IT Examiner School, Providence, RI
For Your Consideration
• Examiners cannot recommend any one vendor or service provider.
• Examiners cannot advocate any particular software application, network administration tool, or similar resource.
• Examiners cannot provide management with a list of possible options.
• It is the financial institution’s responsibility to assess, vet, and determine which solution is appropriate for its needs.
Question: Should a financial institution use a vendor because the parent company uses that vendor?
Vendor Risk Management Process
• The vendor risk management process typically incorporates the following activities:
– Risk assessments and requirements definition
– Due diligence in selecting a service provider
– Contract provisions and considerations
– Incentive compensation review
– Ongoing oversight and monitoring of service providers
– Business continuity and contingency plans