Your financial institution’s Board of Directors plays an important role in vendor management. They establish the strategic goals of your financial institution, determine its risk tolerance, and offer high-level guidance for the governance of third-party relationships.
As a manager, you are responsible for delivering periodic reports to the Board on the status of your institution’s vendors.
But what should you include in these reports?
Typically, the Board of Directors meets monthly to review your institution’s financial performance, evaluate and revise long-term strategic plans, and assess the effectiveness of your credit union or bank’s departments and divisions, among other agenda items.
They also discuss potential risks to your FI, including risks from third-party vendors. If you manage vendor risk, you need to deliver actionable insights to the Board on these relationships.
Remember that your Board doesn’t have the time to read a novel about your vendor management program. Giving them too much information is nearly as bad as giving them too little.
Determining what your Board needs to know about your bank or credit union’s vendors is critical to the success of your department.
Creating the Optimal Vendor Board Package
Managers execute the Board’s recommendations, overseeing the daily workload of their departments. Your financial institution may also have committees, which act as intermediaries between departments and the Board.
Regardless of the arrangement at your institution, creating the optimal board package and sharing your findings with them is a crucial aspect of successful vendor management.
Your vendor board package should include the following items:
New Vendor Contracts
If you have decided to outsource one of your bank’s functions to a third-party vendor, your Board will want to know the cost-benefit of this relationship. While there are many considerations when onboarding a new vendor, you should keep the package you deliver to the Board high-level.
How does this proposed third-party relationship help your institution achieve its goals? What factors will impact return on equity (ROI)? Will this vendor engage in high-risk, critical activities that have the potential to harm your financial institution?
Findings from Your Ongoing Monitoring of Vendors
You don’t need to report on every vendor in your board package. For instance, your financial institution’s board members are likely not interested in how the custodial staff you contracted to clean your branch locations performs.
For the most part, the Board wants and needs information on the performance of critical and high-risk vendors who pose the greatest risk to your institution’s integrity and viability.
How do you identify critical vendors?
You should start with some criteria for identifying critical vendors.
Access to Sensitive Data: Many financial institutions misidentify critical vendors because they conclude their access to sensitive data is either supervised or limited. If a third-party relationship involves access to sensitive data in any capacity, you need to consistently evaluate their controls. Your board package should include any red flags, including possible data breaches or loss, poor management of data, and non-compliance with data protection regulations.
Performance Issues: Your vendor board package should include any deterioration in third-party performance. During contract negotiations with a vendor, you should define thresholds for carrying out a particular activity as service-level agreements (SLAs). If your vendor dips below the agreed-upon thresholds for service, you need to inform your Board of Directors.
Decline in Financial Health: You should report any decline in the financial health of critical vendors to your Board of Directors, as these may cause the quality of service to decline and deteriorate, pose continuity of service risks should your vendor go bankrupt or be acquired, and cause financial losses to your institution.
To summarize, your vendor board package should focus on significant issues and concerns, including audit discrepancies, declining financial health, security breaches and data loss, service disruptions, compliance failures, and other indicators of heightened risk to your institution.
Termination and Continuation Service
Contracts with vendors should contain clauses that spell out the conditions when your relationship can be terminated. Failing to meet performance standards and non-compliance with regulatory requirements are common reasons for termination.
When terminating a contract with a vendor, your board package should include the reasons for the termination along with detailed plans for the continuity of activities. As a manager overseeing vendor relationships, you may conclude that bringing an activity in-house or contracting with another, more suitable vendor makes sense.
Taking a proactive approach to vendor management means more than simply identifying problems. Many contracts with vendors will automatically renew, and you should consistently explore alternative third-party relationships that may better fit your institution’s long-term strategic goals.
In your vendor board package, you should address the termination of vendors and your plan for continuity of service (whether binging in-house or using another third party), impact on consumers, a cost-benefit analysis of bringing the activity in-house or contracting with another vendor, and risks associated with exporting data.
Checklist for Your Vendor Board Package
Your board of directors needs the following information to provide guidance in managing vendor risk:
- The strategic purpose of the relationship and its alignment with your institution’s goals and risk tolerance
- The benefits and risks of the proposed vendor relationship
- A thorough understanding of any special circumstances, including your vendor’s technology needs, penetration, consumer interactions, and your proposed vendor’s use of foreign-based service providers
- The direct and indirect costs of the relationship
- Impact on your consumers, including your proposed vendor’s handling of consumer NPI (non-public information), complaint management, and other potential harms to consumers
- The security implications of your proposed relationship and vendor access to your institution’s computer systems, data, and facilities
- Your plan for monitoring the relationship, encompassing monitoring for compliance and remediation in the event of your proposed vendor’s breach of contract
- Plans for the termination of the relationship
Remember that your vendor board package should focus on third-party vendors performing critical or high-risk activities. Including the above in your package gives your Board of Directors what they need to help directors understand third-party risks and how management is addressing those risks.
Subscribe to the Nsight Blog
Share this
The FFIEC Brings the Board to the Block
ERM 101: What’s Your FI’s Risk Appetite?
