July 2015 SAFE Newsletter
Going Beyond Compliance with Vendor Management
Managing vendors has been a standard practice in the Financial Services industry because of the highly sensitive data that financial organizations hold and their growing reliance on third-party service providers. Sarbanes-Oxley, the Gramm-Leach-Bliley Act, Dodd-Frank and other financial regulations all agree: third-party service relationships involving key functions of the financial organization and/or its critical data must be properly managed to ensure that third-party access to highly sensitive information is secure, that information is protected once in the hands of the vendor, and that service levels are met.
One approach to vendor management is to contract with third parties in order to address departmental compliance requirements while also gaining some commercial benefit and maintaining acceptable service levels (the compliant approach). A more strategic approach is to select vendors that not only address a compliance requirement but can also benefit other parts of the organization. This strategic approach goes "beyond compliance" and begins to evaluate vendors on their overall value versus the risk they pose to the financial organization. A strategic "beyond compliance" approach to vendor management can increase operational efficiency and enhance the value of third-party services, which in turn can produce greater long-term cost savings and, potentially, collaborative or even joint efforts to develop service and process innovations.
Implementing vendor management at an organizational rather than a departmental level can lead to cost savings, increased security and better vendor relationships. Although a formal Vendor Management Office (VMO) is not always the norm in mid-size organizations, it is a good idea to apply the principles of a VMO framework when defining a vendor management program for your business. Some of the key operational elements of a solid VMO framework include:
- Governance and Oversight - The financial organization's governance model should provide proper oversight and monitoring of the vendor management program.
- Requirements Definition and Risk Assessment - Financial organizations should evaluate the vendor's ability to meet requirements, assess the risk of doing business with them, use spend analysis to maximize buying leverage, and perform due diligence on vendor activities.
- Service Provider Selection and Due Diligence Classification of Vendors - This element should classify vendors according to their importance and value to the business, and assign resources to manage each vendor relationship accordingly.
- Contracting - All contracts should be centralized and readily available to the appropriate relationship managers within your organization. Contracts should contain provisions that ensure the vendor has the proper security controls in place and that vendor activity can be monitored.
- Monitoring and Reporting Metrics - All service agreements should contain defined qualitative and quantitative metrics to help your organization evaluate the vendor's performance.
- Relationship - The financial organization should continue to develop its relationships with those vendors that perform well and are taking a "beyond compliance" approach, in an effort to reduce risk, improve performance and/or enhance value. Termination procedures should also be clearly defined.
By using the basic elements above to create a centralized vendor management program that incorporates vendor risk into the evaluation, financial organizations can begin to leverage regulatory compliance and operational optimizations to go "beyond compliance" in vendor management.
Utilizing SIEM to Strategically Manage Vendors