Not in our opinion. We are in Chris Buses’ camp when it comes to this issue. It is true that 5-7 years ago information security dominated the risk concerns when it came to outsourced and third party relationships, but with the FFIEC examination handbook updated in March 2008 the emphasis broadened to include many other dimensions of risk. Ultimately, that laid the groundwork for where we are today. Information security is just one small part of the vendor, or third party, risk management equation. And vendor risk management must be successfully integrated into an enterprise’s ERM program. Certainly, vendor management is a big enough, and complex enough process, that when done correctly, crosses a lot of organization boundaries and it requires its own system and dedicated resources to run efficiently and achieve good compliance. But vendor management also has to be integrated into a good ERM framework, which is why we built VendorINSIGHT® the way we did. In banking, for example, the successful CRO has broad-ranging risk management skills that span the two primary business elements – lending and deposits – as well as other affiliate services (insurance, etc.) and often brings a big-audit perspective that is essential to maintaining integrity in the ERM framework. The CRO often has a risk orientation focused on narrative and good documentation about business risks and trends and residual risks, as much as information security. We see information security as a specialty within the risk management department led by the CRO. Perhaps in a very small community bank this role can be assumed by one individual but we wouldn’t recommend it in a bank that is $1 B in assets or greater.
What happens if you suddenly lose your point of contact (POC) at a vendor? A POC is an individual or a specific department who acts