Sharpening Your Vendor Management Tools
Because financial institutions rely heavily on vendors to perform tasks involving confidential information, the FFIEC makes us responsible for governing the vendor process. An effective vendor management program will identify, measure, monitor, control, and escalate the risks associated with vendor relationships. Meanwhile, the tools we use to measure vendor risk are improving. The SAS70 is being replaced with the SSAE-16. Service Organizations Control (SOC) reports are internal control reports on the services provided by a service organization. SOC reports provide valuable information users need to assess & address the risks associated with an outsourced service. In addition, examiners are clarifying what is meant by a Critical Vendor, and the tools we use to manage the vendor due diligence process have improved.