Vendor Risk Assessment
In the US, the Federal Financial Institutions Examination Council’s (FFIEC) guidelines recommend that a financial institution develop a Vendor Risk Assessment document as part of a bank’s or credit union’s risk management process. The CCG Catalyst process is not intended to replace the bank’s or credit union’s current Vendor Risk Assessment, but to serve as a supplement for management to consider the risks in choosing a major technology vendor that might be new to the market.
A vendor risk assessment identifies the risks that exist when using a vendor’s product or service. Performing a risk assessment is critical when the vendor will be handling a core business function, will have access to customer data, or will be interacting with your customers.
Vendor risk assessments are not only critical when bringing on a new vendor but are also needed to ensure that the vendor is maintaining expected quality standards without causing any risks to the bank or your customers.
The goals of a risk review are to:
- Identify any risks the vendor will pose
- Identify product / service gaps and the related risk mitigation
- Evaluate if the vendor can eliminate those risks
- Monitor the risks that cannot be eliminated
- Assess the extent to which any outstanding risks may affect the bank
- Determine if your bank or credit union is willing to accept those risks