Vendor Selection
Vendor selection is an important part of an organization’s operations and generally begins with conducting a thorough analysis of business requirements, scope, level of need, timeline, budget, and benefit analysis. Vendors are generally selected based on predetermined factors which can include ability, reputation, financial health, cost, scope of service, and location.
CSF: 6.6.1.1 Vendor Selection Process
Due diligence should be performed prior to selecting a vendor, to assess qualitative and quantitative aspects of potential vendors and to determine if a relationship will achieve the strategic and financial goals and mitigate identified risks. Comprehensive due diligence involves a review of all relevant information about a potential vendor, focusing on the entity’s financial condition, costs of service, specific relevant experience, knowledge of applicable laws, regulations, and Fannie Mae requirements, its business continuity and disaster recovery plans, technology capabilities, reputation, and the scope and effectiveness of its operations and controls.
Once a vendor is selected, a contract should be negotiated and established which defines basic service agreements (service level agreements, operating level agreements, and other contractual relationships) and each party’s roles and responsibilities. In addition, appropriate actions and remedies should be established within the contract to ensure timely action to address and resolve any vendor performance failures.
Evaluations and Recommendations
Documented policies and procedures must be in place to ensure consistency for vendor selection across the organization. These procedures should include the following provisions.
- Vendors to have adequate business continuity, disaster recovery, and cyber security plans in place.
- All vendors to have the ability to meet servicer and Fannie Mae requirements relative to the work being performed.
- Use of other parties or subcontractors by the vendor.
- Adequacy of management information systems.
- Well-established processes are in place for performing due diligence on potential and current vendor qualifications, expertise, cost of service, capacity, reputation, complaints, information security, document custody practices, financial viability, staffing levels, performance, and work quality.
- If applicable, additional controls are in place when a third-party vendor is located offshore.
- SLAs are in place that clearly define performance measures, turnaround times, expectations, escalations, and use of third parties or subcontractors.