Residual Risk Explained

Having a well-maintained vendor management program will allow you to build relationships with your vendors while also strengthening your business. Understanding your vendors’ residual risk is a key piece of your vendor management program: it tells you the amount of risk or danger associated with a vendor’s action after controls are accounted for.

To understand Residual Risk, we first need to understand Inherent Risk. Inherent Risk is typically defined as the amount of risk that the vendor has in the absence of controls. Any time a financial institution uses a third party to provide a service or product, the financial institution needs to complete a risk assessment so it can understand the criticality of the risk that vendor will have. Inherent risk is established only after the vendor’s key objectives have been defined and steps have been taken to identify what could go wrong to prevent the vendor from achieving those objectives. In addition to impact and likelihood, management must also consider the nature of the risk.

Once the Inherent Risk of the vendor is established and the financial institution recognizes the criticality of the risk, the financial institution must identify what controls the vendor has in place to help mitigate or reduce that risk. Once the controls have been assessed, they should also be tested to ensure that they are operating efficiently. Testing the controls provides confidence that they actually reduce risk to a tolerable level.

Finally, we are able to take a look at residual risk. Residual risk is the amount of risk associated with each vendor that remains after inherent risks have been reduced by the controls the vendor has in place. When controls are weak, not in place, or not functioning properly, residual risk will be high. If vendor residual risk is high, a corrective action plan describing how the vendor is going to strengthen those controls needs to be put in place, or management should seek out other vendors who can provide the product or service to the financial institution.

Strunk at the ABA’s Virtual Risk Management Conference 2021

We’re getting the hang of these virtual events at Strunk!  Strunk attended the ABA’s annual Risk Management conference last week. During the virtual event we hosted a virtual booth, met with many familiar and new faces via Zoom meetings and attended virtual sessions. We enjoyed the opportunity to connect with bankers across the country.

We welcomed the opportunity to discuss with attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software Risk Manager, which includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and Vendor Manager.

A state of the industry was provided by Dr. Catherine Mann, currently the Global Chief Economist for Citibank. The session included an update on the economy, focusing on pandemic recovery in all key sectors. She also shared thoughts on key economic risks for financial markets and how this impacts risk mitigation efforts. The session also included a keynote address by Rob Nichols, President and CEO of the American Bankers Association.

Attendees had the opportunity to discuss post-pandemic risk management, among many other topics. Bankers were encouraged to reassess and modify risk management frameworks as a result of the pandemic, especially reviewing and adjusting risk appetites and associated metrics.

Congratulations to the winner of Strunk’s giveaway, a $100 gift card to Amazon – Linda Schnitzler of The Canandaigua National Bank and Trust Company!

We hope to see you all in person next year. Until then, stay well.

Do you properly evaluate vendor risk?

Understanding vendor risk is an extremely important part of your vendor management program. Each vendor that provides a product or service to you may have some inherent risk that your organization may take on. Knowing the inherent risk for each of your vendors before you enter into a contract with them will provide insight into whether the vendor handles any critical business function, has access to sensitive customer data or interacts with customers.

Risk assessments will not eliminate the risk associated with the vendor, but the risk assessment can help minimize the impact on your business. Once the vendor’s risks have been identified, you can decide if those risks can be eliminated by knowing what controls that vendor has in place. The vendor’s controls should be reviewed to make sure they are effective and also monitored.

A successful vendor risk assessment can assist with:

  • Rating each vendor according to risk.
  • Assessing each vendor relationship at the service or product level.
  • Determining which vendors need to complete vendor surveys to establish what controls they have in place for their risk.
  • Determining the due diligence requirements and the frequency.

Even though risk assessments are a preventive step in the vendor management process, organizations should always perform periodic vendor risk assessments to ensure their vendors are keeping up with their quality standards and not introducing risks to the company, its customers, and investors.

Strunk at the ABA’s Virtual Conference for Community Bankers 2021

For the first time, Strunk attended the ABA’s annual Conference for Community Bankers virtually. During the virtual event we hosted a virtual booth, met with many familiar and new faces via Zoom meetings and attended virtual sessions. While a bit different than being together, it remains one of the most anticipated events of the year and we made the most of the connections with bankers and enjoyed seeing everyone.

We welcomed the opportunity to discuss with attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software Risk Manager, which includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and Vendor Manager. Strunk’s Overdraft Program is always a hot topic of conversation and we were glad to discuss our approach with long-time clients and potential clients.

Attendees had the opportunity to hear from keynote speaker, former NBA star Earvin ‘Magic’ Johnson in his session ‘The Power of Magic’. On top of his athletic notoriety, Magic is a driven and successful entrepreneur who shared what it takes to truly make an impact.

Another interesting session was hosted by Ron Shevlin of Cornerstone Advisors on the five forces shaping the banking industry today. He detailed how challenger banks, big tech, embedded finance, artificial intelligence, and cryptocurrency are affecting our banks and provided areas of focus for community FIs.

Congratulations to the winner of Strunk’s giveaway, a $100 gift card to Amazon – Mayra Rinaldi of Columbia Bank!

We hope to see you all in person next year and to once again host the conference t-shirt station. Until then, stay well.

5 Things you should do to build an Effective Vendor Management Structure

Managing your vendor management program can be troubling and time consuming. With the increasing number of vendors that companies depend on each year, companies need to make sure they are monitoring vendors and contracts more efficiently to help prevent problems before they start.

1. Identify your vendors and understand what services they are providing you.
Creating a list of your existing vendors and understanding the nature of their service is key in your vendor management structure. Having access to your vendor list and their information will lead to both effectiveness and efficiency inside your organization. Effective vendor management entails a detailed grouping of vendors based on criticality and service.

2. Contract Review
Storing your vendor contracts in a central location will provide insight into the current stage of each vendor, for example, vendors with contracts in place, vendors that require renewals, etc. Having a centralized view of the current status of all contracts will help achieve better decision-making capabilities and save valuable time. Understanding and scoring what provisions should be in the contract will help provide the correct terms of the contract between you and the vendor.

3. Risk Assessment
Completing a risk assessment on your vendors to better understand the risks posed by the third-party relationship is critical to each vendor relationship. Identifying any risks that the vendor poses will help your company evaluate whether the vendor can eliminate those risks or determine whether your company can accept those outstanding risks for that vendor.

4. Vendor Reviews
Not all vendors may perform to your standards. It is important to choose, from among multiple vendors, the right vendor who meets your organizational standards and criteria while promising excellent performance. Performing periodic vendor reviews will give you a better understanding of the vendor’s performance and make sure they are providing a quality product or service to your company.

5. Document Storage
As your company grows, it becomes essential to have a vendor data storage solution in place. In the absence of a vendor management system, storing and retrieving data might prove to be really tough, considering that you may be dealing with multiple vendors for multiple projects at the same time. Having a centralized repository for your vendors’ data will help streamline and organize your vendor management program.

Who Handles your Vendor Management?

Managing the vendors your financial institution does business with is important, but it can be a time-consuming and stressful project. Some institutions have decided to let third parties manage the risk assessment and vendor due diligence process rather than do it on their own. Strunk’s Vendor Manager solution makes it easy to do risk assessments, manage contracts and other vendor documents and obtain necessary annual information to ensure risks associated with vendors you do business with are managed appropriately.

Our program provides: 1) A repository of information on each vendor you do business with and 2) The ability to do consistent risk assessments for each vendor. Maintaining a list of key vendor relationships, contracts, insurance certificates, security policies, and other documentation is critical to vendor management. The tickler system notifies the individual assigned to the vendor when contracts come up for renewal or when other documents are due.

Vendor risk assessments can be a hassle and our solution takes a standard approach to ensure the process is consistent and thorough based on the risk (critical, high, moderate or low) per regulatory guidelines. For critical and high risk vendors additional information is obtained from those vendors to complete the risk assessment.

Vendor Management is imperative at all financial institutions and Strunk’s Vendor Manager Solution may be just what you are looking for. Take back the process from outside vendors or make internal vendor due diligence easy and consistent to manage.

Managing your Vendor’s Service Level Agreements

Vendor Manager automates vendor due diligence, provides a practical framework for deciding which vendors to assess in depth, assesses the risks they present, and monitors their performance.

Defining and managing Service Level Agreements (SLAs) with your vendors is a very important aspect of your Vendor Manager program. An SLA defines the level of service you expect from a vendor, laying out the metrics by which that service is measured, and the remedies or penalties, if any, should the agreed-on service levels not be achieved. SLA monitoring takes place after the contractual agreement to meet the client expectations is executed. Having a central location to clearly identify, define and review your SLAs is critical to your Vendor Manager program.

Being able to create reports that show where potential problem areas lie in the service your vendor provides is key to a quality vendor manager program. Strunk’s Vendor Manager software has the capabilities to help you manage your vendor’s SLAs, and it provides a central repository to track your vendor’s performance to make sure they are meeting your business needs.

Use Strunk’s Vendor Manager to automate a cumbersome process into a well-organized, self-documenting workflow. In addition to tracking the performance against key SLAs, use Vendor Manager to maintain your list of key vendors and associated contracts, to assess the inherent risk presented by each vendor and to complete the annual review of each relationship.

How do you Store Essential Vendor Documents?

In today’s environment it is crucial to understand how you are managing your vendor documents.  It is important to know when a vendor needs to send you data or if you are missing documents and also where the documents are located.  Having a centralized repository for your vendor documents will help you become more efficient, organized and increase organizational transparency.

Having the documents that belong to your vendors in one location opens the door for better communication and collaboration. Linking all of your vendor documents to a central repository that features automatic notifications and reminders helps you achieve better collaboration in your organization. An important factor in achieving a fast and efficient process is ensuring that everyone has access to the most accurate and up-to-date versions of your vendor documents. Using software that can eliminate the need for physical filing and cluttered storage will help you become more organized and will eliminate human errors. Storing your documents in software will give your organization the ability to retrieve the vendor documents as quickly as possible.

Searching for misfiled documents can be very frustrating and time consuming.  Using a software as your centralized repository for your vendor documents can reduce the time spent dealing with lost or misfiled documents, thus enhancing productivity and efficiency while allowing team members to perform tasks where their time is better spent.

When all of your vendor documents are in the same place, you have better visibility into that vendor.  Most software offers varying levels of accessibility based on role.  Different team members can have certain rights, permissions and levels of access that may be restricted to others.  Having this in your vendor document repository software allows an audit trail and the ability to track updates with little effort.

Strunk Solution Fall 2020 Features

With Strunk’s most recent release, clients can now utilize new features in Risk Assessor, Policy Manager, Controls Manager, Vendor Manager, Skills Manager and ODP Manager. We’ve been busy!

Risk Assessor now provides the ability to pull multiple bank UBPR Data into one single risk assessment. This will simplify assessments for multi-bank holding companies.

Criteria based auto assignment for reader and editor groups is now available in Policy Manager. Users are able to assign specific documents based on physical location or job title, where assignment of a set of policies and procedures could dynamically change based on these rules. We have also adjusted the way the policy acknowledgement is assigned. Admin users have the ability to request that users read a policy at a configurable number of days in the event that a policy is updated throughout the year, rather than just every 365 days. Users will be notified of necessary policies to review via email.

Controls Manager now supports notification of the group owner rather than simply the control owner. Alerts will be triggered any time a significant change or update is made to a control.

Clients will be excited to see the improvements to Vendor Manager reporting. Users can sort by a customized list of vendor types, vendor risk level and renewal year within all summary reports. Reports will also include whether or not the vendor survey has been completed and if not, what the current status is.

Skills Manager exams have historically been comprised of multiple choice or true/false questions. We now support the option to have an open-ended comment for specified questions.

Lastly, ODP Manager provides the ability to mark old status codes as inactive or deleted so they no longer show on reports, such as the Status Tracking Report.

If you would like more information on any of Strunk’s new features or products, please contact us at 800.728.3116 or

Ensure Contract Completeness with Strunk’s Contract Review

Having a well written contract with your vendor is a critical aspect in your vendor manager life cycle.  The contract is important as it sets forth the terms and conditions of the relationship with the vendor.  Vendor contracts are legal agreements that clearly set forth the provisions and conditions of the work or services that the vendor provides.  Because the contract is the foundation for the relationship with the vendor, a complete contract review should be done before the agreement is signed.

Strunk has created a Contract Review feature in our Vendor Manager solution to help ensure your contract does not have any gaps and that each provision is understood with clear expectations. Contract Review will assist in clearly identifying what each party’s role is and who is responsible for each area. This will prevent any issue between the financial institution and the vendor. Regulations require that contracts contain key provisions such as confidentiality, service level agreements, and mutual rights and responsibilities. A thorough review of your vendor contract should be done both prior to signing a new contract and while reviewing existing contracts for renewals. Strunk’s Vendor Contract Review will help clients address significant risk controls and regulatory compliance within each of their vendors’ activities.