5 Keys to an Effective Vendor Management Program

By Randy Coneby, Principal, IT Audit

From specialized projects to ongoing maintenance, financial institutions work with vendors to improve aspects of their operations and deliver products and services to customers. In doing so, these third parties gain access to secure systems and sensitive information, which can expose the financial institution and its customers to risk.

As risk from third party access comes under increasing scrutiny from regulators, leaders of financial institutions must evaluate new vendors thoroughly and continue to monitor them throughout the term of service. A robust vendor management program is critical to building a proactive approach to risk management that can give financial institutions a competitive advantage. Below, we outline the key components needed to build an effective and comprehensive vendor management program.

Board and Senior Management Responsibilities

While ultimate responsibility for vendor relationships rests with the board of directors, it is important to build the proper infrastructure at the senior management or department level for day-to-day relationship management and status reporting. If multiple individuals are responsible for different parts of the process (e.g., contract negotiation, business continuity planning), make sure these roles are clearly defined and supported. Once vendor management responsibilities and the reporting structure are established, formalize them as part of the financial institution’s official policies and procedures.

Risk Assessment

Vendors face the same risks as any other company doing business in the modern digital age. That is why it is essential to assess the risk profile of any third-party service provider before signing an agreement. For the vendors relied upon most heavily, a similar assessment should continue throughout the contract term. Financial institutions should determine the exposure of vendors across all types of risk – strategic, compliance, reputational and security. A vendor risk and responsibility matrix allows a wide range of risk factors to be evaluated in one comprehensive document.

In addition to assessing risk factors, financial institutions should also rank vendors according to their criticality. Criticality is often judged by the degree of exposure to sensitive information, but it should instead be derived from the criticality of the function the vendor provides. In other words, what would the impact be on the bank or its customers if this vendor disappeared tomorrow? Financial institutions are also required to conduct annual performance reviews of critical vendors, so this criticality ranking helps determine which vendors require annual review and which can be reviewed less frequently.

Vendor Selection

Due diligence is a traditional part of the vendor selection process, but financial institutions should make the most of this phase and strive to learn as much as possible about potential vendors, particularly as it relates to risk factors. Dig deeper into financial reports and scrutinize their corporate, financial, legal and regulatory history. Ask references probing questions to get a sense of reliability, transaction volume, track record and industry experience. Site visits provide additional value to the due diligence process, as do examinations of any subcontractors a vendor will be using.

Contract Provisions

The Federal Financial Institutions Examination Council (FFIEC), the governing body responsible for oversight of key federal regulators of financial institutions, outlines common provisions that should be reflected in all vendor contracts. Financial institutions should incorporate them into all contracts, since examiners will be looking at these aspects during audits or regulatory reviews. The common provisions include:

  • Scope of service
  • Rights and responsibilities
  • Security and confidentiality
  • Internal controls
  • Audit and regulatory compliance
  • Subcontracting and performance standards

Another important regulatory aspect to keep in mind is the notification required by the Bank Service Company Act, under which financial institutions must notify federal regulators of any vendor relationship within 30 days of entering into the contract or the service(s) being performed, whichever comes first.

Ongoing Monitoring

As mentioned earlier, ranking vendors by criticality informs the frequency of review required by federal regulators. It also drives the ongoing monitoring that is a critical piece of any vendor management program: vendors with a higher criticality level require more frequent scrutiny than those at the lower end of the risk spectrum.

Monitoring brings vendor management programs full circle, with the individuals responsible for certain vendors or functional areas bringing board members or senior management up to speed with regular and robust reporting. This reporting should also include any audits of vendors (SSAE16 SOC reports) – be sure to review these closely and work with vendors to implement corrective actions as needed.

Armed with a robust vendor management program, board members and senior management can fulfill their regulatory requirements and trust the process to identify the best vendor for the institution and its customers. Financial institutions with questions about implementing a vendor management program or strengthening an existing model should contact RKL Risk Management.