Store Home Board & Committees
Certified Regulatory Vendor Program Manager (CRVPM®) Level II course (online)

Your Price:
  • This course and certification is provided by the Compliance Education Institute.

    This course begins with setting up Lines of Defense, a classic risk management approach to structuring your vendor management program, and how to apply it to the basic hub & spoke vendor management structure discussed in Certified Regulatory Vendor Program Manager (CRVPM®) Level I. The course then goes on to address the five components of the vendor management life cycle.

    The five components of the vendor management life cycle are:

    1. Outsource Planning
    2. Vendor selection/due diligence
    3. Contract Management
    4. Periodic Review and Oversight
    5. Exit Strategy

    Who should attend
    This course is beneficial to anyone who has completed (CRVPM®) Level I.

    Pre-requisite for this course: CRVPM® Level 1

    The CRVPM® Level II expands upon existing concepts from the CRVPM® Level I course and introduces new concepts and content.

    In addition, it also introduces advanced concepts in vendor management and expands upon existing concepts covered in the CRVPM® Level 1 course so that a vendor management professional can continue to expand their vendor management knowledge and augment their program.

    As a CRVPM® Level II, these professionals:

    • Are recognized as an expert in the vendor management field
    • Increase their value to their credit union
    • Show examiners and auditors their credit union’s commitment to regulatory compliance and risk management
    • Demonstrate professional growth and an advanced level of regulatory knowledge
    • Hold a competitive advantage over others when seeking career growth

    To achieve the CRVPM® Level II designation, you must:

    • Have earned and maintain the CVRPM® Level I designation
    • Pass each of the five chapter exams with a passing score of 80% for each. Scoring is instant, so you will know your results immediately.

    By becoming a CRVPM® Level II, you receive:

    • Electronic certificate
    • CRVPM® ll designation
    • CRVPM® Level ll Advanced Reference Guide which is updated throughout the year as new rules, regulations and Guidance are issued and as new exam trends emerge and best practices are identified
    • Vendor Site Visit ScoreCard
    • Vendor BCP Feasibility ScoreCard
    • Comprehensive Vendor Exit Strategy document
    • Additional documents and tools to support your vendor management program
    • 1 year free telephone/email consulting support for vendor management issues/questions and GLBA 501(b) issues

    Chapter 1 – Lines of Defense and Outsource Planning
    Setting up Lines of Defense is a risk management best practice that any size institution can implement in order to formalize responsibilities and enhance the checks and balances required to ensure that vendor management policy is complied with (Governance – 2nd line of defense) enterprise-wide. This chapter expands upon the hub & spoke vendor management model to provide a more detailed look at the vendor management structure and process, and the responsibilities for each line of defense. Chapter 1 then continues into Outsource Planning and examines the 12 components of the Outsource Planning process.

    Chapter 2 - Due Diligence/Vendor Selection
    CRVPM® Level 1 covered the basic concept and process of conducting due diligence to ensure that the vendor can support the institution operationally and financially (adequate financial strength). CRVPM® Level II examines some specifics of due diligence including:

    • Vendor fraud
    • PCI DSS compliance
    • Conducting vendor site visits
    • Vendor’s business resilience capabilities and appendix

    Chapter 3 – Contract Management
    While guidance provides recommendations on contract structuring, technology service provider (TSP) contracts frequently leave the institution exposed to a number of dimensions of risk that guidance never warns you about. Attorneys and those skilled in contract review may help the institution mitigate risk when it comes time to dot the I’s and cross the T’s but if they are not well versed in technology issues then there are a number of exposures to be concerned about. This chapter covers the following exposures that anyone doing business with TSPs should be concerned about:

    • Technology
    • Data
    • Financial
    • Compliance
    • Legal
    • Cyber Security

    Chapter 4 – Periodic Review and Ongoing Monitoring
    While we know that we need to monitor our vendors on an ongoing basis and conduct periodic reviews in order to assess Controls, Condition and Performance, Chapter 4 discusses setting a baseline for that monitoring and review, and the red flags/green flags to look for during the course of the relationship. This chapter includes:

    • Key Performance Indicators (KPI’s)
    • Key Risk Indicators (KRI’s)
    • Vendor value

    Chapter 5 – Exit Strategy
    Considered as the first step in outsourcing, it is crucial to have an exit strategy prior to even engaging a vendor. There inevitably comes a time when most institutions decide to transition an outsourced service away from their current vendor and either move it to a new vendor or bring it back in house. All too often, this exercise is conducted reactively rather than proactively and leaves the institution exposed to many risks, expenses and legal issues. This chapter covers the following 6 components of a vendor exit strategy:

    • Risk management
    • Criticality/ease of replacement
    • Contract issues
    • Knowledge base
    • Total cost of ownership
    • Project planning & management

    About the presenter: Compliance Education Institute LLC

    Mick Kless is the founder and CEO of RISC Associates, a regulatory compliance consultancy and compliance automation tools developer, and Compliance Education Institute, the training and education division of RISC. He is a recognized industry expert on vendor management and the creator of the Certified Regulatory Vendor Program Manager (CRVPM) course. Mick has spent more than 30 years in financial services, has focused on GLBA 501(b) issues since 2001 and has specialized in vendor management regulatory issues since 2004.

    For course access questions, email

    Course length: 12 hours