being followed and no one seems to be enforcing them. Another scenario is that they find themselves struggling because vendor management is not overseen by the risk management office and is left to finance, IT or another group who does not have true enterprise authority.

Updating your vendor management program requires good change management which means not only updating your policy but communication, training, accountability, enforcement (especially when contract owners instead of a central VMO group are tasked with completing activities), and executive support. Overlooking these five essential ingredients and not giving vendor management the resources it needs (and the resources the regulators are demanding it have), is setting a course for failure.

Of course, we don't want that to happen! If you find yourself in this situation, come and talk with us. We have a number of process diagrams, policy templates, and some really good advice and counsel from having worked with hundreds of companies that will get you back on track.

Read More

VendorInsider Blog

Insight into Vendor Management Best Practices, Challenges, Solutions and Trends from Industry Insiders

As one of the longest running and most advanced vendor management software solutions, the helpful people of VendorInsight® have a unique perspective on third-party risk, compliance and management.  In the VendorInsider Blog, we share our insights on timely and relevant issues facing vendor managers.  You can subscribe using the button below, or contact us with questions.

Subscribe to Our Blog

Recent Posts

Posts by Topic

see all