Monitoring
A vendor management program without appropriate monitoring is like driving in the dark at 90 mph without headlights.
Deliverables, metrics or service agreements, risks and due diligence must be tracked, monitored and updated. Mandatory monitoring should include:
- Business strategy (including acquisitions, divestitures, joint ventures) and reputation (including litigation) that may pose conflicting interests and impact the vendor’s ability to meet contractual obligations and the service-level agreement;
- Compliance with legal and regulatory requirements: Have enforcement actions or material litigation been filed against them?
- Financial condition: What fiscal changes have they experienced and why?
- Insurance coverage: Maintained, updated with appropriate limits and deductibles;
- Key personnel and ability to retain essential knowledge in support of activities;
- Ability to effectively manage risk by identifying and addressing issues before they are cited in audit reports;
- Process for adjusting policies, procedures and controls in response to changing threats, new vulnerabilities, material breaches, or other serious incidents;
- Information technology used and the management of information systems;
- Business continuity plans: Testing, and reporting of test results;
- Subcontractors: Location of subcontractors, and the ongoing monitoring and control testing of subcontractors;
- Agreements with other entities that may pose a conflict of interest or introduce reputation, operational or other risks to the bank;
- Ability to maintain the confidentiality and integrity of the bank’s information and systems;
- Volume, nature, and trends of consumer complaints, in particular those that indicate compliance or risk-management problems;
- Ability to appropriately address customer complaints;
- Cybersecurity; and
- Contract milestones including notification dates, renewals and terminations.
The monitoring aspect of a vendor management program is the result of the risk assessment, due diligence and contracting with the vendor. However, it also represents the future of the vendor relationship. The bank’s monitoring activities should be tailored to develop the vendor relationship and provide visibility into the vendor’s operations and activities on numerous levels by adopting a multi-layered approach to monitoring, gathering information from various people or areas within the vendor. This alone provides additional control over, and verification of, the information the vendor provides.
Of course, to achieve an appropriate level of monitoring, the bank has to devote appropriate, experienced resources to monitoring and provide the tools necessary to deliver the expected results.