
Four Steps to Successful Vendor Management

April 21, 2005

With increased outsourcing and heightened regulatory concern, financial institutions have to carefully manage their relationships with vendors of all shapes and sizes, notes ABA Bank Compliance magazine. A proven four-step process for establishing a sound vendor management program will better prepare financial institutions for dealing with outside vendors.

Regulators have been concerned about relationships with vendors of products or services for many years. The ability of a financial institution to effectively select and manage vendors is directly related to the safety and soundness of the institution. That regulatory concern has heightened dramatically in recent years, in part because banks are outsourcing more services and technology.

In addition, year 2000 readiness emphasized to regulators and financial institutions the risks that financial institutions faced as a result of outsourced technology and other services. These concerns were bolstered by the Gramm-Leach-Bliley Act's privacy and information security requirements, and by developments in corporate governance resulting from well-publicized business failures and inadequately supervised management. What was once a relatively benign subject of regulatory scrutiny has assumed much greater importance. The decision to outsource certain functions, the selection of a vendor, and the supervision of that vendor are now fully entrenched as important parts of risk management and regulatory examination at all financial institutions. Four steps are necessary to appropriately outsource or contract for goods or services.

Step One: Risk Analysis

Fundamentally, proper vendor management is nothing more or less than risk management. This step requires the financial institution to identify the importance of the function to the organization, the nature of the activities the vendor will perform, and the inherent riskiness of the activity. The riskier the activity, the more important diligence becomes in selection, in contracting, and in supervision and monitoring. Of course, for regulatory purposes, the risk analysis must be carefully documented.

To properly assess the importance of the function, the financial institution must first analyze how the outsourced function meets its business needs and strategic objectives. Questions to ask include:

What would be the effect on the institution if the function failed or was not adequately performed?
Will outsourcing this function create dependency on the third-party provider for an essential function?
Are there other potential vendors that could quickly provide the same service if the current vendor fails?
Is the financial institution able to adequately oversee this outsourced function?

Step Two: Due Diligence in Vendor Selection

The intensity of due diligence required in selecting a vendor will depend on the results of the risk analysis the financial institution completed in deciding to contract with a vendor for goods or services. Due diligence requires a reasonable inquiry into the vendor's operational ability to meet the requirements of the proposed service and an inquiry into the vendor's financial ability to deliver on its promise. Financial institutions should also question operational issues such as staffing, expertise, and the vendor's internal controls. Assessing staffing requires questions such as:

What is the quality and experience of the staff?
Are there sufficient employees to meet the financial institution's expectations for performance?
Are the managers competent and familiar with the industry?
Are employees and management well trained?
Does the staff turn over quickly, or is it stable?

Assessing industry expertise requires questions such as:

How long has the vendor been involved in providing this service?
Does the vendor provide this service to other financial institutions?
Are there user groups or references that the bank can consult concerning quality?
How do these references assess the quality of service performed by the vendor?
Does the vendor rely on third parties or partners to provide the services?
Does the vendor have information concerning the expertise of these third parties?
What is the reputation of the business?
Has the vendor been involved in litigation that casts doubt on its ability to provide the services in the manner required by the bank?
Is the vendor aware of bank regulatory requirements and other legal requirements relating to its goods or services?

Depending on its risk analysis, the financial institution should consider on-site visits. If the vendor is geographically distant, will that distance affect the cost or quality of service? Financial institutions should also analyze the vendor's operations and controls. Some questions to ask include:

What are the vendor's security precautions concerning the bank's or the bank customers' confidential information?
What are the service provider's standards, policies, and procedures relating to internal controls, record maintenance, background checks on employees, and physical security of its operations?
What kind of internal audit is performed at the vendor?
Are there internal audit reports or internal control evaluations available for review by the bank?
Does the vendor have contingency plans in place? Are those plans adequate?

In performing its due diligence, the financial institution must consider the financial condition of the vendor. It should analyze any available audited financial statements. If audited financial statements are not available, the vendor's most recent and year-end balance sheet and income statements should be examined. If adequate financial information is not available for the vendor, the lack of information should itself be treated as a risk in the assessment of the vendor. In addition to financial information, the existence and adequacy of insurance coverage should also be questioned. Does the vendor have fidelity bond coverage, liability coverage, fire, data loss, document protection, and other coverage in amounts deemed adequate for the services the vendor is to perform? Will the bank's contract with the vendor require the vendor to make additional investments in personnel or equipment? Can the vendor easily absorb any such additional investment?

Step Three: Documenting the Vendor Relationship

Contract Issues

A strong contract with a significant vendor is essential to properly managing the relationship. Even relationships with vendors that provide low-risk services can, and often should, be defined in simple form contracts. All contracts should be in writing and, to the extent applicable, should cover expectations and responsibilities, the scope of work and fees, the type and frequency of reporting on the status of work, the process for changing the scope of work, ownership of any work product, an acknowledgement that the vendor is subject to regulatory review, privacy and information security, a process for ongoing monitoring and supervision, and dispute resolution. Legal counsel should review all significant contracts.

A common problem with many vendor contracts is that the expectations and responsibilities of the vendor and the financial institution are not adequately communicated. When problems develop, resolution becomes very difficult, as each party insists that the other is responsible. The scope of services to be performed should be carefully addressed in the contract. Scope should, at a minimum, include:

Services to be performed by the vendor
Responsibilities of the financial institution
Timeframes
Implementation activities
Details concerning fees
The financial institution's responsibility for expenses incurred by the vendor

Performance standards should likewise be included in the contract. What tolerance does the financial institution have for errors? If the contract is a technology contract, a service level agreement (SLA) is essential. An SLA establishes the performance standard and service quality expected under the agreement. For each service covered by the SLA, it should provide an acceptable range of service quality, a definition of what is being measured, a formula for calculating the measurement, and penalties for missing targets (or credits for meeting or exceeding them).

Vendor contracts must also reference the financial institution's right to monitor the performance and condition of the vendor. The contract should require the vendor to submit appropriate reports, including financial reports, audit reports, and internal control reports, depending on the risk assessment for the subject of the contract.

The term of the contract is another essential factor. Regulators are increasingly clear that they are concerned about the use of long-term contracts, especially in technology agreements. Technology changes rapidly, and financial institutions need the flexibility to change providers if the chosen vendor fails to keep up with current practices.

Step Four: Ongoing Supervision and Monitoring of Vendors

A financial institution must provide in its contracts for the ability to monitor vendors during the term of the contract. To adequately supervise a vendor, an officer must review and be accountable for the performance of the vendor. How much supervision is required is, of course, dependent on the institution's assessment of the risk of the particular service being provided. The staff assigned to oversee each vendor should have the necessary expertise to do so appropriately.

Monitoring and supervision should include ongoing (at least annual) review of the vendor's financial condition and insurance coverage, including verification that the insurance coverage represented to the bank is in force. The vendor's policies relating to internal controls and security should be reviewed, and some method of determining whether the vendor is actually following those controls should be developed. Review and monitoring also require an assessment of whether the third party has provided services in accordance with the representations made in the contract and in accordance with applicable regulations and laws. The vendor's contingency plans should be reviewed to be certain that they remain in place and have been adequately tested.

Document, Document, Document

The true purpose of a vendor management program is to maintain quality vendors and quality relationships with those vendors so that the financial institution operates efficiently and well. Beyond that purpose, each financial institution must prove to its regulator that vendors are managed efficiently and well. As compliance officers know, to satisfy regulators, documentation is paramount. Document the risk analysis performed at the time a decision is made to engage a vendor. Document the due diligence performed. Require effective contracts and maintain up-to-date versions of the contracts (complete with all amendments) in a place where the bank and examiners can easily review them. Document the process of monitoring and reviewing each vendor's performance. Report significant vendor relationships to the board of directors on at least an annual basis.

Vendor management is complex and, indeed, cumbersome and annoying. Properly implemented, however, it can save the financial institution money and spare it loss of reputation, failure to deliver core services with quality, and regulatory headaches.

This story was written by staff at The Point for Credit Union Research and Advice. Reprinted with permission.