In its simplest form, vendor management is the process of overseeing third-party service providers who work for your organization, from beginning to end. This process can take many forms, but is most often composed of these four elements:
- Planning and Risk Assessment
- Due Diligence and Selection
- Contract Structure and Review
- Oversight and Monitoring
This article briefly describes what to expect from each part of the process. Because the financial industry is highly regulated and considered relatively mature when it comes to vendor management, this article uses bank and credit union regulatory references to back up the recommended practices.
Planning and Risk Assessment
A foundational element to vendor management is planning and risk assessment. This is the part of the process where you answer the questions: "Do we need a vendor? If so, what risk is our organization taking on by outsourcing a particular service?"
Do we need a vendor?
Before selecting a new service provider, your organization should define business requirements to help determine if outsourcing is the right decision. According to the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, Outsourcing Technology Services Booklet:
"The definition of business requirements sets the stage for all outsourcing actions and forms the basis for subsequent management of the outsourced activity […]. The requirements definition phase should result in a detailed document containing descriptions of the institution's expectations relative to the outsourced service." (Pages 6 – 7)
As you define business requirements for a new service, consider using the questions in the companion post "Defining Business Requirements" as a place to begin the conversation.
What risk is our organization taking on by outsourcing this service?
If you determine outsourcing is the way to go, consider the risk your organization assumes by outsourcing this particular service.
Each of the federal agencies (i.e., the FDIC, FRB, OCC, and NCUA) has published its own guidance on the types of risk to consider; see the "Resources" section at the end for links. While there are minor variations among them, the core risk types to consider include strategic, operational, transaction, credit, compliance and legal, and reputation risk.
Due Diligence and Selection
Once the decision has been made to outsource a service and you have conducted a risk assessment, the next step is due diligence and selection.
According to the FFIEC's Outsourcing Technology Services Booklet:
"A financial institution should generate [a request for proposals (RFP)] from the information developed during the requirements definition phase. […] A financial institution should perform due diligence on the service provider's response to an RFP as well as the service provider itself. Due diligence should serve as a verification and analysis tool, providing assurance that the service provider meets the institution's needs." (Pages 9 – 10)
In other words, ask each prospective vendor whether it will meet your business requirements, and request documentation that validates the answer rather than taking it on faith. An easy and efficient way to gather that documentation is the "If-Then Method."
Learn more about this topic here: Four Steps to Simplify Your Vendor Due Diligence Process.
Gathering the documentation is only half the battle. Each document should be reviewed to ensure its contents are understood, and any gaps or exceptions it reveals should be noted against the business requirements. Our review templates can help structure that review.
When you have finished reviewing the gathered due diligence, the selection decision usually comes down to one question: "Which of these vendors best meets the organization's business requirements?"
Contract Structure and Review
The final step before engaging a vendor is to ensure the service provider's contract addresses what your organization needs. It is wise, and at times necessary, to involve legal counsel to assist with the review.
It is important to know and define requirements, expectations, and service level agreements before entering a relationship with a vendor, because it may be impossible to change them once the contract has been signed.
Oversight and Monitoring
Once the contract has been signed, it is your responsibility to ensure the vendor continues to meet the financial institution's business requirements. According to the FFIEC's Outsourcing Technology Services Booklet, this involves monitoring two things:
"Management should monitor service provider performance and potential changes in institution requirements throughout the life of the contract." (Page 18)
Monitor Service Provider Performance
When it comes to monitoring service provider performance, you can set yourself ahead of the game by doing two things:
- Rank the Relationship: Ranking each service provider relationship by its risk to the institution (e.g., Critical, Significant, Insignificant) helps you focus your time on the vendors that matter most.
- Schedule Reminders: Once you have ranked your service providers, schedule reminders to follow up with them on a cadence that matches the ranking. For example, you might review your "Critical" vendors annually, but your "Insignificant" vendors only every 18 months.
When it comes time to review a vendor's information again, the process is simpler than the initial due diligence. Gather the vendor's updated documentation and review the new documents to confirm that nothing material has changed, or, if something has, that the vendor still meets your requirements.
Monitor Potential Changes in Institution Requirements
As your financial institution grows and changes, there is a good possibility you will need to reevaluate the vendor relationship. You can determine this by reviewing your business requirements and asking whether anything in them has already changed or needs to change. If so, update your documentation and confirm that the vendor still meets the organization's needs.
Whether a vendor relationship ends voluntarily or involuntarily, your organization should have a plan for ensuring the separation is smooth. This is often referred to as a "termination contingency plan." If you must switch service providers, how will you do so?
Some questions to consider in your termination contingency plan include:
- Does the institution have an exit strategy?
- Does the contract have a cancellation clause? If so, what does it say?
- How can you get your data back from the vendor?
- What form will the data be in?
- Will any residual data be left with the third party?
- How long will the process take?
- Will transitioning away from the vendor result in any downtime?
Vendor management has a lot of moving parts, but with a standardized method the process becomes much easier. A good software solution can help you work more efficiently if it includes the most important vendor management features. Check out our Tandem Vendor Management Software product to see how it can help you manage your third parties.
Resources
- Tandem Vendor Management Software
- FFIEC IT Examination Handbook, Outsourcing Technology Services Booklet
- FDIC Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk
- FRB Supervision and Regulation Letter 13-19 / CA 13-21, Guidance on Managing Outsourcing Risk
- NCUA Supervisory Letter 07-01, Evaluating Third Party Relationships
- OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance