VendorINSIGHT strives to constantly improve our system to give our customers the most up-to-date and advanced technology. With the new PCM Document Request feature we recently introduced, users can request documents directly from any vendor through the PCM Associations screen. Vendors will receive an email with a link allowing them to upload the requested document. This feature makes it easy for users to collect necessary documentation without the hassle of tracking and sending separate emails. VendorINSIGHT takes pride in serving our customers with a streamlined and simplified VRM process and the PCM Request module is just one of the many ways we continue to do so.
VendorINSIGHT is proud to be a supporter of the CBAO and local banks in our community. This is why we are offering a free luncheon on Best Practices for 4th Party Vendor Management to local banks who attend the CBAO Annual Conference. VendorINSIGHT prepares our customers to handle the current and upcoming changes in the industry. We are proud to offer this event on 4th party vendor management, an issue that is becoming increasingly important. VendorINSIGHT takes the time to listen to our customers and strives to present them with the relevant information they need to succeed.
You asked for it, we made it happen! VendorINSIGHT is very excited to announce that the new User Forum requested at our User Group Meeting is now a feature available as a part of this latest major release. Users are able to ask questions, exchange ideas, and communicate with one another through their VendorINSIGHT program.
Included in this release is Fourth Party Risk Tracking. Assign, track, and add documentation for fourth parties associated with your vendor contracts.
Users of VendorINSIGHT are asked to contact their Program Administrator to enable these and many more features. Not a VendorINSIGHT user but want to learn more about how our risk management software solution is leading the industry? Call today for more information on how VendorINSIGHT may be able to streamline your VRM process while guaranteeing compliance!
If you have not seen the invitation for our annual User Group meeting on May 3rd in Nashville, Tennessee, please let your VendorINSIGHT® Program Administrator know so that we can be sure that you have all the details. Based upon feedback from clients who attended the meeting in Baltimore last year, this meeting was well received and provided an excellent forum for idea sharing among VendorINSIGHT® peer users and the VendorINSIGHT® management staff.
One area within Vendor Risk Management that continues to garner attention from the news media and the Regulators is Cybersecurity practices. From the consulting side of our business, three articles have been published in the last six months providing insight and guidance on IT Risk Management practices specifically aimed at non-technical executives, inclusive of recommended Cybersecurity training for directors and how to prepare for and respond to a data seizure. These can be found at our CMPG website.
In our upcoming meeting, we currently plan to continue on the theme of Cybersecurity education with a presentation on the background and key tenets of Cyber Insurance policies. Please let VendorINSIGHT® know if this is a topic that rings true in your role as the gatekeepers for Vendor Risk Management. We hope to see you in Nashville!
VendorINSIGHT announced the latest updates to our Vendor Risk Assessment and Vendor Performance Scorecard modules earlier this month. The recent changes enhanced the customer's flexibility to update the templates in the platform as desired. We are very satisfied with the positive feedback we've received about the updated modules.
The Vendor Performance Scorecard (VPS) module's redesign will improve usability, allow for increased customization as requested by our customers and accommodate future data trending. The new VPS-2 design provides all of the functionality of the VPS-1 module and provides better flexibility for customization. The survey builder accommodates an unlimited number of questions and continues to track service levels.
We understand that not all of your vendors, suppliers and third parties demand the same attention. Each provider's risk to the institution constantly varies. With the introduction of Vendor Class, customers can configure multiple risk assessment templates that are dependent on each vendor's class or risk to the organization, making the risk assessment multi-level.
On a final note, VendorINSIGHT would like to thank each and every one of our valued customers. 2015 has been a year for the books. We look forward to continuing to please our customers in the years to come.
Last week on November 10th, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook. Information Technology governance and risk management were the key elements of the update. Cybersecurity as an element of Information Security was introduced as an expansion upon the definitions of Cybersecurity for third-party vendors published in February, as a part of the Appendix J addition to the IT Examination Handbook.
Given the expanded focus upon IT Risk Management, and the added requirement of Cybersecurity awareness, VendorInsight® has responded with changes to our standard Vendor Risk Assessment (VRA) and Information Security Questionnaire (ISQ) templates. These changes include validation or denial of cloud-computing within a vendor’s delivery of products or services and validation as to a detailed understanding of the vendor’s Cybersecurity posture.
The revised VRA template will be available for client review in the "About" section of the "Tools" menu on the Client Access Portal on November 20th. The revised sample ISQ template will also be available to clients who have enabled the Vendor Relationship Profile and Policy Compliance (VRP/PCM) modules. Please contact your Program Administrator if you require assistance with updating your VRA master template or if you would like to receive the updated ISQ template.
July 29, 2015 – VRM Pro™ is VendorINSIGHT®’s solution to your vendor management problems. VendorINSIGHT® is the industry leader with extensive consulting and outsourcing expertise in vendor management since 1998. With VRM Pro™ our team will become your vendor management department.
We classify your vendors, rate their criticality, perform due diligence and keep all your documentation up to date. All that you have to do is simply review the results of our analysis and determine whether to accept the risk of the vendor relationship or to mitigate risk through additional controls.
Contact a VendorINSIGHT® representative to learn more about how VRM Pro™ provides Return on Investment benefits and can save your organization time.
April 15, 2015 – VendorINSIGHT® announced today the release of VendorINTEL™, a turnkey vendor management solution for institutions under $1 Billion in assets. VendorINTEL™, powered by VendorINSIGHT®, allows you to monitor your risks and manage vendor relationships while meeting regulatory requirements at a cost friendly price!
The VendorINTEL™ set-up process is easy, allowing potential customers to register an account with a 30-day unconditional, money back guarantee if not 100% satisfied. You can find additional information about the newest VendorINSIGHT® vendor management solution on the VendorINTEL™ website.
Coming on the heels of the business resiliency guidance of third party service providers released in February, the FFIEC issued a press release last Tuesday detailing their focus for the remainder of 2015 on Cybersecurity. This is in addition to the discussion of Cybersecurity Resiliency within the just released Appendix J to the IT Examination Handbook series. The pilot cybersecurity assessment completed in 2014 by the FFIEC with 500 institutions has led them to detail multiple efforts to help the industry self-assess and prepare for cybersecurity threats.
We see three key issues coming from this press release:
1. A cybersecurity self-assessment tool is being finalized to allow FIs to evaluate their own cybersecurity posture. We would predict that once this tool is released, this will become an important future exam element, and will likely need to be integrated into all measures of operational risk measurement, including services received from third party providers, and risk rated within solutions such as VendorINSIGHT®.
2. The press release notes that they are not yet done with guidance as it relates to third parties. Specifically the FFIEC will “expand their focus on technology service providers’ cybersecurity preparedness.” As was addressed with the updates to our software solutions in February on Business Resilience, we would expect continuing updates to our VendorINSIGHT® and BCP-Insight™ solutions to keep pace with best practices and guidance.
3. IT Governance expectations will increase. Per the press release, the FFIEC “will enhance their incident analysis, crisis management, training, and policy development” which likely means this expansion and coordination at the regulatory level will end up in the policy and procedure guidance for deployment within your organizations, and overseen by management and the board.
We applaud the FFIEC for getting this critical element of security and risk to the forefront and leading the key partnering between the public and private sector. We are not surprised, as we had provided earlier commentary in our blog entry in June of 2014. Stay tuned into Channel VendorINSIGHT and we'll keep you abreast of how our systems will continue to evolve to meet these new requirements as they are announced.
The FFIEC recently expanded its guidance by adding an amendment to its Business Continuity Planning handbook. Introducing the concept of "Business Resiliency," there are a number of NEW testing and vendor review requirements that pertain to third parties and outsourced technology service providers that must be included in vendor management programs, risk assessments and vendor profiles.
We anticipated this with the integration of our BCP system to VendorInsight® in January of this year and have already updated VendorInsight® to comply and meet 100% of this new guidance. Many of our customers are using the integrated features of our BCP-Insight™ system and reaping the benefits of this integration.
We expect more updated guidance and prescribed compliance from The Federal Reserve, OCC, FDIC and CFPB later this year and will keep you updated. Stay tuned here.
With release 6.8.0 we've fully integrated our BCP-INSIGHT™ and VendorINSIGHT® systems into a single Enterprise Risk Management (ERM) suite. Look for more important enterprise risk features and services to be introduced in 2015.
With total database integration and crossover matrix user credentialing, our customers can now define roles and workflow that transcend the traditional departmental boundaries to see risks, vulnerabilities and remediation statuses across vendors, departments, and business processes. This is a significant advancement for our solution and a leading capability among industry solutions.
CMPG's patent-pending BCP solution brings the user-friendliness, rapid implementation, and reliability of VendorINSIGHT® to the BCP/DR arena as our competitors continue to struggle to keep up with our rapidly advancing lead in the industry!
In 2014, we grew more than 20% and we expanded our presence with large and medium sized financial institutions as well as with smaller ones and in other industries. We've been swamped and working hard these past few record-setting months! We also successfully introduced four major releases with fantastic workflow features and helpful reporting along with new content management features.
There seems to be a division emerging in the industry right now. At one end of the scale, there are super-large enterprises and Fortune 100 companies looking for large-scale enterprise platforms to manage enterprise risk and vendor/supplier risk all together. We call these the ERM solutions. At the other end of the scale - typically banks below $50B in assets and Fortune 500 to 1000ish companies - customers are looking for sophisticated and complete vendor management systems, without the complexity, cost and enterprise headaches.
This makes sense. On the surface it would seem that an all-in enterprise risk system could save some money, but the ERM players were late to the game with vendor management and are still a ways from catching up. There simply aren't the features, workflow, tools and monitoring services in their systems, and there might never be, because vendor risk management is only one small part of the overall enterprise equation. The reality is that the dedicated vendor management solutions do a much better job, and a much more productive job, of helping customers manage a complex process like vendor management that is already sophisticated, crosses multiple organizational boundaries and requires advanced tools, reporting and workflow. In other words, they're usable and more oriented toward the things vendor management and third party risk management groups need to do.
For the vast majority of the industry, an ERM solution is far too expensive, it saps IT resources and infrastructure, and the learning curve makes it extremely difficult to achieve simplified processes with the productivity needed without hiring additional personnel. So far, the market tells us we're on the right track with our advanced software that can easily be put to effective use by both small and large companies, providing scalability, and our exceptional customer service model that consistently achieves the highest ratings!
We've had several customers convert from other solutions to come over to VendorINSIGHT® and to this day we've still never lost a single customer to a competing solution except in the event of an acquisition by a large company who used a different vendor management system! That is something we're proud of: taking care of and helping our customers the way they need us to.
If you aren't already a VendorINSIGHT® customer we hope you'll become one soon so we can help you and take care of you, too!
We opine so often on vendor management, contract management, process design, regulatory guidance and other topics of interest to our community that it is nice to take a break and stop and simply say: "Thank You and Happy Holidays."
This time of year, we are busy wrapping up a lot of proposals for new customers anticipating a budget for a new vendor management system and for existing customers as they head into 2015 with new and expanded budgets hoping to implement new modules and features. These are like presents! As they unwrap them and begin to see how beneficial our Service Team and our VendorINSIGHT® software can be working together, they smile and are more optimistic about the future.
From the entire VendorINSIGHT® team, we wish all of you and your families a warm and wonderful holiday season.
Not all of your vendors, suppliers and third parties demand the same attention. And the differentiation extends well before you ever do a risk assessment. As we've worked with customers that range from Fortune 500 companies to mid-market companies, we've developed a groundbreaking approach to segmenting vendors and their workflow. If you are interested in learning how enterprise data integration, centralized vendor record keeping and vendor metadata can work together to give you control over your entire vendor list and payees, check out a demo of VendorINSIGHT® and see it in action.
Once again, VendorINSIGHT® is leading the industry in business process workflow and integration to ensure that the ROI on your vendor management system is high. We're excited about Release 6.7 and the control and data centralization it gives our customers. Even our smallest customers are benefitting from this important new feature.
This just in. Pretty interesting stuff. In this latest article posted on Bank Info Security, commentary about a new OCC report suggests that OCC warns of infrastructure risks in banking and notes that fraud as a result of cybersecurity risk isn't necessarily the top priority. Rather, deeper intrusions into banking networks and the payments infrastructure "demand that risk mitigation become a priority." The report goes on to say bankers should ensure that risk management of third-party relationships (aka vendor management) is commensurate with the breadth, complexity and criticality of these arrangements. Reference is also made to the 2013-29 OCC bulletin issued last fall.
What made us really sit up and notice was the following. Aviah Littan, ex-head of NSA, put it bluntly, saying that regulators are going to have to get heavy handed in order to ensure community banks understand the risks and act appropriately. These comments come as more than 500 community banks (up to $10 Billion in assets) are slated to be examined under the FFIEC's new Cybersecurity Risk Assessment program. There's a whole new wave of regulation being formulated around cybersecurity and network vulnerability and we expect it will most definitely impact your third party and vendor risk management program with new requirements. Stay tuned into Channel VendorINSIGHT and we'll keep you abreast of how our system will continue to evolve to meet these new requirements.
A while back, we published a couple of white papers that described the various ways in which VendorINSIGHT® generates a return on investment, or ROI, for customers. We recently updated these numbers based on the current environment and discovered VendorINSIGHT® is generating an ROI of more than 800%! There aren't many investments like that these days. It's nice to know that we can improve the financial performance of our customers by helping them deal with regulatory and risk issues in a more efficient, productive, and automated manner. With VendorINSIGHT®, a lot of our unique monitoring solutions that our competitors don't offer - like our news service and our social media and customer complaint monitoring - create even more value on top of the core vendor management system (VMS).
We did. That's an amazing number and it underscores the importance of vendor monitoring. Without knowing what is going on with your vendors - their financial health, whether they are under regulatory sanctions, or if they have had a data breach - you have no idea how risky they are to do business with. Sure, you may have reviewed their information security controls or assessed their financial strength when you started doing business with them...but things change every day. Financial stability deteriorates, data breaches happen and control audits reveal weaknesses and risks. That's why vendor monitoring is important. Every day we monitor the news and market-based risk for more than 650 industry vendors and issue risk alerts to our customers through the VendorINSIGHT® system. It's just one of the many things that sets VendorINSIGHT® apart.
We see a lot of companies overthink their vendor management program. Inevitably, they end up tangled in a complicated process design. By its very nature, vendor management is a simple process.
The Heartbleed OpenSSL bug fiasco reminds us at VendorINSIGHT why we adhere to best practices when it comes to software development and our web-based software for vendor and contract management. Many customers are wondering whether the recently discovered "Heartbleed" OpenSSL security vulnerability affects VendorINSIGHT. VendorINSIGHT IS NOT impacted.
OpenSSL is an SSL software library used by many web servers to manage SSL encrypted communication to web sites. These web servers are primarily Unix and Linux based web servers, primarily Apache servers. VendorINSIGHT runs on Microsoft Internet Information Server (IIS) which does not use OpenSSL. IIS comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.
Strategic planning isn't just for business. It can also be used as an effective tool to guide the development of your vendor management program. Asking key questions will reveal insights, force you to face realities and help ensure that you anticipate changes that will occur in the future. Some of these questions might be: "What are the biggest threats and risks my vendor management and third party risk management processes face?" or "What resource allocations and succession plans need to be in place to ensure delivery for the future?" or "Do I expect competition to emerge for the risk management services I currently provide for my company?" or "Where do I expect technology to converge to bring me improved productivity in meeting regulatory requirements?"
If you are thinking that vendor management and third party risk management is complicated enough that you have your hands full just keeping up with today's requirements and that strategic planning would be a luxury, you are not alone. VendorINSIGHT, through our office of Client Development, has developed a worksheet that walks customers through the questions they need to ask. This worksheet paints a picture of the complexity, challenges, resources, and trends they will face in the future. It also delivers insights from our industry interactions, customer experiences, and assessment of what the regulators are saying. Completing this exercise can help you communicate to your management team where and when they should expect you to ask for more resources, make additional investments in systems and technology, and how you will develop the existing resources you have so you can be as effective and as efficient as possible.