Vendor Management Buyers Guide

Learn more at: www.nafcu.org/quantivate


Continuity, Risk, and Compliance Solutions

Vendor Management Software Buyer’s Guide

1. Why implement Vendor Management?
2. Steps to Successful Vendor Management
3. Questions to ask Vendor Management Software Vendors
4. Important Components of Vendor Management Software
5. Key Feature Comparison Checklist


Why implement Vendor Management?

With increased outsourcing of critical business functions it is more critical than ever to assess the risks posed by outside vendors and manage the ongoing relationship. In fact, regulators and auditors are focusing more and more on how vendors and contracts are managed and maintained by institutions. While vendor management is a “must-do” to satisfy financial industry regulatory requirements, it can also serve as a strategic initiative that can create a better run institution. Vendor Management can also be used as a way to improve efficiency, financial management, and profitability by reducing expenses and minimizing risk.

Steps to successful Vendor Management

• Inventory and Classification: Identify all vendor relationships that exist in the organization. Review each relationship and analyze the criticality of each vendor.

• Due Diligence: Due diligence requires investigation into a vendor’s ability to meet the requirements of the proposed service and an inquiry into the vendor’s financial ability to deliver on its promise. Ongoing due diligence for existing vendors considers the following areas: financial, information security, business continuity, human resources, legal, compliance, operational performance, and reputation. Wherever possible, independent validation of vendor compliance should be collected and reviewed (e.g., SAS70/SSAE16, financials, BC/DR plans, insurance certificates, IS audit).

• Risk Analysis: Risk analysis takes into account the importance of the function to the organization and analyzes how much risk the vendor has mitigated through its own internal efforts. Mitigate or accept the risk of continuing to do business with high-risk vendors.

• Contract Management: A strong contract with a significant vendor is essential to properly managing the relationship. Even relationships with vendors that provide low-risk services should be documented in simple contracts.

• Ongoing Supervision and Monitoring of Vendors: Monitoring and supervision should include ongoing review of the vendor’s financial condition, policies, internal controls, and ability to meet its obligations.

Critical Questions to ask Vendor Management Software Vendors

• What percentage of your customers renew your software/service? This is an indicator of how happy a vendor’s customers are with the software solution and the value users see in the software.

• Are there any hidden fees or costs (e.g., storage, support, training, or other required software licenses like Oracle or Crystal)? These hidden costs can significantly increase the price tag, and adding additional vendors adds complexity to the program.

• How is data imported into and exported from the software? Make sure your data is still usable and accessible to your organization outside of the software solution.

• What is the format of the reports that are generated from the system? Ensure the reports you receive are compatible with other software tools you use and the processes you have in place.

• Can you provide an example report for us to review? Is the data of the report applicable to your organization? Does it comply with industry regulations or standards?

• Have your customers been through an exam/audit? If so, what are the results? Be wary if a vendor’s plans or customers have never been through an audit or exam. This is critical to ensure the vendor’s output is trustworthy, usable, and accepted in the industry.

• How does your software integrate with your other software modules? Many vendors claim their modules integrate; however, they are often fragmented and don’t share data across the platform.

• Is the software flexible/customizable? Finding software that will fit your organization can sometimes be difficult, and changing the organization to fit the software can be overwhelming. Software that provides the ability to customize can significantly reduce the implementation process.

• Do you provide any services that can help us implement the Vendor Management process? Many organizations don’t have the resources to initiate a complete vendor management program. Make sure the organization provides services that can help you do this.

• Are your processes and tools guaranteed to satisfy regulatory requirements? Not all vendors guarantee compliance. Ensure that in the event of an audit your organization will pass without incident.


Important Components of Vendor Management Software

There are many contract management and vendor management software programs available, from ad-hoc software tools like Word documents and Microsoft SharePoint to robust, fully integrated solutions provided by dedicated software vendors. However, few are designed to meet specific regulatory requirements. Institutions should carefully research their options and look for vendor management software that enables them to document, manage, and report on every part of their vendor relationships. A full-featured vendor management solution needs to include:

• Contract storage abilities to organize and maintain a complete database of all contracts

• Ability to scan and save all contracts and contract documents for each vendor

• Ability to create and save all required risk management documents to track key contract information

• Ability to organize and generate management reports for review and compliance examinations

• Instant access to key vendor information

• E-mail alerts to key staff of important contract dates

Key Feature Comparison Checklist

Columns: Continuity, Risk, and Compliance Solutions | Vendor B | Vendor C

Digital File Library

Easy to upload digital files through multiple methods

Customizable Report Templates

At-a-Glance Customizable Dashboards

Web Based

Includes Vendor Classification Questions

Includes Vendor Due Diligence Questions

Includes Vendor Risk Assessment

Stores digital files online

Comprehensive Reporting

• Import/Export

• Initial Data Conversion/Importing at no additional cost

• User group security

Unlimited user logins

Unlimited training

Unlimited support

Auditor and examiner access to system

Automatic notifications

Auto Back-up – keeps your work safe and secure

Audit History Log

Optional Deployment/Implementation Services

Complete integration with other key risk management solutions:

• Business Continuity

• Information Security

• Enterprise Risk Management

FDIC/OCC/NCUA/State DFI Compliance Guarantee


About Quantivate

Founded in 2005 and headquartered in Woodinville, WA, Quantivate is a leading provider of web-based Continuity, Risk and Compliance software and service solutions. The company has grown to become a leading provider of software that organizations use to manage their continuity, risk, security and compliance needs. Customers include local, national, and international organizations in a diverse number of industries including: State & Local Government, Community and Commercial Banking, Credit Unions, Manufacturing, On-Line Retail, Energy & Utilities, Non-Profits, Healthcare, and Technology.

Quantivate, LLC PO Box 1504 Woodinville, WA 98072

[email protected] 1-800-969-4107