ERM vs. Vendor Management: What’s the Difference?

Banking and the world of risk and compliance management are chock full of jargon, concepts, terms, and acronyms—and it’s not easy to keep it all straight.  

This blog breaks down two of the most-commonly mistaken and misused concepts: enterprise risk management (ERM) and vendor management. 

Let’s start with basic definitions: 

Enterprise risk management (ERM): Enterprise risk management is a system for managing risk holistically throughout a financial institution to create value.  

Vendor management (also known as Third-Party Risk Management): Vendor management is the process of overseeing third-party vendor and fintech relationships to reduce the risk these relationships. 

Read also: What is a Third Party?

Are ERM and vendor management the same thing?

No, ERM and vendor management aren’t the same thing.

ERM is about identifying, assessing, mitigating, measuring, monitoring, and communicating risk. It’s a broad umbrella that addresses a full spectrum of risk including:

• Operational risk 
• Transaction risk 
• Compliance risk 
• Third-party risk 
• Credit risk
• Strategic risk
• Reputation risk
• Cyber risk
• Concentration risk

ERM is more than fending off risks as they emerge. It’s implementing controls, including policies and procedures, to ensure appropriate risk management is addressed at all levels—from strategic planning to daily operations. It touches every department, looking at risk as a series of “what ifs” to determine how an institution can prevent that “what if” from becoming an eventuality. 

ERM is a team sport. Success depends on every player (or in this case, every department, function, or business line) contributing their knowledge and skills. While each one has a specific role and set of duties, no one operates on an island. They all must depend on each other.  

The chart below is an oversimplification of ERM, but it gets the point across. You can see how ERM recognizes the connections between different elements of risk management and how they overlap. One of those pieces is vendor management. 

Related blog post: ERM: Making the Connection 

Why do so many people confuse ERM and vendor management?

Every time a financial institution works with a third-party vendor, partner or fintech, it introduces the potential risk. That’s because regulatory agencies (and the public) don’t differentiate between a financial institution and a vendor it hires to provide a product or service. If a vendor makes a mistake, it reflects poorly on the financial institution—and can end up costing it thousands, or even millions of dollars. 

These risks include: 

• Compliance risk. Failure to follow federal or state regulations. 
• Cyber risk. Data breaches due to poor cyber controls.
• Reputation risk. Mistakes that bring negative attention.
• Operational risk. Failure to deliver products or services as promised.
• Fourth-party risk. When the vendors’ vendors pose a risk.
• Strategic risk.  When the vendor (and the activity your institution is undertaking with that vendor) prevents your organization from achieving its goals. 

Download our whitepaper: The Top 10 Risks Vendors Pose to your Financial Institution 

Some people confuse ERM and vendor management because—like ERM— vendor management requires addressing several kinds of risk. These include many of the same risks from the chart above.

However, vendor management only looks at these risks from the point of view of the vendor relationship. It assesses a vendors’ cyber controls and disaster recovery plans—not those of your institution. It looks at how vendors keep up with and comply with regulatory change. It doesn’t take stock of your own compliance management system (CMS). It reviews consumer complaints about vendors, not your institution at large. 

Do you need an ERM solution if you have a vendor management solution? 

An ERM solution is no substitution for a vendor management program. While they are both focused on risk, vendor management is focused on the vendor management lifecycle. This includes: 

• Planning for a relationship. Discuss the strategic reasons for outsourcing and the potential risks, including if this will be a critical vendor.
  
• Due diligence and third-party selection. Gather and analyze documents and information on potential vendors and choose the vendor that’s the best fit.

Related: Due Diligence Documentation: 9 Common Mistakes 

• Contract negotiation. Negotiate pricing and terms, including controls that will give your financial institution the information it needs to oversee the relationship.
  
• Oversight and accountability. Determine who at the institution is responsible for the relationship. If needed, have contract signed by the board. Report on vendor activities. 
• Ongoing monitoring. Review due diligence documentation and engage in cyber monitoring on an ongoing basis to ensure vendor controls remain effective.
• Termination. Ending the relationship.  

While vendor management includes elements of ERM (such as risk assessments, monitoring, and reporting), a vendor management program is more specialized. It includes functions such as: 

Contract management. Contract management is the process a financial institution uses to organize and oversee third-party vendor contracts and agreements. A good contract management system creates value by ensuring contracts are accessible, tracking key dates, and making it easy to identify important contract terms, including cost and performance expectations. 

Vendor risk assessments. Different vendors require different levels of due diligence depending on the access to sensitive data and potential for having a material impact on your institution. Vendor risk assessments help identify critical (or high risk or tier 1) vendors that require enhanced due diligence. 

Vendor onboarding. Long before a new vendor joins the fold, there needs to be discussions about why outsourcing is needed and what a good vendor looks like. Vendor management requires a step-by-step process for vendor onboarding.   

Due diligence document collection and analyses. Vendor management requires collecting and reviewing vast amounts of due diligence documentation. A good vendor management program has the tools to ensure all the necessary documents are collected and can provide help analyzing pages of legalese to understand what they all mean. 

Conclusion: Vendor management is one element of a good ERM program

ERM is not just about managing risk. It’s about applying the knowledge gained through good risk management to make better strategic decisions and more effectively reach goals and objectives.  

Vendor management provides insights that feed into an institution’s overall ERM program by helping the institution identify, assess, manage, and mitigate the risk posed by third-party vendors, partners and fintechs. It’s one essential piece in the ERM puzzle.

Want to learn more about connecting different departments and business lines to master risk management?