When considering a new product or service, financial institutions often ask potential vendors to complete a request for proposal (RFP). An RPF is a document designed to help determine if a third-party service’s service or product is a good match for an institution’s needs.
The value of an RFP is only as good as the questions and level of detail that goes into it. What does a good financial institution RFP look like? Joe Carso, vice president of risk management at Ncontracts, helps manage the RFP process at Ncontracts. A former bank compliance officer, Joe has analyzed hundreds of RFPs.
We asked him to share best practices for managing the RFP process, from drafting the document to reviewing the results.- When does an institution need an RFP?
- What should go into an RFP?
- What types of questions should I avoid?
- What should I look for in answers to my RFP questions?
- What’s the biggest RFP mistake financial institutions make?
- What’s a reasonable response time for a vendor RFP?
- How do you review an RFP once a vendor returns it?
Q: When does an institution need an RFP?
Joe Carso: The goal of an RFP is to ensure a financial institution buys a product or service that meets its needs at a competitive price. It helps ensure that critical relationships are assessed strategically and avoids conflicts of interest, such as signing up with a vendor because someone’s friend works there.
Different institutions have different requirements for when an RFP is needed. For some, it’s triggered by a cost threshold while others might just require an RFP to be sent out to multiple entities as a standard practice.
If it’s going to be a key piece of software, or it’s crucial to operations, or there’s an immediate need, or you know there’s a real regulatory risk, then you’ll probably want an RFP.
Q: What should go into an RFP?
Joe Carso: An RFP should not be a cookie-cutter document you send to every vendor. Templates have their place, but every RFP should be customized to reflect the product or service being evaluated.
This is your chance to compile everything you want to know about the software. The more relevant the questions are, the more relevant the answers are going to be.
There should be topical questions about functionality and whether it aligns with your expectations and goals. If the RFP doesn't align with your goals, then you're not going to get back any relevant information other than some security information.
The best RFPs have the subject matter experts involved. You want to involve the people who are going to use the software, those who will be the administrators, and those who will be responsible for its security and operation. The risk team will come up with some questions, the vendor management folks will have some and so will information security. Infosec will always have technical questions and questions about security. There’s a lot of boxes they need to check.
A good RPF is targeted and should ask about specific functionality. There should be some standard security questions, some enhanced security questions depending on the software’s function, and questions that delve into what this product does and whether it will help you accomplish your strategic goals.
They aren’t just a standard form that was written years ago and is outdated or asks a lot of questions for the sake of asking questions.
Related: 9 Steps for Successful New Vendor Onboarding
Q: What types of questions should I avoid?
Joe Carso: Yes or no questions can inhibit response quality if used excessively. Additionally, if you’re going to use them, include a space for commentary. Also, due diligence packets contain a lot of useful information and may eliminate the need to ask certain questions in the RFP.
Q: What should I look for in answers to my RFP questions?
Joe Carso: Always make sure the vendor's response satisfactorily answers your questions. Sometimes, RFP responses contain a lot of filler but fail to provide relevant information. If a vendor doesn’t meet a specific requirement, they should tell you—not try to distract from the question.
Q: What’s the biggest RFP mistake financial institutions make?
Joe Carso: Aside from having a standard RFP, the worst mistake I see is asking irrelevant questions based on old software purchases. Infosec changes so fast that it’s easy for an RFP to contain dated material.
Q: What’s a reasonable response time for a vendor RFP?
Joe Carso: Three weeks. The longer and more complex it is, the more time and resources the vendor will need to give you a detailed response. Make sure you know if your board or institution will require one and allocate time in your project schedule for responses.
Q: How do you review an RFP once a vendor returns it?
Joe Carso: Don’t have just one person review it. You’ll want to have those involved in writing the RFP review it to ensure the information is relevant. Senior management might also want to review it. When reviewing it, look to see whether the RFP responses align with what was said on the demo. Make sure the important questions are answered and you have everything you need.
If something is unclear, you can follow up and ask for clarification.
Interested in Learning More About RFPs and Contract Management? View Our Webinar: "Masterful Contract Management: How to Negotiate, Review, and Manage Contracts"
Subscribe to the Nsight Blog
Share this
Third-Party Risk Management 101: Is It Easier to Have Less or More Vendor Types?
Board Reporting: FAQ for Financial Institutions
