Q: What factors determine a high, moderate or low-risk vendor?
A: When determining risk factors to decide on a vendor's inherent risk, there are many factors that must be considered. While a lender's risk appetite will play a part in determining the risk assigned, vendors should not all fall into the same risk tier. Vendors that are not critical to a lender's operations do not need to undergo the same due diligence process compared to a vendor that plays an important role in the day-to-day operations.
Typically, characteristics that should be examined include:
It is important to note that your vendor management oversight program should clearly define the criteria for high, medium, or low-risk vendors with documentation to justify your risk rating approach.
- Whether the vendor is customer facing,
- If the vendor has access to consumer NPI (non-public personal information),
- The work performed by the vendor,
- Regulatory/operational impact if the vendor does not perform the function assigned, and
- Monitoring/performance of the vendor.