When properly constructed, a vendor management software solution is a tool that guides an institution through managing third and fourth-party vendor risk. It organizes existing processes and documentation while offering insights into improving vendor relationships and policies.
It’s more than a storage center for contracts. It’s an expert system that uncovers insights into vendor agreements and simplifies the due diligence process so that an institution can focus on the most high-level, big picture issues.
Related: Ncontracts Challenges the Gartner Vendor Management Magic Quadrant
Here are the top five features to look for when selecting a vendor management software solution:
1. Manages the entire vendor management lifecycle
2. Promotes collaboration
3. Reviews critical information at every level
4. Offers the ability to assess evolving vendor environment
5. Provides easy execution
1. Manages the entire vendor management lifecycle
Vendor management isn’t a one time-process that ends after due diligence and a signed contract. It’s a process that continually assesses the risks a third-party vendor and its subcontractors pose to a financial institution and provides tools to monitor and mitigate those risks. It ensures that vendor risk exposure is consistent with an institution’s risk appetite. It manages every step of the vendor management life cycle.
A vendor management software solution should:
Classify vendors. Not every vendor requires the same amount of scrutiny and due diligence. Vendor management software should aid in the identification of vendors that pose the greatest risk to an institution. It should then assist in classifying vendors on a scale of the institution’s choosing, whether it is critical, moderate, low or some other gradient. Not only does this address regulatory requirements for critical and significant vendors, but it empowers an institution to allocate vendor management resources for maximum efficiency. This ensures the most attention is dedicated to critical or significant vendors.
Aid in risk assessments. Vendor management software should aid in a risk assessment process, providing a quantitative approach to measuring both inherent and residual risk. Measuring risk isn’t about guesswork. It’s about thoughtfully considering the many factors that contribute to vendor risk. Vendor management software should help quantify the impact and likelihood of potential events in the context of what they mean to an institution’s operations, financials, reputation and other key considerations.
Conduct policy and procedure review. Policies and procedures are only valuable if they are followed consistently. Vendor management software should provide tools for ensuring that no step is overlooked. That includes processes for ensuring that risk controls are valid throughout the vendor management lifecycle.
Be audit-ready. Vendor management software should make it easy to track every step of the vendor management process from strategic discussions about outsourcing to signed contracts to continued due diligence. It should be easy to pull up lists of critical vendors, due diligence documents, board minutes and other essential information related to vendor selection and maintenance.
2. Promotes collaboration
When it comes to vendor management, there’s a big difference between thorough and redundant. Thorough vendor management is when different departments collaborate to efficiently monitor vendors. Redundant is when different departments individually monitor vendors, duplicating each other’s work.
Redundancy is surprisingly common. Think about how the typical institutions divvies up responsibility for critical vendors. At many institutions, the IT department handles cybersecurity, compliance tackles vendor management and someone else in IT oversees business continuity planning. These seem like different tasks, but there is actually substantial overlap.
For example, when it comes to financial institutions and security breaches:
1. Vendor management. Regulators want financial institutions to know if critical vendors are required to provide notice if there’s a security breach.
2. Cyber security. The FFIEC’s Cybersecurity Assessment Tool specifically asks if all critical vendors are required by contract to notify the financial institution when there is a security breach.
3. Business continuity planning. An institution should know how long it will take critical vendors to notify the institution of a security breach.
4. Compliance. The Gramm-Leach-Bliley Act specifically mentions that vendors with access to protected data should be required to notify the financial institution of a security breach.
5. Enterprise risk management. A bank needs to determine if critical vendors are required to notify the institution of a security breach.
Often, each team will meticulously follow regulatory requirements and best practices, never considering the possibility that someone else at the bank might be tackling a similar task. The result is silos that create duplicate work.
Ends redundancies. In the security breach example, there may be as many as five different groups compiling lists of third-party vendors, assessing the criticality of individual vendors and determining which vendors should report breaches and when. When it comes time to test controls, each control is tested five times instead of simply testing it once and sharing the findings with everyone involved. This repetition isn’t thorough—it’s just a waste of time and resources.
Eliminates inefficiencies. There can also be as many as five teams monitoring and setting policy for security breaches of critical vendors. Instead of working cooperatively to maximize knowledge and resources, each group starts from scratch. The compliance department doesn’t benefit from IT’s knowledge of cyber security. The vendor management and contract teams don’t necessarily understand the expectations of business continuity planning. Enterprise risk management isn’t providing the overall leadership needed to make the process function smoothly. It’s a waste of expertise.
Avoids discrepancies. When different groups unknowingly have overlapping responsibilities, it can create conflict as each group sets different standards and notification times. For instance, the IT team may require breach notification within one hour while compliance may say 24 hours. These kinds of discrepancies are red flags for regulators.
Financial institutions can break down silos with a vendor management system that allows departments to share information and see what work has already been done. When information is transparent and centrally available, it saves time and eliminates duplicate efforts. It also reduces third-party risk by ensuring everyone is operating on the same premises.
3. Reviews critical information at every level
At its heart, vendor management is about identifying, assessing, monitoring and mitigating third-party vendor risk through appropriate use of policies, procedures and documentation. An effective vendor management software solution will provide the oversight and insights necessary for each of these elements.
Gather missing contracts. Keeping contracts together seems like basic vendor management, but it’s common for banks without vendor software solutions to keep contracts in various file systems, drawers and branches without central organization. This can result in duplicate contracts with multiple vendors, ongoing contracts for services that are no longer used and other costly oversights. Vendor management software solutions should keep all contracts together so that it’s easy to find and classify vendor contracts by type or branch. When an institution can’t locate all its vendor agreements, it has no idea what it’s buying from whom.
Assess key points. Contracts are long documents designed by a vendor’s lawyers to be hard to understand. A vendor management solution should come with the expertise to decipher the legalese of even the longest contracts, highlighting the terms and provisions most important to an institution. These include costs, auto-renewals, termination, deadlines and service-level agreement provisions setting service expectations and promising reports and documentation. These allow an institution to make sure a vendor is delivering on promises and ensure that there is adequate time to explore alternative vendor options and negotiate new terms as a contract nears expiration.
Flexible and extensive reporting features. Today’s dynamic operating environment makes it essential for management, the board, auditors and examiners to be able to quickly decipher the state of an institution’s vendor management. A good vendor management software solution should be customizable, allowing an institution to pull up the reports it determines to be the most important.
The board plays a critical role in vendor management, making decisions about the institution’s strategic approach to risk and signing off on critical vendors. Vendor management software should make it easy for the board, auditors or examiners to quickly access up-to-date information about an institution’s vendor management decisions and the process it is following.
This is only possible when a vendor management software solution makes it easy to track the execution of the institution’s vendor management policies and procedures. It cannot be said enough: If it isn’t documented, then it didn’t happen.
Generate email reminders. It’s easy to overlook a step in a world where the expectations for an instantaneous response means that employee attention is constantly switching focus. Vendor management software should help employees cut through the clutter of everyday demands and ensure essential tasks are addressed promptly with email reminders. Employees or their supervisors should be able to set alerts for specific tasks and inform managers when a task needs attention.
4. Offers the ability to assess an evolving vendor environment
The work of assessing a vendor is never done. Choose a vendor management software solution that will empower the institution to keep tabs on vendors with minimal effort on its part.
Collect documentation. Document management is one of the most time-consuming elements of vendor management. Well-constructed vendor agreements promise the timely delivery of a variety of documents including SSAE 18s, financials, insurance, licensing, audit reports and test findings, among others. A financial institution with multiple critical vendors needs a solution that will track and store this influx of documentation. It should also make the institution aware when documents haven’t come and have tools in place for collecting these documents from vendors with minimal effort on the part of the institution.
Analyze reports. Vendor reports aren’t papers collected for appearance’s sake. They need to be carefully analyzed as part of an institution’s vendor management due diligence efforts. They help an institution understand if a vendor remains a reliable partner. Vendor management software needs to provide tools that will highlight significant changes so that an institution has the information it needs to make decisions, whether it’s questioning the quality of its vendors’ cybersecurity and incident response policies or its financial condition.
Provide ongoing monitoring and risk assessment. Whether it’s reports sent by a vendor or lawsuits, media reports or other news to suggest a vendor is experiencing challenges, a vendor management software solution needs to provide ongoing monitoring to ensure your institution’s due diligence efforts are informed. While vendor reports are essential, a lot can change in between the months or years a report is provided. These supplemental efforts should demonstrate to regulators that your institution is proactively monitoring vendors. It should also help you translate this information in risk assessments, giving you insights into changing vendor risk so that those risks can be properly mitigated using controls.
5. Provides easy execution
The goal of a vendor management software solution is to simplify and streamline vendor management, not add to the workload of an already overtaxed staff. Institutions should seek out a solution that tailors itself to the institution. The solution should alter itself to fit the institution, not the other way around.
Easy integration into existing processes. Too many vendor management software solutions force an institution to abandon its existing vendor management procedures and processes and use its prescribed approach instead. While many institutions can benefit from revamped policies, procedures and processes, that should be an institution’s decision, not the software vendor’s.
Institutions should seek out a solution that lets it continue using its own proven processes and conforms to its needs instead of forcing the institution to contort to meet vendor expectations. It should be easy to configure and customize.
Training and support. No matter how great a vendor management software system is, there will always be a learning curve during adoption. The solution provider needs to be there for the institution long after the contract is signed, providing one-on-one help to guide management and employees through execution and beyond. An institution should seek out a team that will be responsive to the institution’s evolving needs and dedicated to adapting its solution to its changing demands.
Vendor Risk Countdown: Top 10 Risks Third-Party Vendors Pose to Your Financial Institution
Subscribe to the Nsight Blog
Share this
What Is a SOC Report and How Can I Use it for Vendor Management?
9 Benefits Of Vendor Management Software Vs Manual Tracking
