Regulators continue to add to the already mile long list of risks bankers need to monitor. As if there’s not enough to deal with given our current economic instability, now the regulators have begun scrutinizing banks’ vendor management policies. Many banks got in the habit of ignoring available guidance due to the lack of enforcement. Friends, those days are over.
This is not necessarily a bad thing. The regulators are looking out for the banks’ best interests, right? I tend to agree with them in this case. In my travels, I’ve had a hard time finding a poster child for vendor management success. Oftentimes I see banks overpaying, missing important contract dates, and ignoring the myriad risks inherent in dealing with third party vendors. Let’s face it – the state of vendor management in the banking industry is below par.
With the increased regulatory pressures and a corresponding vendor management deficit, I think a Gonzo vendor management aptitude test is in order.
Directions: To determine your bank’s vendor management readiness score, read each of the questions below and pick the letter that most fits your institution.
1. How long will it take to produce a list of all vendors that includes a risk rating, important contract dates (notification/termination dates), financial summary, legal matters, etc.
a. 10 points – within the hour. Most of senior management could query our SQL database and pull up all of the information requested.
b. 5 points – within a day. Although we rely on our report query guru in IT, a report could be generated that includes all the requested information.
c. 0 points – within a week. Most of the information is tracked via an Access database somewhere on one of the shared drives. A call would need to be made to Freddy, our in-house counsel, who is supposed to track all this.
d. –5 points – unknown. We have no formal tracking mechanism. We rely on each of the vendors to store our contracts and make us aware of any upcoming contract dates, material changes in financial condition, legal issues, etc.
2. How often do you monitor your vendors’ financial status and any service levels that were negotiated?
a. 10 points – Our review period is dependent on the vendors’ overall risk to our institution. For example, high risk vendors like our core provider, ATM/debit processor, Internet banking vendor and others that have access to our customer information are constantly monitored and each quarter we ask for detailed financial statements, wins/losses and a report that outlines any failed service levels. This information is shared with the business lines and senior management for their sign off. Also, each of our vendors is required to send us an annual SAS70, which is reviewed and stored in our document imaging system.
b. 5 points – Each year, our accounting department is responsible for reviewing the financial strength of our high risk vendors. Nothing is done for our lower risk vendors like cash dispensers, in-house software for marketing, profitability, etc.
c. 0 points – We have no formal procedures for ongoing monitoring and reporting of our vendors.
3. When performing due diligence before selecting new vendors…
a. 10 points – Our bank includes all interested business lines in the process and reviews at least three alternatives, especially in larger, higher risk projects. A detailed requirements document is formulated and sent to each vendor for a formal response. An unbiased, unemotional decision is made based upon a mixture of functionality, vendor strength, risk, price and technology. We typically hire a consultant or have a dedicated in-house expert for larger projects.
b. 5 points – Most of the time, all relevant business lines are included in the search and selection of a provider. Sometimes we have projects that are run by the business lines, and a contract is signed before IT has reviewed the requirements to support the application. Typically, we use functionality and price as major drivers of selecting a new provider, but occasionally, a risk review of the vendor is conducted and weighs into the decision.
c. 0 points – IT runs all of our selection projects and sometimes picks vendors without asking the business lines for input. Usually the vendor that sends a good looking sales rep who wines and dines us wins our business. The more expensive the wine, the more likely we are to buy all the bells and whistles. If we have to go to a tie-breaker, the vendor with the best demo giveaway gets our business. Last year, we picked a CRM system for our retail group because the vendor gave each of the IT staff a Wii. Come to think of it, those darn branch folks are still not using the system because they think it’s too complicated … it only takes five minutes to do a referral.
4. When comparing prices of vendors during the selection process…
a. 10 points – We usually include instructions in the RFP that lay out all required functionality and any needed interfaces. Usually, vendors don’t follow the instructions so we follow-up with them individually to make sure we’re comparing “apples to apples”. We always ask the vendors to provide the lowest price upfront as they may not have a chance to reduce again before they get tossed. In most cases, we model costs for five years that include any upfront costs for software license, implementation or hardware. Also, ongoing maintenance and other costs related to upgrades, cost of living and growth in accounts, assets, users, etc. are modeled.
b. 5 points – We typically cut the number of vendors before we ask for a price. Functionality is usually the driver in the selection and price is negotiated after we’ve selected one or two finalists. We develop a spreadsheet that includes all the one-times and ongoing maintenance costs. We usually don’t account for growth or cost of living adjusters. A few times we’ve been burned because we didn’t purchase all of the modules we needed.
c. 0 points – If we include more than one vendor, we will look at the two proposals side by side and go with the lowest quote, not factoring in whether they are comparable. In the last Internet banking selection, the winning vendor was cheaper by $100,000. We didn’t realize the interfaces for Quicken/QuickBooks, bill pay, check order and cleared checks as well as capabilities for multi-factor were extra. These added up to more than $200,000.
5. Regarding your overall vendor management strategy…
a. 10 points – Our bank has a well-documented plan that includes procedures to follow when selecting a provider, internal controls are in place to ensure compliance and oversight, and ongoing monitoring and reporting is completed. The plan is constantly revised as the organization changes in size and complexity and regulatory guidance is updated.
b. 5 points – Our bank has a plan that covers all regulatory guidelines that were given to us in our last exam. We follow the policies for all high risk vendors (core, Internet banking, ATM/debit, datacom, etc.), but some rogue business lines still do not comply with all of the rules and run projects without including all relevant business lines.
c. 0 points – The regulators told us we need to formalize our vendor policies and procedures, and resources have been allocated to complete it.
d. –5 points – We treat all of our vendors the same regardless of risk, we have no service level agreements, and we usually rely on the vendors to inform us of any upcoming contract dates.
BONUS QUESTION: What movie title best describes your vendor management strategy:
a. 10 points – I am Legend. Our bank’s vendor management program is top notch and a best practice all financial institutions should follow.
b. 0 points – The Illusionist. While the regulators bought the story, in practice we really don’t follow the guidelines when justifying the need to use a third party, during the selection process or ongoing monitoring.
c. –10 points – Superbad. It speaks for itself.
Now, add up your score.
>50 – Congratulations, your bank is in the top tier of the industry. Let me know the person in charge of your vendor management strategy, I promise I won’t offer them a job
30 – 50 – Nice work, your organization is above most in the area of vendor management. While some work needs to be done on updating your plan, the regulators are probably comfortable with what you’re doing. There may be some cost savings related to contract renegotiations with current vendors.
15 – 30 – OK, you are very typical. It’s time to step up your vendor management plan. My guess is your vendor costs are probably higher than peer and there are several third party software applications that are not being used as effectively as they could be.
< 15 – Let’s face it, you need help. If you haven’t yet, formalize a vendor management strategy and either hire a consultant or dedicate a full-time employee that can get the job done by researching regulatory guidance and talking with other banks that have a formal vendor management strategy
Regulators continue to focus their efforts on evaluating banks’ overall risk mitigation strategies. One key area of focus this year is on third party vendor risk. Unfortunately, this is an area where banks have historically been lax in a clear strategy. Implementing a formal vendor management plan that incorporates both regulatory guidelines and business best practices will yield business and financial benefits while keeping the regulators at bay. Hopefully, you can use some of the best practices outlined above to tweak an existing plan or begin to implement a formal vendor management policy.
-EW
