Vendor Management Worksheet
This worksheet is provided to make the initial assessment of any and all vendors to be used by
Bank. If a vendor has access or potential access to customer information then an NDA or
contract language approved by legal or compliance should be included and addressed prior to
inception/purchase. If a SAS 70 will be required, the SAS 70 must be a part of the contract
language indicating it will be provided at least annually. No contract should exceed 3 (three)
years in length without an EVP or above and legal documented approval. Long Term contracts
can pose unnecessary risks for the Bank.
***Please read the heading requirements before each section; not all sections may be required***
GENERAL (complete this section for ALL vendors):
Name of Vendor:
Target Objective of the Vendor:
Licensing Required by the Bank: No Yes N/A. If yes, how many:
Cost per license:
Systems to be accessed by the Vendor (electronically or physically):
LEGAL (complete this section for ALL vendors):
Contract is for software purchase only- no services rendered: No Yes N/A
Contract Outlines the Scope of Service? No Yes N/A
Contract requires arbitration or mediation in case of a dispute? No Yes N/A
The contract governing law should be YOUR STATE. The Legal Department must approve the
contract prior to consummation. State of governing law (if different than YOUR STATE):
Vendor is publicly traded? No Yes. If yes, the symbol is:
SAS 70 is required? No Yes N/A
Errors and Omissions Insurance coverage is equal to: or N/A.
Unless the contract is otherwise exempted from the time frame limitations by policy or Board of Directors approval, in which case the exemption should be documented within the VM file.
PRIVACY (complete this section if confidential information is involved):
Vendor will have potential access to customer information? No Yes
Vendor will have remote access to customer information? No Yes N/A
Vendor will / will not leave the Bank's local network or firewall perimeter with customer information (this includes leaving with electronic copies of the information)?
Vendor will be able to access customer files: During Review Only Anytime During Business Hours Weekly Monthly Annually Upon Bank Submission Only.
Vendor outlines additional potential expenditures (aside from items beyond the control of the vendor)? No Yes N/A
Vendor will use our internet connections? No Yes N/A
Vendor contract states that all use of jump drives/thumb drives will be on a drive with a minimum of 128-bit encryption before any customer information is loaded, and that the vendor will advise the Bank in advance of the use of any jump drive or thumb drive: No Yes N/A
If no to the above, will the vendor use such devices? No Yes N/A
If yes, for what purposes? The vendor must attest in writing that the drive is encrypted with at least 128-bit encryption prior to saving any customer information on the device:
Vendor will use wireless connections to work on or transfer Bank confidential information: No Yes N/A
Vendor will provide a SAS 70 report at least annually to the Bank (no later than March 31 of each year) if required by law or Bank policy. No Yes N/A
Vendor has a Business Continuity Plan (aka Disaster Recovery Plan) in place: No Yes N/A. BCP was last audited: date Never Audited Information not provided
Vendor agrees to provide Business Continuity or Business Resumption plan upon request: No Yes N/A
Vendor has signed an NDA (Non-Disclosure Agreement) with the bank or the language within the contract meets the Bank’s standards and/or regulatory standards for protection of customer information. No Yes N/A
If no to the above, indicate the reason:
This section should not be skipped: either name a reference and/or cross-reference one.
environment is more intense today than it ever has been. Simply
relying on the reputation of your vendor, or on the contract you have
in place with it, provides little security these days.
In my search for the keys to effectively managing third-party relationships, I continued to run into the concept of “due diligence.”
I then sought to find an appropriate definition of this concept
in the context of managing vendor relationships. The following
definition was the best I found: “Due diligence is a reasonable
inquiry into a vendor’s ability to operationally meet the bank’s
requirements for the proposed service and an inquiry into the
vendor’s financial ability to deliver on its promise.” In other
words, can the vendor do the job the bank is hiring it for and is
it financially sound? Ah, more details. The financial soundness
of your vendor is an important factor, too.
A negative response to either of these questions should lead
the bank to make another selection. Determining the answers to
these questions, however, requires quite a bit of work. There are
at least 14 questions that should be answered before you come
to any conclusions:
■ Is the function to be performed an area of specialty for the
■ How long has the vendor been engaged in this area of specialty?
■ What is the reputation of this vendor?
■ How competent is the vendor's staff?
■ How stable is the staff?
■ Will the vendor have to outsource any part of the function?
■ Does the vendor conduct regular audits or internal control
■ Are the vendor's financials strong?
■ Are there any outstanding lawsuits or regulatory actions against
■ Does the vendor have appropriate security controls in place?
■ Does the vendor have a business continuity plan in place?
■ Is the vendor committed to following applicable laws, regulations, and bank policies and procedures?
■ Is the vendor open to occasional on-site visits?
■ How committed is the vendor to providing outstanding service?
While this list is not exhaustive, it is a good beginning. In
answering these questions it is important to remember that the
lack of a satisfactory answer to any one question may not be
determinative. However, a less-than-positive response should
be considered in the overall assessment of risk the vendor may
present to the bank.
The next logical question: How much diligence is due? The
simple answer: It depends. The riskier the activity being outsourced, the more critical the need for a thorough review of the
vendor before and after hiring it. In the case of ABC Collections
Agency, the fact that the work it is being hired for has significant