Defining the importance of a vendor is important to any financial institution especially credit unions. Oversight and due diligence must be performed on a regular basis, and certainly much more on critical vendors. What group does that make up? Core processors, statement printing companies, check processors. Anything to do with the day-to-day operations. More broadly, any vendor that directly affects you.
As you might imagine, the due diligence conducted on critical vendors will greatly differ from that of other vendors, such as, landscapers and HVAC companies. The purpose of defining the different levels of vendors is to identify the most important risks and dedicating resources to risk mitigation.
Furthermore, we can define the importance of vendor relationships across various types of risk categories, including:
- Strategic Risk
- Reputation Risk
- Operational Risk
- Transaction Risk
- Credit Risk
- Compliance Risk
- Other Risks (liquidity, interest rate, price, foreign country)
Often a risk will expand beyond a single risk category. For example, a vendor providing service for online banking may have exposure to strategic, reputational, operational, transaction and compliance risk.
Understanding the expectations of NCUA examiners regarding vendor management is critical to the vendor management program. Preemptively addressing a concern or check list item on the NCUA AIRES Exam Questions (click the “Third Party Relationships” Tab) will help gauge the direction of the program and reduce negative attention during the credit union examination.
A successful vendor management program will go beyond checking a box to meet a requirement. It should provide valuable insight and understanding of third-party operations. It will provide tools for analysis and decision making. As with many things, what you put into it is what you will get out of it!