Who Handles your Vendor Management?

Managing the vendors your financial institution does business with is important but it can be time consuming and a stressful project. Some institutions have decided to let third parties manage the risk assessment and vendor due diligence process rather than do it on their own. Strunk’s Vendor Manager solution makes it easy to do risk assessments, manage contracts and other vendor documents and to obtain necessary annual information to ensure risks associated with vendors you do business with is managed appropriately.

Our program provides: 1) A repository of information on each vendor you do business with and 2) The ability to do consistent risk assessments for each vendor. Maintaining a list of key vendor relationships, contracts, insurance certificates, security policies, and other documentation is critical to vendor management. The tickler system notifies the individual assigned to the vendor when contracts come up for renewal or when other documents are due.

Vendor risk assessments can be a hassle and our solution takes a standard approach to ensure the process is consistent and thorough based on the risk (critical, high, moderate or low) per regulatory guidelines. For critical and high risk vendors additional information is obtained from those vendors to complete the risk assessment.

Vendor Management is imperative at all financial institutions and Strunk’s Vendor Manager Solution may be just what you are looking for. Take back the process from outside vendors or make internal vendor due diligence easy and consistent to manage.

Managing your Vendor’s Service Level Agreements

Vendor Manager automates vendor due diligence, provides a practical framework for deciding which vendors to assess in depth, assesses the risks they present, and monitors their performance.

Defining and managing Service Level Agreements (SLAs) with your vendors is a very important aspect of your Vendor Manger program.  An SLA defines the level of service expected by you from a vendor, laying out the metrics by which that service is measured, and the remedies or penalties, if any, should the agreed-on service levels not be achieved.  Monitoring SLA takes place after the contractual agreement to meet the client expectations is executed. Having a central location to clearly identify, define and review your SLA is critical to your Vendor Manager program.

Being able to create reports to understand where potential problem areas with your vendor’s service that they are providing is key to a quality vendor manger program.  Strunk’s Vendor Manager software has the capabilities to help you manage your vendor’s SLAs and it provides a central repository to track your vendor’s performance to make sure they are meeting your business needs.

Use Strunk’s Vendor Manager to automate a cumbersome process into a well-organized, self-documenting work flow. In addition to tracking the performance against key SLAs, use Vendor Manager to maintain your list of key vendors and associated contracts, to assess the inherent risk presented by each vendor and to complete the annual review of each relationship.

How do you Store Essential Vendor Documents

In today’s environment it is crucial to understand how you are managing your vendor documents.  It is important to know when a vendor needs to send you data or if you are missing documents and also where the documents are located.  Having a centralized repository for your vendor documents will help you become more efficient, organized and increase organizational transparency.

Having the documents that belong to your vendors in one location opens the door for better communication and collaboration.  Linking all of your vendor documents to a central repository that features automatic notifications and reminders helps you achieve better collaborations in your organization.  An important factor in achieving a fast and efficient process is ensuring that everyone has access to the most accurate and up-to-date versions of your vendor document.  Using a software that can eliminate the need for physical filling and cluttered storage will help you become more organized and will eliminate human errors.  Storing your documents in a software will provide your organization the ability to retrieve the vendor documents as quickly as possible.

Searching for misfiled documents can be very frustrating and time consuming.  Using a software as your centralized repository for your vendor documents can reduce the time spent dealing with lost or misfiled documents, thus enhancing productivity and efficiency while allowing team members to perform tasks where their time is better spent.

When all of your vendor documents are in the same place, you have better visibility into that vendor.  Most software offers varying levels of accessibility based on role.  Different team members can have certain rights, permissions and levels of access that may be restricted to others.  Having this in your vendor document repository software allows an audit trail and the ability to track updates with little effort.

Strunk Solution Fall 2020 Features

With Strunk’s most recent release, clients can now utilize new features in Risk Assessor, Policy Manager, Controls Manager, Vendor Manager, Skills Manager and ODP Manager. We’ve been busy!

Risk Assessor now provides the ability to pull multiple bank UBPR Data into one single risk assessment. This will simplify assessments for multi-bank holding companies.

Criteria based auto assignment for reader and editor groups is now available in Policy Manager. Users are able to assign specific documents based on physical location or job title, where assignment of a set of policies and procedures could dynamically change based on these rules. We have also adjusted the way the policy acknowledgement is assigned. Admin users have the ability to request that users read a policy at a configurable number of days in the event that a policy is updated throughout the year, rather than just every 365 days. Users will be notified of necessary policies to review via email.

Controls Manager now supports notification of the group owner rather than simply the control owner. Alerts will be triggered any time a significant change or update is made to a control.

Clients will be excited to see the improvements to Vendor Manager reporting. Users can sort by a customized list of vendor types, vendor risk level and renewal year within all summary reports. Reports will also include whether or not the vendor survey has been completed and if not, what the current status is.

Skills Manager exams have historically been comprised of multiple choice or true false questions. We now support the option to have an open ended comment for specified questions.

Lastly, ODP Manager provides the ability to mark old status codes as inactive or deleted so they no longer show on reports, such as the Status Tracking Report.

If you would like more information on any of Strunk’s new features or products, please contact us at 800.728.3116 or support@strunklp.com.

Ensure Contract Completeness with Strunk’s Contract Review

Having a well written contract with your vendor is a critical aspect in your vendor manager life cycle.  The contract is important as it sets forth the terms and conditions of the relationship with the vendor.  Vendor contracts are legal agreements that clearly set forth the provisions and conditions of the work or services that the vendor provides.  Because the contract is the foundation for the relationship with the vendor, a complete contract review should be done before the agreement is signed.

Strunk has created a Contract Review feature in our Vendor Manager solution to help ensure your contract does not have any gaps and that each provision is understood with clear expectations.  Contract Review will assist in clearly identifying what each party’s role is and who is responsible for each area.  This will prevent any issue between the financial institution and the vendor.  Regulations require that contracts contain key provisions such as confidentiality, service level agreements, and mutual rights and responsibilities.  A thorough review of your vendor contract should be done both prior to signing a new contract and while reviewing existing contracts for renewals.  Strunk’s Vendor Contract Review will help clients address significant risk controls and regulatory compliance within each of their vendors activities.

Are your User Accounts up-to-date?

Part of effectively using Strunk’s cloud-based Governance, Risk Management and Compliance software is regularly reviewing, maintaining, and updating your user records and access. Our software provides your administrators with tools to make this process easier, rather than updating user records one by one. However, admins always have the option to view and change an individual user’s record and access rights.

A list of all users can be exported as a PDF for reporting purposes. In addition to the basic user information, it also includes each user’s roles and last login. To simplify adding new users and deactivating former employees, an automatic User file import can be set up. Once configured, a file containing all current users will be uploaded and processed on a scheduled basis. This allows you to add and deactivate users in a timely manner.

For other maintenance of existing users, admins can export the current user list to an Excel file. Any necessary updates can be made directly in the file and an admin will import the updated file to make the appropriate changes in the software.

Please contact Strunk Support at support@strunkaccess.com with any questions or for training on these helpful features. It is easier than ever before to keep your information up to date.

No better time to implement a Cloud-Based GRC Solution

Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how to protect their employees — as well as their communities as a whole.  In an effort to halt the spread of the virus, many organizations are instituting mandatory work-from-home (WFH) policies, engaging with new cloud service providers, and shifting resources toward supporting an expanding remote workforce.  The fast-moving, global reach of the coronavirus has illustrated that a forward-looking approach to risk management is more important than ever. Having a cloud-based tool that streamlines your compliance process should be in all companies’ future strategic discussions.

Strunk offers many great automated cloud-based solutions tools that streamlines compliance and risk management for our clients.  There are many benefits to these cloud-based solutions, especially in today’s environment where some many employees are working from home.  Our software is simple to implement, easy to access, very flexible and is reliable in terms of backing up data for your employees who are at different locations.  Implementing Strunk’s Risk Assessor, Policy Manager, Issue Manager and Vendor Manager software does not require extra hardware or software.  Implementing these tools can be done while business continues as usual which requires no downtime at all.  Strunk has created a new Version 2 of our Risk Assessor which is available to everyone.  Risk Assessor helps our clients complete risk assessments consistent with appropriate regulatory or standards body frameworks in days, instead of weeks.  Clients are able to upgrade for free from Version 1 to Version 2 and Strunk will help transfer results from your current Version 1 assessments.

Given the current coronavirus pandemic, the need for companies to centralize their policies and vendor management is more critical than ever.  Strunk’s Policy Manager software will organize hundreds of policy documents spread across different computer and file systems into a single editable database. With employees working remote, Policy Manager gives employee access to the companies polices for easy access and with the established review dates the system will remind employees to review the policy and make changes.  Centralizing your vendor manager process with Strunk’s Vendor Manager software will automate the process which reduces administrative burden and save time while giving employees who are working remote access to vendor due diligence, providing a practical framework for deciding which vendors to assess in depth, assessing the risks each vendor present, and the monitoring of each vendor performance.

Also, Strunk is offering additional free web training for our client’s employees.  There is no better time than now to get employees who are new or have changed job responsibilities trained on any of Strunk’s GRC software.

The Importance of Moving away from Spreadsheets for Vendor Management

Over the past several years, regulators have targeted vendor management as one of their top regulatory concerns. With growing dependence on third parties for services,  the need for effective vendor management programs has increased. While regulatory framework for vendor management has been in place for years, the detailed expectations and efficiency have been missing. Most organizations have adopted a vendor management process using spreadsheets – which lacks consistency, efficiency, clarity, effectiveness and oversight.

A software solution will help you move beyond spreadsheets and onto a centralized system that will streamline your process and clarify the procedure for everyone involved. Having an automated system will help you manage your vendors more efficiently. Examiners are looking for programs that have automated contract management and due diligence alerts when documents are nearing expirations and also comprehensive assessments, such as risk and controls assessments. An automated system will manage these processes more effectively and efficiently by creating a consistent workflow that a spreadsheet can’t produce. Additionally, a software solution is a more effective way to manage your vendors because it will reduce likeliness of user errors that spreadsheets can cause by keying mistakes or employees not using the correct spreadsheet because there could be multiple copies that are being saved.

With increasing regulations and demands concerning governance and compliance, companies can no longer risk using spreadsheets to manage third-party vendor polices and procedures. By using a centralized vendor management software system, organizations can simplify and standardize their process, effectively managing vendor risk and relationships, and ultimately saving time and money throughout the entire company.

Technology Service Provider Contracts

Understanding the increase dependence that financial institutions have on technology service providers, bank regulators have increased their efforts to require banks to appropriately handle third-party risk management.  The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners regarding several technology service provider contracts that were inadequate under existing guidance.  These contracts were missing or inadequately addressed key terms, such as:

  • Requiring the service provider to maintain a business continuity plan,
  • Lack standards for data recovery along with appropriate remedies when a recovery standard is missed.
  • Defining key terms in the contracts relevant to business continuity and/or incident response. Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology related services can create special risks to depository institutions that need to be properly addressed in their service contracts.  The FDIC indicated that it plans to hold the board and senior management of financial institutions accountable for controlling those risks in accordance with the requirements of the law and its existing regulatory guidance.

Financial Institutions should be willing to hold their service providers accountable and negotiate an appropriate contract.  All financial institutions should have provisions that they review for all of their contracts with a robust vendor management program, this will help uncover any weakness in business continuity and data recovery early in the process.


You Can Outsource, But You Cannot Hide

Companies may outsource an activity, but cannot outsource accountability.

In today’s economic environment, almost every aspect of a company’s operations can be outsourced efficiently. As a result companies interact with vendors on a daily basis, opening themself up to additional risk. Vendor Risk is a type of Operational Risk associated with the potential risk that may occur from relying upon outside parties to perform services or activities on an organization’s behalf. When a company outsources a need to a vendor, it is still the responsibility of the company to ensure that the vendor operates in compliance with established policies, procedures and regulator expectations.

For financial institutions in particular, this has been a clear message from all banking regulatory agencies to their members. Regulatory agencies have identified instances in which financial service institutions have:

  • Failed to properly assess and understand the risks and the direct and indirect costs involved in vendor relationships.
  • Failed to perform adequate due diligence and ongoing monitoring of vendor relationships.
  • Entered into contracts without assessing the adequacy of a vendor’s risk management practices.
  • Entered into contracts that incentivize a vendor to take risks that are detrimental to the financial institution or its customers, in order to maximize the vendor’s revenues.
  • Engaged in informal vendor relationship without contracts in place.

All companies, and especially financial services institutions, must establish an effective vendor management program to protect their business, clients and employees. Having an effective vendor management program enables institutions to control costs, drive service excellence, mitigate risks, and gain increased value over the life cycle of the vendor relationships. Selection, contract structuring and ongoing monitoring of third party service providers are the consistent theme from the regulatory agencies and other risk experts.