The directive came from on high, and there is no escaping it: You are responsible for your institution’s vendor management process.
You’ve seen the guidance. You know it’s a big job. But where to begin?
Take a deep breath, let it out, and allow me to be your guide through the vendor management process.
Vendor management is the process of continually assessing the risks a third-party vendor and its subcontractors pose to your institution. It relies on policies, procedures, and tools to monitor and mitigate those risks. It ensures that vendor risk exposure is consistent with an institution’s risk appetite and manages every step of the vendor management process lifecycle.
1. Decide who is involved.
Just because you’ve been tasked with vendor management doesn’t mean it’s solely your responsibility. Vendor management touches nearly every single department and business line.
Both board and management oversight are necessary for successful vendor management. The board approves significant vendor agreements, documenting how it reached that decision. There also needs to be proof that significant vendor agreements are overseen and reviewed annually by the board and whenever there is a material change to the program. Management is responsible for a periodic review of the vendor’s operations to ensure the vendor is controlling risk and living up to the contract’s terms.
It may be practical to have department heads oversee their vendors and report critical information back to you. Conversely, it may be best for you to take the lead. Every institution will have its own approach. The important thing is to make sure vendor management isn’t siloed and that different departments and business lines collaborate to ensure vendor management is comprehensive.
2. Select a central location for vendor-related information.
Vendor management requires collaboration, and that means there needs to be one single place where all policies, procedures, and documentation will be stored. You’ll save yourself a lot of headache down the road if you make it easy to find up-to-date information in a system with a clear audit trail. Contracts, business plans, risk analyses, due diligence, and documents related to oversight activities, including board and committee reports, should be kept for a defined period of time.
3. Identify your vendors.
If your institution doesn’t have much of a vendor management process now, chances are there is no master list of vendors. That means you need to hunt down contracts and vendor agreements. The bad news is that these are likely to be spread out across the institution in various computers, file folders, filing cabinets, offices, and branches. Don’t forget to check in with accounting for a list of invoices paid over the past year or two. You may uncover vendors with lost contracts.
4. Review contracts.
Once the contracts are gathered, go through them to see what services each vendor provides and when the contract expires. Make note of duplicate services, expiration dates, and auto-renewals. Pay attention to provisions promising reports, audit results, and other notable documentation.
Also look out for pricing information. If a contract is more than a few years old or it auto-renewed, it’s possible your institution can renegotiate it, saving money and making you look like a vendor management rock star.
5. Identify critical, significant or high-risk vendors.
Different agencies use different terminology, but it all comes down to the same thing. A critical/significant/high-risk vendor is a vendor that performs or provides critical functions or services, including payments, lending, deposits, clearing, or IT. It also includes those that:
- Could cause the institution significant risk or significantly impact customers if they failed to meet expectations.
- Require significant resources to implement, manage, or bring in-house.
- Touch sensitive customer information.
- Could materially impact earnings, capital or reputation.
It’s important to identify high-risk vendors because they present a particularly large risk to your institution. If the guy who cuts a branch’s grass goes out of business, it’s an inconvenience. If your mobile banking provider gets hacked, you’ve got a real problem on your hands.
Develop a scale for rating vendors. Many institutions use critical, moderate, and low, but others prefer a more granular scale.
6. Conduct due diligence.
You have a list of low, moderate, and critical vendors. You know what kind of documents they are supposed to supply you. It’s time to collect them. Hunt down documents you’ve been promised, and set up alerts to keep you apprised of any developments related to your vendor like financial troubles, lawsuits, legal or regulatory difficulties, reputation issues, etc.
Due diligence should be conducted before a contract is signed and throughout the duration of the relationship. Not every vendor requires the same amount of due diligence. Concentrate your efforts on critical vendors because they pose the most risk. Things to look at include:
- Financial condition: Audited financial statements, filings, annual reports, litigation, etc.
- Business approach: Does it use subcontractors? How well are they monitored?
- Internal controls: What kind of internal controls, systems, and data security and privacy protections does the vendor have? Does it have audit coverage? What are its business resumption, continuity, and contingency plans? How strong are its management information systems? Does it have insurance coverage? What are its underwriting criteria?
- Marketing: How will the vendor use the institution’s name on materials and websites?
7. Risk assess your vendors.
A risk assessment is a broad exercise that covers everything from an institution’s overall approach to enterprise risk management (ERM) to the practical elements of what resources are available to identify, manage, and mitigate risk.
First, you need to understand your institution’s risk appetite. The risk appetite is set by the board as part of the strategic plan. It’s important to consider whether the costs, benefits, and risks of working with a third party align with the institution’s comfort zone and overall strategy. Potential risks include operational, transaction, compliance, reputational, financial, and cybersecurity risk, among others.
This is typically done by measuring and scoring two key forms of risk: inherent risk and residual risk.
Inherent risk scores represent the level of risk an institution would face if there weren’t controls to mitigate it. For example, think of the risk of a cyberattack if the institution didn’t have any defenses in place. It’s very likely the institution would be attacked, and it could have a huge impact.
Residual risk is the risk that remains after controls are taken into account. Residual risk is greatest when the inherent risk is high and the controls for mitigating the risk aren’t effective. It decreases when controls are effective. In the case of a cyber breach, it’s the risk that remains after considering deterrence measures like firewalls and intrusion detection testing.
To measure residual risk, it’s necessary to determine how effective controls are. This comes down to two factors: the impact of the control and how likely it is to work. For example, a firewall can be very important for keeping out hackers because it covers the entire institution. Updating the virus protection on a single computer has a much smaller impact.
The overly cautious might be tempted to label every risk a significant or high risk, but that’s a terrible idea. If every risk is labeled with the highest possible risk level, the board won’t know where to deploy resources. Higher residual risks should be addressed more frequently and their control effectiveness reviewed more aggressively.
Those vendors with the highest residual risk will require the greatest attention.
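To make the inherent/residual distinction concrete, here is an added example (not from the article, and not any institution’s actual model) that scores a few constructed vendors and ranks them. The formula is an assumption: inherent risk is likelihood × impact on a 1–5 scale, each control’s effectiveness is its coverage × reliability (the two factors named above) scaled to 0–1, and residual risk is what is left after each control removes its share. The critical/moderate/low thresholds are also assumed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed scoring model (constructed for this example, not the article's):
# every factor is scored 1 (low) to 5 (high).
#   inherent risk         = likelihood * impact                    -> 1..25
#   control effectiveness = coverage * reliability / 25            -> 0..1
#   residual risk         = inherent * product over controls of (1 - effectiveness)

@dataclass
class Control:
    name: str
    coverage: int     # how much of the exposure it addresses (a firewall covers the whole institution)
    reliability: int  # how likely the control is to work when needed

    def effectiveness(self) -> float:
        return (self.coverage * self.reliability) / 25.0

@dataclass
class Vendor:
    name: str
    likelihood: int   # chance the vendor fails to meet expectations
    impact: int       # damage to customers, earnings, capital or reputation if it does
    controls: List[Control] = field(default_factory=list)

def inherent_risk(v: Vendor) -> int:
    return v.likelihood * v.impact

def residual_risk(v: Vendor) -> float:
    remaining = 1.0
    for c in v.controls:
        remaining *= 1.0 - c.effectiveness()  # each control removes a share of what is left
    return round(inherent_risk(v) * remaining, 2)

def tier(residual: float) -> str:
    # Assumed thresholds; the article leaves the scale to each institution.
    return "critical" if residual >= 10 else "moderate" if residual >= 5 else "low"

def rank_vendors(vendors: List[Vendor]) -> List[Dict]:
    rows = [{"vendor": v.name, "inherent": inherent_risk(v),
             "residual": residual_risk(v), "tier": tier(residual_risk(v))} for v in vendors]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

def single_tier_warning(rows: List[Dict]) -> bool:
    # True when every vendor landed in one tier: the "label everything high" anti-pattern
    return len({r["tier"] for r in rows}) == 1

SAMPLE = [  # constructed vendors and controls
    Vendor("Lawn care (branch)", likelihood=2, impact=1),
    Vendor("Mobile banking provider", 4, 5,
           [Control("Perimeter firewall", 4, 3), Control("Intrusion detection", 3, 3)]),
    Vendor("Core processor", 3, 5, [Control("Antivirus on one workstation", 1, 3)]),
]
```

Running `rank_vendors(SAMPLE)` puts the core processor (strong inherent risk, one weak control) at the top and the mobile banking provider below it, showing how effective controls move a high-inherent-risk vendor down the list.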
8. Engage in ongoing monitoring.
The threat landscape is always changing so it’s important to assess the effectiveness of controls to understand whether your third-party vendor is performing as expected. Controls should be tested regularly, and the institution should track whether vendors are meeting service-level agreements, performance metrics and other contractual terms and complying with legal and regulatory requirements. This ongoing due diligence should monitor the quality of service, risk management practices, financials and controls and reports. The results, along with the institution’s policies and procedures, should be used to decide if a vendor needs to be terminated or put on probation.
9. Track findings.
Findings from the oversight process should be periodically reported to the board or a committee. This is particularly true for weaknesses, which should be identified, documented, and quickly remediated. It’s important that someone is accountable for follow-up, with systems in place to be sure nothing falls through the cracks.
10. Negotiate contracts.
Contracts are more than pricing agreements. They are important documents that outline terms and conditions, and it’s important to have policies and procedures in place for negotiating strong contracts that protect your institution’s best interests.
More than a checklist of must-haves in a written agreement, these are the items that should be easy to understand and track. They should be specific and detailed enough to provide measurable benchmarks. The board should sign off on contracts with critical vendors. Contracts should outline the rights and responsibilities of both the vendor and the financial institution. Topics to address include: confidentiality, dispute resolution, subcontracting, business continuity and contingency plans, frequency of data reports and audits, data privacy, and ownership of intellectual property.
These 10 steps will help you develop an organized vendor management process. Instead of struggling to make sense of an unwieldy collection of third parties, you’ll have a clear path to getting your vendor management house in order.