Vendors—we all need them! Vendors are a crucial component of the success of any business. Vendor Management has become a regulatory hot button for bank regulators, but vendor management applies to any business—for-profit or nonprofit, private or public, all the way up to government. Every company relies on vendors in order to fulfill its mission as an organization and provide its clients what they need. No one can operate alone without depending on anyone else, and no single person or company can do it all. We all depend on each other to survive, locally and globally.
Vendors have the huge responsibility of providing their clients what they promised—of delivering on their brand. Each company, in turn, has the immense responsibility of vetting and performing due diligence on every vendor it partners with. Every function a company outsources to a vendor is a key factor in the overall success of that company. Therefore, each vendor has to be chosen carefully.
In banking, Vendor Management is part of the IT Security Program, which in turn is part of the Enterprise Risk Management (ERM) Program. At the same time, ERM should be integrated into the bank’s overall Strategic Plan. Banks need strategies to mitigate the risks that come from every area, and Vendor Management is one of them. In today’s business environment, however, every company, regardless of what it does, needs to have a Vendor Management Program in place.
The simplest way to establish a Vendor Management Program is to start with a Vendor Management Risk Assessment. Below are three key components of a risk assessment:
Criticality of vendor to the organization: How critical is this vendor to your operations? Can they be easily replaced? Rate each vendor from 1 to 5, where 5 is the most critical vendor. Example: your core system vendor is a level 5 in Criticality because a bank cannot run without it. Your shredding company, on the other hand, is a level 1 in Criticality because it can easily be replaced.
Confidentiality of information: What type of data does this vendor have access to (public, non-public or confidential)? What are the consequences if the information they hold gets out? Your bank’s core system vendor is a level 5 in Confidentiality because it has access to all your clients’ confidential data. Your shredding company is also a level 5 in Confidentiality because it too has access to all your clients’ confidential data, on paper.
Threat/Vulnerability of vendor: Is this vendor financially stable? What are the chances of this vendor still existing in the future? If they fail, do you have a backup vendor to perform this function? The best example I have here is the Accounts Payable vendor we used at my previous bank. The company suffered an irreparable system crash, to the point of shutting down the company! They gave us 30 days to figure out how we would pay our bills. Thankfully, we did have a backup company and switched all our vendors/bills to them. However, the pain we went through could have been avoided if we had known this company’s financial state and its disaster recovery plan (or lack thereof, in this case).
Once you complete a risk assessment, the next steps are to establish mitigating factors, recognize the residual risk of each vendor, and have a backup plan for each one. The Board of Directors should approve your Vendor Management Program as part of the overall IT Security Program and ERM, and the approval should be documented in the Board meeting minutes. This shows regulators and auditors that you are serious about knowing your vendors and are aware of the risks each vendor poses to your organization. Do not wait until you have a vendor crisis or, worse, until your data is out and you face a huge reputational risk. Having a solid Vendor Management Program is key to the success of a bank—or any business!
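To make the three-component assessment and the follow-on steps (mitigating factors, residual risk, backup plan) concrete, here is a small scoring script. It is an added example, not part of the original post and not a Malzahn Strategic or NContracts tool. The post defines the 1-to-5 scale for Criticality and Confidentiality; the script assumes the same 1-to-5 scale for Threat/Vulnerability, assumes the worst of the three scores drives a vendor's inherent risk, and assumes each documented mitigating factor (contract SLA, SOC report review, financial review, DR plan review) lowers the rating by one point. The vendors and their scores are constructed from the post's own examples (core system, shredding company, accounts payable vendor).

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed credit per mitigating factor (one point each); a real program would set these itself.
MITIGATION_CREDIT = {
    "contract_sla": 1,          # contractual SLAs and exit clauses in place
    "soc_report_reviewed": 1,   # vendor's SOC/audit report reviewed annually
    "financial_review": 1,      # vendor's financial statements reviewed
    "dr_plan_reviewed": 1,      # vendor's disaster recovery plan obtained and reviewed
}

# Assumed threshold: residual risk at or above this level needs a documented backup plan.
BACKUP_REQUIRED_AT = 4


@dataclass
class Vendor:
    name: str
    criticality: int        # 1-5, per the post: 5 = cannot operate without them
    confidentiality: int    # 1-5, per the post: 5 = access to all client confidential data
    threat: int             # 1-5, assumed scale: 5 = financially shaky / no continuity plan
    mitigations: list[str] = field(default_factory=list)
    has_backup: bool = False


def _check_scale(value: int, label: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")


def inherent_risk(v: Vendor) -> int:
    """Inherent risk before controls. Assumption: the worst dimension sets the rating."""
    for val, label in ((v.criticality, "criticality"),
                       (v.confidentiality, "confidentiality"),
                       (v.threat, "threat")):
        _check_scale(val, label)
    return max(v.criticality, v.confidentiality, v.threat)


def residual_risk(v: Vendor) -> int:
    """Risk remaining after mitigating factors; never drops below 1."""
    credit = sum(MITIGATION_CREDIT.get(m, 0) for m in v.mitigations)
    return max(1, inherent_risk(v) - credit)


def assess(vendors: list[Vendor]) -> list[dict]:
    """Rank vendors by residual risk and flag those that still need a backup plan."""
    rows = []
    for v in vendors:
        res = residual_risk(v)
        rows.append({
            "name": v.name,
            "inherent": inherent_risk(v),
            "residual": res,
            "needs_backup_plan": res >= BACKUP_REQUIRED_AT and not v.has_backup,
        })
    return sorted(rows, key=lambda r: (-r["residual"], r["name"]))


# Constructed sample vendors based on the post's examples.
SAMPLE_VENDORS = [
    Vendor("Core system", 5, 5, 2, ["soc_report_reviewed", "contract_sla"]),
    Vendor("Shredding company", 1, 5, 3, [], has_backup=True),
    Vendor("Accounts payable", 4, 3, 5, ["contract_sla"]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_VENDORS):
        flag = "  <- needs backup plan" if row["needs_backup_plan"] else ""
        print(f"{row['name']:<20} inherent={row['inherent']} residual={row['residual']}{flag}")
```

The output illustrates the post's point that the shredding company, despite its Criticality of 1, still carries a top Confidentiality rating, and that the accounts payable vendor with a weak financial/continuity picture and no backup is exactly the vendor to address before a crisis. Adjust the credits and threshold to match your own program; the structure (inherent score, documented mitigations, residual score, backup decision) is what the Board and examiners expect to see.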
At Malzahn Strategic (www.malzahnstrategic.com) we work with banks that want to increase their profitability by improving their operational efficiency. We focus on Strategic Planning, Enterprise Risk Management and Talent Management. Vendor Management is part of Enterprise Risk Management, and we can help you establish a solid yet simple program. We also partner with vendor management software companies, like NContracts, to help your organization manage the Program on an ongoing basis.