Pub. 10 2021-Issue 2

Summer 2021 | Feature

a high risk. Their staff has more access than the average person to your documents and assets. If they allowed access to bad actors or shared proprietary information, that could cause a lot of damage. There is a high risk, even though the vendor is insignificant.

Here is what it looks like when we put all the pieces together. First, you determine significance by considering: if the vendor were to have a breach, be temporarily unavailable, or be permanently unavailable, would that be a problem for us? If so, they are significant or maybe even critical, depending on your criteria. Then, you can get more specific about those problems to determine which due diligence documents would be valuable to review. Here are a few examples.

• If the vendor were to have a breach and that would be a problem, we need to review their SOC Audit Report to confirm they are considered secure by a qualified third party.
• If the vendor were temporarily unavailable, thereby creating a problem, we need to see enough of their BCP or SLA to make sure they have plans to keep our service moving.
• If the vendor were to go out of business, thereby creating a problem, we need to see their financials to confirm it looks like they will last a while.

If these conditions are not problems for us, we do not need to look over, or even gather, the related documentation because it will not tell us anything we need.
Finally, knowing how significant the vendor is and knowing how stable and prepared they appear to be, based on the data in their due diligence, we can accurately define the transferred risk we are taking on by being in a relationship with the vendor.

When talking about risk rating relationships with vendors, we often hear the question: is it inherent risk or residual risk? I believe it is neither. When it comes to your vendors, what you are looking at is transferred risk.

After earning a B.A. and an M.A. in Mathematics, Leticia joined CoNetrix, where she served as the Tandem Software Support Manager for several years. She built and directed Tandem's first team of support specialists. Leticia now serves as Chief of Staff, focusing on corporate strategy, employee development, and training. In her free time, she enjoys mentoring college students, teaching phonics, and solving jigsaw puzzles.
