As CIOs juggle a growing pile of new risk management requirements covering security, BSA (Bank Secrecy Act) compliance and disaster recovery, they also have to contend with an expanding number of vendor relationships. Even the smallest bank deals with dozens of vendors, and each of them potentially represents a major risk to the institution.
Regrettably, vendor management is virtually non-existent at many institutions, consisting only of regulator-provided templates that sit unused. At a recent CIO roundtable I attended, the topic of vendor management iced down the room. Very few had best practices to share. It seems vendor management initiatives are being out-prioritized, landing at the bottom of most project queues. With auditors beginning to push the issue, it’s increasingly important that bankers keep apprised of the regulatory requirements and share emerging best practices.
One driver bringing vendor management to the forefront is the accountability being pushed up the ranks. Board members who were invisible before are suddenly center stage as they realize they are personally accountable to the regulators. The days of vendors wining and dining the board or senior management to win deals are fading as regulators keep a close watch on how and why vendor decisions are made, especially on large projects like core.
The bank cops actually got it right this time, and in many ways they have pioneered much of the work on structuring sound vendor management strategies. In my experience with core systems selections, it has become very clear that a well-documented and comprehensive selection process is worth its weight in gold when the time comes to satisfy the auditors.
At Gonzo’s flagship, Cornerstone Advisors, we believe a formal process is critical when choosing new systems. The idea is to provide the tools necessary to make sound, non-emotional decisions based on factual and relevant data gathered during the selection process.
Of course, the million dollar question is, “What data is relevant?” Unfortunately, guidance from the regulators has been somewhat vague. When selecting a service provider, regulators are pushing a three-stage approach:
Stage 1: Risk Assessment
Guidelines: Complete a risk assessment to identify needs and requirements.
Best Practices: Complete a needs assessment that identifies long- and short-term strategies and business objectives, and define the specific functional business requirements essential for delivery. Next, analyze where those needs are and are not being met by current technology providers. Sounds easy, right? Senior management then has the difficult task of determining whether the deficiencies are worth a change. This is more art than science, but regulators look favorably on a documented thought process behind the decision.
Stage 2: Selection Process
Guidelines: Complete “proper” due diligence to identify and select a provider.
Best Practices: Identify the metrics on which the decision will be centered. At Cornerstone, we divide the decision into five categories (functionality, risk, vendor strength, architecture and price) covering the major areas regulators focus on. Each category is weighted up front and rated throughout the process. Next, make a list of vendors that are financially viable and can meet the strategic needs identified in the risk assessment. If you’re not sure which vendors meet these criteria, you’re not alone. Get some outside help or talk to other institutions with similar strategic goals. Once the vendors are identified, the real work begins. The due diligence process must be well documented, and commitments made by the vendor during this period ultimately need to be written into the contract.
Stage 3: Contract
Guidelines: Execute a contract that clearly outlines duties, obligations and responsibilities of the parties involved.
Best Practices: GonzoBanker has shared its thoughts many times on best practices in contract negotiations. Here is a quick list of topics that need to be included from a regulatory standpoint:
Formulate a Vendor Management Plan
It’s important not to over-engineer the vendor management plan. Don’t create a 500-page encyclopedia so detailed that no one reads or understands it. Instead, focus on the processes and information that will actually help manage vendor relationships, not just “appear” compliant with regulations. Follow these steps to create a basic vendor management plan:
For the last several years, we’ve been inundated with privacy and security mandates from SOX, GLB, BSA, FFIEC and so on. Billions have been spent on compliance centered on protecting customer information and providing for safety and soundness, and unfortunately there’s no end in sight to the continued pressure from regulators. Vendor management has been on CIOs’ minds for some time now, but most banks haven’t put a strong enough program in place. Implementing even a basic vendor management strategy should keep the regulators off your back and hopefully provide some business value as well.
-ew