Financial institutions have outsourced certain functions for decades. But as vendor partnerships grow in complexity and in volume, evaluating third-party performance, assessing related risk and monitoring those risks become more challenging. Likewise, the stakes of failing at vendor management are escalating as risks become more dynamic, and more numerous.
It’s important to do what’s best for your organization, and that means managing vendor relationships meticulously. Here are four tips to help you navigate this convoluted but crucial process effectively.
- Segment vendors into risk tiers
Vendor relationships were traditionally indexed by size, according to McKinsey & Company. But size is an inadequate indicator of risk. Small vendors can pose big risks, which means the old way can easily result in third-party oversights. A better option is to segment vendors according to the nature of the risk they pose. To get started, rank vendors according to:
- Criticality: Who is the vendor and how important is it to operations?
- Confidentiality: What data or physical access does this vendor have?
These ranking systems make it easier for financial institutions to more clearly define vendors, and then slot them into accurate risk tiers. When the time comes for due diligence, higher-tier risks from smaller vendors are less likely to be overlooked. Alternatively, making sure certain due diligence actions are only applied where actually needed can save 40 percent on time and labor costs, according to McKinsey & Company.
- Automate due-diligence functions
According to the FDIC, an examiner “evaluates activities conducted through third-party relationships as though the activities were performed by the institution itself.” The FDIC adds that even financial institutions with indemnity clauses are still required to conduct banking activities “in a safe and sound manner and in compliance with law.” If a vendor fails to do either of those things, so does the financial institution as far as examiners are concerned. For this reason, due diligence is the heartbeat of vendor management.
One way financial institutions can improve this process is by automating certain parts of due-diligence monitoring. For starters, use FFIEC-based due-diligence templates that can be customized as needed. Then, take this a step further by integrating these templates with a task manager. This makes it easier to track the status of required and recommended due diligence items for each vendor. If something changes with a vendor between assessments – maybe there’s a new point of contact or a contract adjustment – you can automatically apply new due-diligence items in this central framework. Everything stays in, and is managed through, one place.
Strong vendor management is about consolidating information to make processes more automatic.
- Streamline document tracking
Ongoing due diligence requires the collection of hundreds if not thousands of documents. These include third-party certifications, SSAE-16 and SSAE-18 reports, job descriptions for certain vendor personnel, escalations reports (more on this below) and much more.
This is only the tip of the iceberg. Contracts and any other documentation pertaining to changes in SLAs and cost adjustments must also be organized and tracked over time. Likewise, information about incidents that could impact contracts going forward need to be well-accounted for.
To facilitate stronger tracking and record keeping, documentation should be centrally stored and organized, rather than filed away in scattered computer folders. This can help prevent things from slipping through the cracks.
- Structure escalation reporting
Establishing a method to report up the ranks is critical to expediting high-level decision-making. This process needs to be formal and well-documented to avoid discrepancies in what may end up being reported to executives, or to managers in business units that may not be well-aligned with one another.
Again, creating a centralized vendor management framework is key to this endeavor. It ensures that reports can be created so that they’ll reflect the same information. The reports that are then escalated to departmental executives will be consistent and accurate, allowing for swift, effective action to be taken at a high level. Having this paper trail is also important for justifying certain actions or allowances for particular vendors to examiners. It also has the tangential benefit of contributing to a stronger, organization-wide risk culture from the bottom up.