I am the only one primarily over vendor management for my credit union (though I have a backup if necessary); it is not my only role either - I am in compliance, so I have other duties. Our VM policy itself is very short, but our procedures are where the content is. I rewrote them (with assistance from the rest of the compliance dept - two others) a few months ago, along with implementing a new process for reviewing and onboarding vendors.
I built a risk assessment within Venminder and it has made risk rating everyone SO much easier. I have to touch all 230+ vendors this year as many of them were way behind in being reviewed, so I understand the daunting part! You are welcome to e-mail me if you want specifics (I could talk a LOT about all that I am doing now), but my overall process for ongoing management is as follows:
- Set an oversight task in Venminder for every vendor's Contract Review. I line it up with the contract notice date plus an additional two months to obtain documentation.
- Our process is not fully automated, so I do have a Word document for vendors to fill out. I ask how the vendor accesses our network, what data is received, if NPI is shared, etc., and also confirm if we are renewing the relationship. I email this to the vendor owner and ask for due diligence docs as well.
- Due diligence docs are based on risk rating. For new vendors, we use Venminder's onboarding and base documentation on the preliminary risk rating (I modified the initial questions in Venminder).
- Once I get my documentation and questionnaire from the vendor owner, I upload it (and clean up old docs in Venminder if necessary), update the contract status, perform my risk assessment and create a note (on the vendor's dashboard page) in Venminder stating Contract review and RA complete, and if any documents are missing (not sent by vendor owner) I note that.
We don't internally audit our VM program either, but hopefully my info helps. I felt lost in this process when I moved to this department last year, but a peer at another institution walked me through her process and it helped me immensely. I am happy to help since I know there's not a ton of info on banking vendor management out there. Please let me know if I can assist in any other way!
Original Message:
Sent: 03-11-2020 12:56 PM
From: Anonymous Member
Subject: Policy/Audit creation
This message was posted by a user wishing to remain anonymous
I have been tasked with updating our Vendor management program. In searching everything we have, our policy needs a complete rewrite, all vendors need risk assessments as well as obtaining documentation from the vendors. We also do not have an internal audit for the policy. I am the only member of the "vendor management team" for our facility and vendor management is only a part of what I do. Does anyone else have an audit that I could take a look at to assist in creating my own? Or any tips on how to manage the Vendor management program as efficiently as possible?
Thank you.