IT Policy

CBC Vendor Management Policy and Risk Assessments

What are the requirements?

FFIEC guidelines call for banks to perform risk assessments on major vendors that will store or have access to customer and/or bank confidential information, or whose services have a significant impact on the normal operation of the bank. The guidelines are specific as to what steps are required for these risk assessments and what facets of the vendor should be evaluated. FFIEC also requires that a risk assessment be performed on the contract with the vendor. Your bank is also required to review the relationship with the vendor annually.

What does it mean for your bank?

If done the traditional way many banks do it, your bank is burdened with a long, resource-consuming process. Most banks will try to review the vendor's SAS70 and financials looking for risks to assess. The problem with this is that many community banks do not have the expertise necessary to assess risk on vendors' information security programs and systems even when they have the SAS70. Banks have to show evidence of the process and report it to the board. The contract review is just as difficult. The sum of it is that your bank will work hard to be compliant and most likely not benefit from the process.

How can CBC make it easier?

Community Banc Consulting of Ohio, Inc. has streamlined the vendor management and risk assessment process for community banks through years of experience with banks and various examining bodies. We have developed a system of documents that potential vendors must complete and attest to as valid. The worksheets make it very simple to assess risk in the different categories of information security required by the FFIEC guidelines. The Vendor Management Policy and Risk Assessment includes worksheets that simplify the contract review process. Our process puts the burden on the vendor to provide the very specific information your community bank needs to properly assess risk and comply with the regulations.

Summary of features:

  • Professional policy and guidance
  • Formal vendor document requests
  • Thorough yet simple risk assessment worksheets
  • Detailed contract review and risk assessment
  • A valuable built-in chain of evidence to show your bank's due diligence

Can CBC perform my vendor management and vendor risk assessments?

Yes, we can. One of the FFIEC requirements is that the person performing the risk assessment has the required, proven knowledge to make judgements on the risk. If your community bank does not have the technical and compliance capabilities in house, CBC can perform the process for you.

If you would like more information about CBC's Vendor Management Policy and Risk Assessment or any of our policies, please contact:

Paul Elder 614-848-3189 ext 121 or email Paul
Larry Krietemeyer 614-848-3189 ext 143 or email Larry