Case Study · Banking & Financial Services
$10B Credit Union
How a VP of Third-Party Risk Management strengthened enterprise vendor governance with Fortrex VendManage®.
The Challenge
As Vice President of Third-Party Risk Management at a $10B credit union, this risk leader was responsible for governing a large, complex ecosystem of third-party vendors supporting core banking, digital channels, cloud infrastructure, fintech partnerships, and critical operational services.
As the organization scaled, third-party risk expectations increased, both internally and from regulators. While policies existed, execution across business units was inconsistent and resource-intensive.
“At our size, third-party risk management has to operate like an enterprise control function. Regulators, the board, and executive leadership all expect complete visibility and defensibility.”
Key challenges included:
- Thousands of third parties across multiple lines of business
- Inconsistent risk tiering and due diligence execution
- Vendor documentation and contracts dispersed across teams
- Limited real-time visibility into critical and high-risk vendors
- Manual tracking that slowed onboarding and renewals
- Increasing regulatory focus on governance, cybersecurity, and operational resilience
The VP needed a solution that would standardize execution, improve visibility, and scale without increasing internal headcount.
The Solution
The credit union partnered with Fortrex to implement VendManage®, Fortrex's fully managed Third-Party Risk Management service.
VendManage® provided an end-to-end operational framework for third-party risk, covering vendor inventory, risk classification, due diligence, contract oversight, and ongoing monitoring, while aligning directly with regulatory expectations.
“We needed more than a platform. We needed experienced practitioners who could run the program day-to-day and stand behind it during exams.”
As part of the engagement, Fortrex designed and operationalized a risk-based vendor tiering and assessment model using Fortrex VendSure®, integrated into the VendorPoint® platform. Fortrex worked as an extension of the credit union's TPRM team, delivering:
- Centralized vendor inventory with consistent classification
- Vendor tiering into Critical, Material, and Minimal categories
- Risk-based due diligence aligned to NCUA, FFIEC, and regulatory guidance
- Vendor risk assessments tailored to business case, data types handled, and product context
- Contract and renewal oversight to prevent unmanaged risk exposure
- Clear ownership, workflows, and documentation standards
- Consistent execution across all lines of business
- Exam-ready evidence and reporting
The service was tailored to the credit union's governance model, allowing leadership to maintain oversight while Fortrex executed the operational workload.
The Results
Clear, defensible vendor tiering
Fortrex helped the credit union appropriately tier vendors as Critical, Material, or Minimal, based on business impact and risk exposure. This ensured oversight efforts were proportional and regulator-ready.
Risk-based assessments, not one-size-fits-all
Using Fortrex VendSure®, integrated into the VendorPoint® platform, vendor risk assessments were performed based on each vendor's specific business case, the type of data handled, and the product or service context. This eliminated generic assessments and improved accuracy and defensibility.
Enterprise-wide visibility into third-party risk
All vendor risk information, including tiering decisions, assessments, and supporting documentation, is centralized and consistently maintained, providing leadership with a clear view of critical and high-risk vendors.
Stronger regulatory outcomes
During regulatory exams, the credit union demonstrated a mature, risk-based TPRM program with clear evidence that vendor tiering, assessment depth, and ongoing monitoring aligned with regulatory expectations.
Reduced operational burden
Fortrex assumed day-to-day execution of vendor tiering, risk assessments, and ongoing monitoring, allowing internal teams to focus on governance and strategic risk decisions.
Improved consistency and defensibility
Standardized yet flexible processes ensured assessments were completed consistently while still accounting for differences in vendor function, data sensitivity, and operational reliance.
Improved executive and board reporting
Leadership received concise reporting showing vendor population by tier, assessment status, and risk exposure, enabling informed decision-making and stronger governance.
Scalable foundation for growth
As the credit union continues to expand its vendor ecosystem, Fortrex VendManage® and VendSure® provide a scalable, integrated framework without additional internal headcount.
“Fortrex VendManage® gave us confidence, not just that the work was getting done, but that it was being done the right way and would stand up to regulatory scrutiny.”
Vice President, Third-Party Risk Management
$10B Credit Union