
Manage That Vendor!

As CIOs juggle a ton of new risk management requirements including security, BSA and disaster recovery, they also have to contend with a growing number of vendor relationships. Even the smallest bank can deal with dozens of vendors, each of which potentially represents major risks to the institution.

Regrettably, vendor management is virtually non-existent at many institutions, consisting only of regulator-provided templates that sit unused. At a recent CIO roundtable I attended, the topic of vendor management iced down the room. Very few had best practices to share. It seems vendor management initiatives are being out-prioritized, landing at the bottom of most project queues. With auditors beginning to push the issue, it’s increasingly important that bankers keep apprised of regulatory requirements and share emerging best practices.

One driver bringing vendor management to the forefront is the accountability being placed up the ranks. Board members who were invisible before are suddenly center stage as they realize the responsibility of regulatory accountability. The days of vendors wining and dining the board or senior management to win deals are fading as regulators keep a close watch on how and why vendor decisions are made, especially on large projects like core.

The bank cops actually got it right this time and in many ways have been the leading pioneers in much of the efforts around structuring of sound vendor management strategies. In my experience with core systems selections, it’s become very clear that a well documented and comprehensive selection process is worth its weight in gold when the need arises to satisfy the auditors.

At Gonzo’s flagship, Cornerstone Advisors, we believe a formal process is critical when choosing new systems. The idea is to provide the tools necessary to make sound, non-emotional decisions based upon factual and relevant data gathered during the selection process.

Of course, the million dollar question is, “What data is relevant?” Unfortunately, guidance from the regulators has been somewhat vague. When selecting a service provider, regulators are pushing a three-stage approach:

Stage 1: Risk Assessment
Guidelines: Complete a risk assessment to identify needs and requirements.

Best Practices: Complete a needs assessment that identifies long- and short-term strategies and business objectives, and define the specific functional business requirements essential for delivery. Next, analyze where those needs are and are not being met by current technology providers. Sounds easy, right? Senior management then has the difficult task of determining whether the deficiencies are worth a change. This is more of an art than a science, but regulators look favorably on a documented thought process behind the decision.

Stage 2: Selection Process
Guidelines: Complete “proper” due diligence to identify and select a provider.

Best Practices: Identify the metrics on which the decision-making process will be centered. At Cornerstone, we divide the decision into five categories (functionality, risk, vendor strength, architecture and price) covering the major areas regulators have in focus. Each of these categories is weighted upfront, before any vendor is rated, and then rated throughout the process. Next, make a list of vendors that are financially viable and can meet the strategic needs identified in the risk assessment. If you’re not sure which vendors meet these criteria, you’re not alone. Get some outside help or talk to other institutions with similar strategic goals. Once the vendors are identified, the real work begins. The due diligence process must be well documented, and commitments made by the vendor during this period ultimately need to be written into the contract.

Stage 3: Contract
Guidelines: Execute a contract that clearly outlines duties, obligations and responsibilities of the parties involved.

Best Practices: Gonzobanker has shared our thoughts many times regarding best practices in contract negotiations. Here is a quick list of topics that need to be included from a regulatory standpoint:

  • Term and Termination
  • Service Level Agreements
  • Security and Confidentiality
  • Internal Controls – a SAS 70 is not enough! (A SAS 70 report covers controls relevant to the vendor’s financial reporting; it says little about how your customer data is secured, so require independent security assessments as well.)
  • Ability to Monitor Compliance
  • Ownership and Licensing Rights
  • Dispute Resolution
  • Indemnification
  • Limitations of Liability
  • Business Resumption and Contingency Planning
  • All Related Costs

Formulate a Vendor Management Plan
It’s important not to over-engineer the vendor management plan. Don’t create a 500 page encyclopedia that is so detailed no one reads or understands it. Instead, focus on the processes and information that will actually help manage vendor relationships, not just “appear” compliant with regulations. Follow these steps to create a basic vendor management plan:

  • Have a common process – Define a simple process that every department must adhere to for reviewing existing and selecting new vendors.
  • Have an owner – Appoint an internal position that is responsible for enforcing these policies – the compliance officer or the project management leader are good candidates.
  • Develop the database – Identify all current vendors, no matter what type of relationship, and build a consolidated database of vendor information. Be sure to include relevant contact information and contract milestones (renewal dates, notice deadlines, scheduled reviews) and develop a tickler report that is reviewed by the CIO. Also track vendor information such as financial statements, SAS 70 reviews and recent corporate news announcements.
  • Utilize a simple risk rating framework – Define three to five categories of risk based on vendor access to sensitive customer information and how vital the service provider is to daily operations. Questions to ask when categorizing include:
  • Risk rate each vendor – Rate each of your current vendors accordingly. Riskiest providers include core, Internet banking, data communications and ATM/debit.
  • Keep the process active – Define oversight responsibilities for each risk category, focusing more management attention on the riskiest vendors.
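To make the Stage 2 scoring and the vendor-management plan concrete, here is an added Python example; it is not Cornerstone’s or the article’s own tooling. It fixes the five category weights before any vendor is rated, tiers each vendor on the two questions above (what customer data it can reach, how vital it is to daily operations), and produces the tickler report of contract milestones and overdue reviews. The weights, tier rule, vendor names, dates and review interval are all assumptions constructed for illustration.

```python
"""Vendor inventory helpers: upfront-weighted selection scoring, a simple
risk tiering rule, and a contract-milestone tickler report.

Added example, not Cornerstone's tooling. The weights, tier rules, vendor
names and dates below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Stage 2: decide the category weights before any vendor is rated, so the
# weighting cannot be tuned after the fact to favour a preferred vendor.
SELECTION_WEIGHTS = {          # assumed weights; must sum to 1.0
    "functionality": 0.30,
    "risk": 0.20,
    "vendor_strength": 0.15,
    "architecture": 0.15,
    "price": 0.20,
}
assert abs(sum(SELECTION_WEIGHTS.values()) - 1.0) < 1e-9


def selection_score(ratings: dict[str, float]) -> float:
    """Weighted score (1-5 scale) for one candidate; every category is required."""
    missing = set(SELECTION_WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated categories: {sorted(missing)}")
    for cat, r in ratings.items():
        if not 1 <= r <= 5:
            raise ValueError(f"{cat}: rating {r} outside 1-5")
    return round(sum(SELECTION_WEIGHTS[c] * ratings[c] for c in SELECTION_WEIGHTS), 2)


# Vendor-management plan: three tiers driven by two questions, what customer
# data the vendor can reach and how vital the service is to daily operations.
DATA_ACCESS = {"none": 0, "internal": 1, "customer_npi": 2}   # NPI = non-public info
CRITICALITY = {"low": 0, "medium": 1, "high": 2}


def risk_tier(data_access: str, criticality: str) -> int:
    """1 = highest risk (most oversight), 3 = lowest."""
    worst = max(DATA_ACCESS[data_access], CRITICALITY[criticality])
    # Customer NPI access or high operational dependence alone puts a vendor
    # in tier 1; tier 3 is reserved for no data access and low criticality.
    return {2: 1, 1: 2, 0: 3}[worst]


@dataclass
class Vendor:
    name: str
    service: str
    data_access: str
    criticality: str
    contract_end: date
    notice_days: int                 # days before contract_end to give notice
    review_months: int = 12          # assumed review interval per tier-1 vendor
    last_review: date | None = None

    @property
    def tier(self) -> int:
        return risk_tier(self.data_access, self.criticality)

    @property
    def notice_deadline(self) -> date:
        return self.contract_end - timedelta(days=self.notice_days)


def tickler(vendors: list[Vendor], as_of: date, horizon_days: int = 90):
    """Milestones due within the horizon, riskiest vendors first."""
    items = []
    for v in vendors:
        for label, due in (("notice deadline", v.notice_deadline),
                           ("contract end", v.contract_end)):
            if as_of <= due <= as_of + timedelta(days=horizon_days):
                items.append((v.tier, due, v.name, label))
        # Tier-1 reviews that are overdue, or never done, are flagged regardless
        # of the horizon: these are the core, Internet banking, ATM/debit vendors.
        if v.tier == 1 and (v.last_review is None or
                            (as_of - v.last_review).days > v.review_months * 30):
            items.append((v.tier, as_of, v.name, "periodic review overdue"))
    return sorted(items)


# Constructed inventory and reporting date for the demo
AS_OF = date(2025, 7, 1)
INVENTORY = [
    Vendor("CoreCo", "core processing", "customer_npi", "high",
           date(2025, 12, 31), 180, last_review=date(2024, 6, 1)),
    Vendor("NetBank Inc", "Internet banking", "customer_npi", "high",
           date(2026, 3, 31), 90),
    Vendor("LawnPro", "grounds maintenance", "none", "low",
           date(2025, 8, 1), 30),
]

if __name__ == "__main__":
    print(selection_score({"functionality": 4, "risk": 3, "vendor_strength": 5,
                           "architecture": 3, "price": 2}))
    for row in tickler(INVENTORY, AS_OF):
        print(row)
```

The tiering rule deliberately takes the worse of the two answers rather than averaging them: a vendor with no operational criticality but full access to customer data still lands in the top tier, which is the outcome an examiner will expect. The tickler sorts by tier first so that the CIO sees the core and Internet banking milestones before the landscaping contract.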

For the last several years, we’ve been inundated with privacy and security mandates from SOX, GLB, BSA, FFIEC, and so on. Billions have been spent on compliance centered on protecting customer information and providing for safety and soundness. And unfortunately, there’s no end in sight to the continued pressures from regulators. Vendor management has been on CIO minds for some time now, but most banks haven’t put a strong enough program in place. Implementing even a basic vendor management strategy should keep the regulators off your back and hopefully provide some business value as well.
-ew

Managing vendors is serious business

Whether inventorying your infrastructure, assessing your current vendor relationships or looking to choose a new data processing system provider, you can count on Cornerstone Advisors’ unmatched vendor experience to guide you in making educated technology decisions.

From systems evaluation to vendor selection to contract negotiation to conversion oversight, Cornerstone has done it all – and we’ve done it many, many times.

And we take it very, very seriously.

Tell us your needs and we’ll talk. 

Cornerstone Advisors 
Where Strategy Meets Execution