Vendor Risk Assessment

In the US, the Federal Financial Institutions Examination Council’s (FFIEC) guidelines recommend that a financial institution develop a Vendor Risk Assessment document as part of a bank’s or credit union’s risk management process. The CCG Catalyst process is not intended to replace the bank’s or credit union’s current Vendor Risk Assessment, but to serve as a supplement for management to consider the risks in choosing a major technology vendor that might be new to the market.

A vendor risk assessment identifies the risks that exist when using a vendor’s product or service. Performing a risk assessment is critical when the vendor will be handling a core business function, will have access to customer data, or will be interacting with your customers.

Vendor risk assessments are not only critical when bringing on a new vendor but are also needed to ensure that the vendor is maintaining expected quality standards without causing any risks to the bank or your customers.

The goals of a risk review are to:

  • Identify any risks the vendor will pose
  • Identify product/service gaps and the related risk mitigation
  • Evaluate if the vendor can eliminate those risks
  • Monitor the risks that cannot be eliminated
  • Assess the extent to which any outstanding risks may affect the bank
  • Determine if your bank or credit union is willing to accept those risks