Skip to main content
Promotion: Promotional Banner Image

CUNA is now America’s Credit Unions.
A stronger voice to advance the credit union industry.

Learn More

8 Elements to Have in Your Credit Union’s Vendor Risk Management Program 

By Venminder
May 2022

Credit unions often need to rely on vendors for a variety of business operations. This business strategy requires a process of identifying key vendors while also understanding and managing the associated risk that comes from these partnerships. This is where vendor management, or third-party risk management, comes into play. Vendor risk management isn’t a new concept, but the increase in regulatory expectations have highlighted the need for a comprehensive practice to manage third-party risk.

Regardless of whether you’re managing a basic vendor like a landscaper or a high-tech organization like a cloud storage provider, there are certain elements that must be included within your vendor risk management program.

8 Main Elements for Vendor Risk Management

The National Credit Union Association (NCUA) sets the standards on how to manage third-party relationships, which can be found in regulations such as Supervisory Letters No. 07-01, 01-CU-20 and 21-CU-16. These regulations cover a wide range of issues such as risk assessments, due diligence and monitoring activities.

To protect your credit union and its members from vendor risk, it’s essential to implement an effective vendor risk management program. At a minimum, your program should contain the following 8 main elements:

  1. Board and/or senior management oversight – Vendor risk management activities should be guided and approved by the board and/or senior management through official governing documents such as a policy and program document.
  2. Scoping – It’s important to understand the scope of what does and doesn’t need to go through third-party risk management activities. In other words, establish clear guidelines of what a vendor is to your credit union and what they provide in terms of products or services.
  3. Risk assessments – A vendor’s inherent risk and criticality must be assessed to understand the full amount of risk that will be exposed to your institution. Inherent risk is based solely on the relationship without any precautions or controls in place. Criticality refers to the impact a vendor may have on your institution if it fails to perform.
  4. Due diligence – Collecting and reviewing vendor due diligence documents (i.e., liability insurance, business continuity plans, list of fourth parties, etc.) is an important process that validates the good standing of the vendor. This process also includes the identification or implementation of necessary controls that reduce the inherent risk to an appropriate level. Due diligence should always be risk based and repeated throughout the relationship, such as during contract renewals or changing regulations.
  5. Contract management – Selecting a vendor and managing the contract requires careful planning and consideration to ensure that both parties are completely understanding of each other’s roles and responsibilities. Negotiations, approvals and renewal dates should all be included in the overall contract management strategy.
  6. Ongoing monitoring – Many institutions overlook this critical element of third-party risk management. Vendor risk and performance can change throughout the relationship, so it’s important to maintain a practice of ongoing monitoring activities like periodic risk assessments and service level agreement (SLA) tracking.
  7. Reporting – Keep the board and senior management informed of critical vendor activities by providing consistent and accurate reporting. Keep in mind that the goal of reporting is to inform stakeholders and drive action.
  8. Exit strategy – A vendor engagement may need to end for any number of reasons. Whether it’s related to performance issues, or your needs have simply changed, it’s important to establish an exit strategy well in advance to ensure the termination process is smooth.

These eight main elements may seem obvious to many third-party risk professionals, but they’re often overlooked by many leaders throughout an institution. With a strong program in place, your credit union will be better protected against a variety of third-party risks.

About Venminder

Zogo helps credit unions educate, engage and attract young people. Backed by behavioral science research at Duke University, its gamified financial literacy app teaches sound financial fundamentals and rewards users for learning. Their mission is to make personal finance fun, simple, and social. Founded by Gen Zers, Zogo understands what it takes to reach the younger generation.

Learn more about Zogo