Due Diligence and Ongoing Monitoring

Hello Everyone,

I'm curious to know how you classify your vendors that provide cash services to bank/credit union branches and ATMs. such as Brinks, Diebold and Loomis.

They don't have member or customer information, but do provide a vital service so we have cash available for members or customers.

Do you consider them significant or non-essential vendors? Am wondering how often you perform a Risk Assessment on them and how deep you dive.

Appreciate any information. 

Sincerely,

Cheryl Turner
Farmers Insurance Federal Credit Union

Hi Cheryl,

It's not uncommon for an organization to have questions about how to risk rate and manage specific vendor types, especially at first glance, where the risks may not be obvious.

For all vendors,  the best way to understand their risk profile is to complete an inherent risk assessment. A standardized inherent risk assessment will help you objectively identify all the types and amounts of product and service risks in the engagement.  

In the case of your cash services vendors, they likely rate as high risk as they have physical access to your facilities (and equipment). Also, they provide a service requiring high-security awareness and training to prevent robberies and theft, and they almost always carry firearms. So, background checks, training, etc., are also paramount.

Now should you classify them as significant or non-essential? I will take a leap here and translate significant or non-essential into the more commonly used terminology of Critical or Non-Critical.

Critical vendors would significantly impact your credit union, or its members, should they fail or have an extended unplanned outage. Typically, a critical vendor can be identified by asking these three questions.

1. Would a sudden loss of this third party cause a significant disruption to our business?
2. Would the sudden loss impact our members?
3. If the service is disrupted, would there be a negative impact on our operations if restoring service took more than 24 hours?

If the answer to ANY of these questions is "YES," it's a critical vendor. ( or, in your case, a significant vendor)

So I brought up both the inherent risk rating and criticality because both pieces of information should guide your risk re-assessment cadence and due diligence rigor.

In the case of cash management, there is High risk, and because your members would be impacted if they can't get cash, they might also be considered Critical. In either instance, at a minimum, high-risk and critical vendors should undergo a risk assessment and full due diligence every year.

I hope that is helpful, but I would love to hear what other members think.

Original Message:
Sent: 12/13/2022 12:36:00 PM
From: Hilary Jewhurst
Subject: RE: Classification for cash services vendors

Hi Cheryl,

It's not uncommon for an organization to have questions about how to risk rate and manage specific vendor types, especially at first glance, where the risks may not be obvious.

For all vendors,  the best way to understand their risk profile is to complete an inherent risk assessment. A standardized inherent risk assessment will help you objectively identify all the types and amounts of product and service risks in the engagement.  

In the case of your cash services vendors, they likely rate as high risk as they have physical access to your facilities (and equipment). Also, they provide a service requiring high-security awareness and training to prevent robberies and theft, and they almost always carry firearms. So, background checks, training, etc., are also paramount.

Now should you classify them as significant or non-essential? I will take a leap here and translate significant or non-essential into the more commonly used terminology of Critical or Non-Critical.

Critical vendors would significantly impact your credit union, or its members, should they fail or have an extended unplanned outage. Typically, a critical vendor can be identified by asking these three questions.

1. Would a sudden loss of this third party cause a significant disruption to our business?
2. Would the sudden loss impact our members?
3. If the service is disrupted, would there be a negative impact on our operations if restoring service took more than 24 hours?

If the answer to ANY of these questions is "YES," it's a critical vendor. ( or, in your case, a significant vendor)

So I brought up both the inherent risk rating and criticality because both pieces of information should guide your risk re-assessment cadence and due diligence rigor.

In the case of cash management, there is High risk, and because your members would be impacted if they can't get cash, they might also be considered Critical. In either instance, at a minimum, high-risk and critical vendors should undergo a risk assessment and full due diligence every year.

I hope that is helpful, but I would love to hear what other members think.