The instruction came from above, and there is no escape from it: You are responsible for your organization’s vendor management process.
You have seen the guidance. You know it’s a big job. But where to start?
Vendor management is the process of continuously assessing the risk that a third-party vendor and its subcontractors pose to your institution. It relies on policies, procedures, and tools to monitor and mitigate those risks, ensures that vendor risk stays commensurate with the institution's risk appetite, and covers each stage of the vendor relationship, from selection through contract negotiation, ongoing monitoring, and termination.
1. Decide who to involve in your vendor management plan
Just because you're in charge of vendor management doesn't mean it's entirely your responsibility. Vendor management touches almost every department and business line, so doing it well requires both board and management oversight.
The board approves significant vendor agreements and documents how it reached each decision. There must also be evidence that the board reviews significant vendor relationships on an ongoing basis and is told of any substantial changes to the program. Management is responsible for reviewing each vendor's performance over the life of the relationship to ensure that the vendor controls its risks and lives up to the contract terms.
It may help to have department heads oversee their own vendors and report the important information to you. Or it may be best for you to take the lead. Each institution will have its own approach.
The important thing is to ensure that vendor management is not siloed: the departments and business lines cooperate so that the program covers every vendor.
2. Choose a central location for vendor-related data
Vendor management requires collaboration, and that means having a single place where all policies, procedures, and documentation are accessible. A system with up-to-date information and a clear audit trail will save you many headaches down the road. You must keep the documents relating to contracts, business plans, risk analyses, due diligence, and oversight activities, including board and committee reports, for the required retention period.
3. Identify your vendors
If your institution doesn't have much of a vendor management process in place right now, chances are there is no master list of vendors. You will need to hunt down contracts and vendor agreements. The bad news is that these are likely to be spread across the institution on various computers and in file folders, filing cabinets, offices, and branches. Don't forget to ask Accounting for a list of invoices paid over the past year or two; this often uncovers vendors whose contracts have been lost.
4. Review contracts
Once you have gathered the contracts, look through them to see what services each vendor provides and when each contract expires. Watch for duplicate services, expiration dates, and auto-renewal clauses, and note any provisions that promise reports, audit results, or other documentation you should be receiving.
Also review pricing. If a contract is more than a few years old or auto-renews, your organization may be able to renegotiate it, saving money and making you look like a vendor management rock star.
5. Identify critical or high-risk vendors
Different agencies use different terminology, but it all comes down to the same thing. A critical or high-risk vendor is one that performs or provides critical functions or services, such as payments, lending, deposits, clearing, or IT. It also includes any vendor that:
- Could expose the organization to significant risk, or significantly affect customers, if it fails to meet expectations
- Requires significant resources to implement, manage, or bring in-house
- Touches sensitive customer information
- May materially affect earnings, capital, or reputation
Identifying high-risk vendors is essential because they present the greatest risk to your organization. If the company mowing the branch lawn goes out of business, that's an inconvenience. If your mobile banking provider gets hacked, you have a real problem on your hands.
Define a rating scale for classifying vendors. Many institutions use Critical, Moderate, and Low; others prefer a more granular scale.
6. Do the due diligence
You now have a list of low-, moderate-, and critical-risk vendors, and you know what documents each must provide. It's time to collect them. Track down the documents you have been promised, and set up alerts to notify you of developments involving your vendors, such as financial trouble, lawsuits, legal or regulatory difficulties, and reputation issues.
Due diligence should be done before the contract is signed and throughout the relationship. Not every vendor requires the same level of diligence, so focus your efforts on the critical vendors, as they pose the most risk. Things to examine include:
Financial Status: Audited financial statements, filings, annual reports, litigation, etc.
Business Approach: Does the vendor use subcontractors? How well are they supervised?
Internal Controls: What internal controls, system and data protections, and privacy protections does the vendor have? Does it have audit coverage? What are its business resumption, continuity, and contingency plans? How strong is its management information system? Does it have insurance coverage? What are its underwriting criteria?
Marketing: How will the vendor use the organization's name on content and websites?
7. Risk Assess Your Vendors
Risk assessment is a broad practice that ranges from the institution's holistic approach to enterprise risk management (ERM) down to the specific resources available to identify, manage, and mitigate the risk of each vendor.
First, you need to understand the risk appetite of your institution. The board determines the risk appetite as part of the strategic plan. It is important to consider whether the costs, benefits, and risks of working with a third party are commensurate with the institution’s comfort zone and overall strategy. Potential risks include operational, transactional, compliance, reputational, financial, and cyber security risks.
This usually involves measuring and scoring two forms of risk: inherent risk and residual risk.
Inherent risk is the level of risk the institution would face if no controls were in place to reduce it. For example, consider the risk of a cyberattack if the institution had no defenses at all: an attack would be likely, and its impact could be huge.
Residual risk is the risk that remains after the controls are taken into account. It is greatest when the inherent risk is high and the controls meant to reduce it are ineffective, and it falls as effective controls are put in place. In the cyberattack example, some risk remains even after preventive measures such as firewalls and intrusion detection systems are considered.
To measure residual risk, you need to judge how effective each control is. That comes down to two factors: how much the control reduces the risk when it works, and how likely it is to work as intended. A firewall that fronts the entire institution has a large effect; updating the antivirus on a single computer has little.
It may be tempting to label every risk as significant or high. That is a terrible idea: if every risk carries the highest possible rating, the board cannot tell where to deploy its resources. Instead, the risks with the highest residual scores should be reassessed more often, and the effectiveness of their controls reviewed more aggressively.
Vendors with the highest residual risk will need the most attention.
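The scoring described above, as an added illustration rather than anything from the original article or a particular product: each vendor gets an inherent score from likelihood and impact, each control contributes an effect discounted by how reliably it works, and vendors are ranked by what is left. The 1-to-5 scales, the layered-control model, the tier thresholds, and the sample vendors are all assumptions chosen for the example.

```python
"""Vendor risk register: score inherent and residual risk, then rank vendors.

Added example, not the article's own tooling. The 1..5 likelihood/impact
scales, the control model and the tier thresholds are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effect: float       # fraction of the risk removed when the control works (0..1)
    reliability: float  # probability the control actually works as intended (0..1)

    def effectiveness(self) -> float:
        # A control only reduces risk to the extent it works: effect x reliability.
        return self.effect * self.reliability


@dataclass
class Vendor:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected) chance of harm with no controls in place
    impact: int      # 1 (nuisance) .. 5 (severe) harm to earnings, capital, customers, reputation
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        # Risk with no controls at all: likelihood x impact, on a 1..25 scale.
        return self.likelihood * self.impact

    def control_effectiveness(self) -> float:
        # Controls are treated as independent layers: each removes its share of
        # whatever risk the earlier layers left behind.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness()
        return 1.0 - remaining

    def residual_risk(self) -> float:
        # What is left after the controls: inherent x (1 - effectiveness).
        return self.inherent_risk() * (1.0 - self.control_effectiveness())


def tier(score: float) -> str:
    # Assumed thresholds on the 1..25 scale; tune them to the institution's risk appetite.
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "Moderate"
    return "Low"


def rank_vendors(vendors):
    """Return vendors ordered by residual risk, highest first, with both scores and tiers."""
    rows = []
    for v in vendors:
        inherent, residual = v.inherent_risk(), v.residual_risk()
        rows.append({
            "vendor": v.name,
            "inherent": inherent,
            "inherent_tier": tier(inherent),
            "residual": round(residual, 2),
            "residual_tier": tier(residual),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register: illustrative values, not real vendors or assessments.
SAMPLE_VENDORS = [
    Vendor("Core processor", likelihood=4, impact=5, controls=[
        Control("Annual self-assessment questionnaire", effect=0.2, reliability=0.5),
        # The "antivirus on one PC" control from the text: reliable but nearly no effect.
        Control("Antivirus kept current on the one PC that uploads files", effect=0.05, reliability=0.9),
    ]),
    Vendor("Mobile banking provider", likelihood=4, impact=5, controls=[
        Control("SOC 2 Type II report reviewed yearly", effect=0.4, reliability=0.9),
        Control("Customer data encrypted in transit and at rest", effect=0.3, reliability=0.8),
    ]),
    Vendor("Branch lawn care", likelihood=3, impact=1),
]

if __name__ == "__main__":
    for row in rank_vendors(SAMPLE_VENDORS):
        print(row)
```

Both the core processor and the mobile banking provider start at the same inherent score of 20, but the processor's weak controls leave it Critical while the banking provider's stronger controls bring it down to Moderate. That spread is the point: a register that rated both as Critical on inherent risk alone would give the board no way to decide where to look first.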
8. Engage in ongoing monitoring
The threat landscape is constantly changing, so you must keep assessing the effectiveness of controls to know whether each third-party vendor is performing as expected. Controls should be tested regularly, and the institution must track whether vendors are meeting their service-level agreements, performance metrics, and legal and regulatory requirements.
This ongoing due diligence should cover service quality, risk management practices, and financial reports. The results, read against the institution's policies and procedures, help you decide whether a vendor should be kept, placed on probation, or terminated.
9. Track the findings
Findings from the review process should be reported periodically to the board or the responsible committee. This is especially true for vulnerabilities, which must be identified, documented, and fixed quickly. Someone has to be accountable for tracking findings to closure so that nothing falls through the cracks. If you would rather not tie up an employee with that task, RMPro can take it on: it tracks your vendors continuously and sends both detailed and summary reports.
10. Negotiate contracts
Contracts are more than pricing agreements; they are the documents that set the terms and conditions of the relationship. It is essential to have policies and procedures in place for negotiating strong contracts that protect your institution's interests.
A written agreement should be more than a checklist of essentials. Its terms should be easy to understand and track, and specific and detailed enough to provide measurable benchmarks. The board must approve contracts with critical vendors.
The contract should spell out the rights and responsibilities of both the vendor and the financial institution. It should also cover confidentiality, dispute resolution, subcontracting, business continuity and contingency plans, the frequency of data reports and audits, data privacy, and ownership of intellectual property.
These 10 steps will help you build a well-organized vendor management process. Instead of struggling to get your arms around a sprawling collection of third parties, you will have a clear path to getting your vendor management house in order.