Regulatory agencies require that senior management ensure periodic independent reviews are conducted on the bank’s Vendor Management Program, particularly when a bank involves third parties in critical activities, such as bank core processing, online banking and mobile banking.
CCG Catalyst’s review includes assessing the adequacy of the bank’s process for:
- Ensuring third-party relationships align with the bank’s business strategy
- Identifying, assessing, managing, and reporting on risks of third-party relationships
- Responding to material breaches, service disruptions, or other material issues
- Identifying and managing risks associated with complex third-party relationships, including foreign-based third parties and subcontractors
- Involving multiple disciplines across the bank as appropriate during each phase of the third-party risk management life cycle
- Ensuring appropriate staffing and expertise to perform due diligence and ongoing monitoring and management of third parties
- Ensuring oversight and accountability for managing third-party relationships (e.g., whether roles and responsibilities are clearly defined and assigned and whether the individuals possess the requisite expertise, resources, and authority)
- Ensuring that conflicts of interest or appearances of conflicts of interest do not exist when selecting or overseeing third parties
- Identifying and managing concentration risks that may arise from relying on a single third party for multiple activities, or from geographic concentration of business due to either direct contracting or subcontracting agreements to the same locations
CCG Catalyst will prepare our report for senior management and the Board of Directors that outlines the results of our review and we will make recommendation to adjust the bank’s Vendor Management process, including policy, reporting, resources, expertise, and controls.
CCG Catalyst will also evaluate the effectiveness of the bank’s Vendor Management Program and make recommendations as to:
- Commencing new or continuing existing third-party relationships
- Bringing activities in-house
- Discontinuing activities
