Financial institutions (FIs) frequently rely on vendors to enhance their current infrastructure, processes, and technology solutions. Vendors enable these institutions to achieve their strategic business objectives with new products and services, thereby achieving operational excellence, by increasing revenue and reducing costs. However, the outsourcing of core functions and increased use of data brings forth the need to better manage vendor risk across areas, such as cybersecurity, privacy, and information and protection laws. 

This paper explores enhancing a financial institution’s vendor risk management (VRM) framework by incorporating data risk to drive effective data governance and management. We identify four principles utilizable to actively reduce data risk. Lastly, in this paper, the terms “vendor(s)” and “thirdparty(ies)” are used interchangeably to cover a broad interpretation of a contract or a business arrangement. It covers any relationship that an FI may enter with another entity or individual for the purposes of obtaining products or services.