
Top 3 Questions: Vendor Management

What financial institutions today are asking about vendor management.
Now more than ever, regulators are concerned about the risks associated with financial institutions that use third-party vendors. Some regulators fear that third-party relationships create more risk than financial institutions can identify, manage or control on their own. These risks include not only threats to the financial institution's core business, but also to its customers' security and financial well-being.

Because many third-party vendors are not directly subject to certain banking or financial reporting requirements, they can expose financial institutions to a variety of civil or even criminal penalties. These issues have caused regulators to revisit their previous guidance, putting vendor management at center stage under a very bright spotlight. With all of the attention surrounding vendor management, there are naturally many questions and misconceptions among financial institutions that want to tackle the vendor management process. A few of them are addressed below.

Question: Can't I just outsource the risk management process?

Answer: To put it simply, NO!

We all know that regulation is a painful necessity. It helps to remember that regulation typically forms in response to a missing or ineffective business process. While essential, regulations do place added frustration and burden on financial institutions to meet compliance requirements that often seem daunting or irrelevant. As tempting as it may be, you can't completely outsource the risk, or the responsibility for risk management. However, once you begin to look at vendor management differently and understand that it is a strategic business process rather than a pain in the neck, you'll be pleased to find that there are significant benefits beyond satisfying regulation.

Things to consider:

Remember, Vendor Management is Not Just About Risk Management.

Vendor management is a business process that, when done correctly, can lead to improved performance, better cost management and, of course, controlled risk. In other words, if you are proactive and disciplined about managing your contracts, paying attention to the quality of service you are receiving, and performing both upfront and regularly scheduled risk assessments and due diligence, your risks will be significantly reduced. Tightly dovetailing your controls and processes with your vendor's helps close the gaps between what the vendor controls and what you control, so that fewer of them leave you exposed. At the end of the day, a true reflection of a strong vendor management program is decreased business risk. You get there by adopting disciplines that become part of the way you run your business day-to-day (not right before the regulators walk in the door!).

Know the Difference Between Vendor and Product.

It is important to note that when evaluating risks, you need to focus at the product level as opposed to just looking at the health of the vendor. You may buy multiple products from the same vendor (e.g. core processing, online banking, remote deposit capture), and each of these products, and your specific deployment of it, has its own unique risk profile. Take the recent Target data breach for example: after review by the PCI Security Standards Council, it was determined that there was no need to modify the standard. The breach was attributed to a failure to follow the vendor's recommended implementation of controls at the site of deployment (Target). Many risks are introduced simply because customers do not adequately implement the controls their vendors recommend. These controls change over time, so you can't just evaluate them when you implement a product. To truly control the risk, evaluate the controls and monitoring processes internally at least annually. Poor maintenance of controls, not the system or software itself, is the root cause of many a data breach.

Use Outsourcing for Enhancement.

Just because you can't completely outsource the risk or the responsibility for risk management doesn't mean you can't use tools or outside services to enhance your understanding. The vendor management process can't be set and forgotten, but there are tools and services you can use to supplement what you are already doing to manage your risk. Outsourced tools can help you be more proactive and thorough by automating the workflow involved in consistently instilling this discipline within your business. They make sure you are reminded when you need to take action, help you see the whole picture so you can make better informed decisions, and provide the high-level reporting that you, your management team and your board of directors need to stay continually aware of your growing number of third-party dependencies. Services can help you better interpret your vendors' audit reports, financial position, security documents and contracts. The responsibility is still yours, but you are not in it alone. Second opinions from experts can be a key element of your confidence in overseeing these critical vendor relationships.

According to a recent survey, 33% of organizations have a budget that supports tools and outsourced services to supplement vendor management programs. Business executives and senior management are starting to embrace the importance of vendor management to their overall strategic business goals and objectives. While executive support is on the rise, which is a great sign, many still don't have access to funds to invest in these tools and services. If you don't have a dedicated budget, it may still be worth a look to understand what's out there, and how inexpensive it can be to get started with your most critical relationships. The most important step is the first one, and there are options that allow you to grow into your process one step at a time.

Question: We do our vendor due diligence, isn't that enough?

Answer: No. Due diligence is done upfront, before you enter into a relationship. Things change.

Annual reviews are intended to give you a current understanding of your vendor's financial health, technology infrastructure and surrounding controls, as well as of your own implementation of the controls that pick up where your vendor's controls stop. A lack of proper oversight of the products you rely on from your vendors can result in penalties, legal action and serious reputational risk for your institution. That's why it is important to obtain the most accurate and complete information about your third-party vendors and their risk management processes not just upfront, but regularly for the duration of the relationship.

We know that the initial due diligence process itself can be time consuming and taxing on your staff, but it doesn't end there. After the contract is signed you still need to perform continual monitoring of your vendor relationships. If you are not engaging in vendor oversight on an ongoing basis, you are putting yourself at serious risk.

According to a recent survey, nearly 85% of financial institutions have high or medium support and involvement from senior management in regard to their vendor management program. This is yet another good sign that, as an industry, we are really starting to understand that investment in a good vendor oversight program is necessary and beneficial.

Things to consider:

Vendor Due Diligence is not Vendor Oversight.

While due diligence is critical in the beginning stages of vendor management, what's even more important is your ongoing oversight and monitoring activity. You will never have more leverage in the relationship than at the very beginning, during due diligence, so use it to ensure your vendor agrees upfront to provide you with the documentation you need to review regularly. This simple step can make life much easier for you down the road. Consider vendor oversight a light version of due diligence that is performed periodically. Regular oversight helps you regain some of the control that you had at the beginning of the relationship and keeps your vendor aware of your needs, keeping that deeper, more strategic conversation going on a regular basis. The result: you and your vendor will be better aligned, operational frustrations will get more attention, and together you'll deliver better service.

Look into Getting a Right to Audit Clause.

Something you should always do is include a right to audit clause in your contracts. A right to audit clause gives you the authority to assess your vendor at any time and is a good idea for organizations of all sizes, not only as a way to demonstrate due care, but also as a proactive step toward preventing security breaches or incidents. Not every vendor will agree to sign a right to audit clause (which is a telling sign in itself), but asking for one helps identify potentially risky business partners, supports compliance, and strengthens security and privacy controls.

Renegotiate! Renegotiate! Renegotiate!

Do not be afraid of renegotiation; it is helpful to adopt the mindset and discipline of actively renegotiating your contracts whenever possible. You are almost inevitably leaving money on the table when you are not diligent about renegotiating your vendor contracts at every opportunity. Think about it this way: vendors are professional negotiators. They negotiate hundreds of contracts every year, as opposed to a handful every couple of years like many of us, so we do not have the same skill set when it comes to contract negotiation. Often we believe we are getting a good deal when in reality we are missing out. Technology costs commoditize over time. Make sure you're getting the same deal a new client would get if they signed with your vendor today, and if you need extra help in this area, there are professionals who can lend a hand.

Maintain a Summary of Key Vendor Relationships.

Because you likely work with a long list of different vendors, it can be hard to keep track of all of them, much less monitor all of the relationships efficiently. It is important to maintain a summary of your critical vendor relationships in a centrally located and easily accessible place. Consider starting with your accounts payable system to develop your list of key vendors, and involve key business owners for their input as well. This may be a serious time commitment and undertaking at first, but it is a worthwhile activity that not only shows you what your supply chain is costing you, but also saves you a great deal of time, frustration and money in the long run. A few areas to consider tracking in your summary are: level of risk, renewal dates, notice dates and total cost of each contract.
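As an added example (not from the original paper, and not code from Digital Compliance, Venminder or Porter Keadle Moore), the short Python script below keeps exactly the summary described above at the product level and turns it into an action list: it derives each product's non-renewal notice deadline from the renewal date and notice period, flags products whose annual control review is overdue, orders the result by risk level, and totals spend per vendor. The vendor names, products, dates, costs, the 60-day warning window and the 365-day review interval are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumptions for this example: notice deadlines within this many days are
# flagged, and a product whose last review is older than this is "overdue"
# (the text says controls should be evaluated at least annually).
NOTICE_WARNING_DAYS = 60
REVIEW_INTERVAL_DAYS = 365

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class VendorProduct:
    vendor: str
    product: str
    risk: str            # "high", "medium" or "low"
    renewal_date: date   # contract renews (or auto-renews) on this date
    notice_days: int     # non-renewal notice is due this many days before renewal
    annual_cost: float
    last_review: date    # date of the last completed oversight review


def notice_deadline(p: VendorProduct) -> date:
    """Last day on which non-renewal notice can still be given."""
    return p.renewal_date - timedelta(days=p.notice_days)


def review_overdue(p: VendorProduct, today: date) -> bool:
    """True if the product's controls have not been reviewed within the interval."""
    return (today - p.last_review).days > REVIEW_INTERVAL_DAYS


def action_items(inventory, today):
    """Return (product, [flags]) for every product needing attention,
    highest risk first and, within a risk level, earliest notice deadline first."""
    items = []
    for p in inventory:
        flags = []
        deadline = notice_deadline(p)
        if deadline < today:
            flags.append("notice deadline passed")
        elif (deadline - today).days <= NOTICE_WARNING_DAYS:
            flags.append(f"notice due {deadline.isoformat()}")
        if review_overdue(p, today):
            flags.append("annual review overdue")
        if flags:
            items.append((p, flags))
    items.sort(key=lambda item: (RISK_ORDER[item[0].risk], notice_deadline(item[0])))
    return items


def cost_by_vendor(inventory):
    """Total annual spend per vendor across all of its products."""
    totals = {}
    for p in inventory:
        totals[p.vendor] = totals.get(p.vendor, 0.0) + p.annual_cost
    return totals


# Constructed sample inventory (fictional vendors, products, dates and costs).
# Two products from the same vendor carry different risk ratings, which is why
# the summary is kept at the product level rather than the vendor level.
SAMPLE_INVENTORY = [
    VendorProduct("Acme Core", "core processing", "high",
                  date(2024, 6, 30), 90, 250_000.0, date(2023, 1, 15)),
    VendorProduct("Acme Core", "remote deposit capture", "medium",
                  date(2025, 1, 31), 60, 40_000.0, date(2023, 9, 1)),
    VendorProduct("Beta Online", "online banking", "high",
                  date(2024, 3, 15), 30, 120_000.0, date(2023, 6, 1)),
    VendorProduct("Gamma Shred", "document shredding", "low",
                  date(2024, 4, 10), 30, 6_000.0, date(2022, 12, 1)),
]
AS_OF = date(2024, 3, 1)  # fixed "today" so the output is reproducible

if __name__ == "__main__":
    for p, flags in action_items(SAMPLE_INVENTORY, AS_OF):
        print(f"[{p.risk:6}] {p.vendor} / {p.product}: {', '.join(flags)}")
    for vendor, total in sorted(cost_by_vendor(SAMPLE_INVENTORY).items()):
        print(f"{vendor}: ${total:,.0f} per year")
```

Run as-is it lists the online banking contract first (high risk, and its notice window has already closed), then core processing (notice due within the window and its annual review overdue), then the low-risk shredding contract; the medium-risk remote deposit capture product from the same vendor needs no action yet. In practice the inventory would come from the accounts payable export the text suggests, with the review interval tightened for high-risk products.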

Question: We need vendor management, but where do we start?

Answer: Start small, with one thing you know you need to do right now, and build your plan over time.

A clear lack of ownership causes most vendor management efforts to fail. Most institutions take a divide-and-conquer approach, but in reality there ends up being more dividing and less conquering when it comes to the management of vendor relations. Product owners have their own agendas, interactions and intimate dealings with vendors. Risk and compliance officers wrangle abstractly with the documentation and reporting. The result: everyone struggles to see the big picture, and the overall effect is, well, less than effective.

Institutions need a comprehensive view of their vendor relationships where product owners, risk and compliance officers and executives can view all the moving parts and see where action needs to take place. If you have departments operating in silos, you need to challenge the depth of your vendor management efforts, because they are likely disjointed and messy, and you are no doubt missing opportunities to improve your business. The most successful vendor management programs are owned across the enterprise of a financial institution, where key stakeholders are in communication, visibility into these relationships is high, and risks are defined and controlled.

Let's face it, third-party vendors are a huge part of your business. Their success is your success; their failure is your failure. Therefore, ongoing oversight and management of these relationships should be an integral part of your business plan.
Create an action plan

The plan will be different for everyone.

Focus on the business processes and get all the stakeholders involved. Set your focus on each product, not just the vendor itself. This approach lets you get deeper into the implementation and controls to find gaps where you and your vendor may not have thought to look.

Get an action plan in place and draw it up step by step.

Give your board and examiners a plan that demonstrates your focus on improvement. Lay the plan out in small bites and set short-term goals. For example: "In three months, I plan to have all of my high-risk vendor contracts stored off-site, in the cloud, for safekeeping and to keep better track of our renewal dates." Or: "Within the next six months, I plan to get a better understanding of all my high-risk vendors' SOC reports." Or, if you are still struggling to categorize your risks: "I plan to implement a tool to risk-rate all of my vendor products in the next 90 days."

Vendor management doesn't have to be big and complicated. Sure, there are a lot of moving parts, but if you start small and start working together, you can break it down into manageable steps that you can build on. Keep your plans simple and concrete. Once you start to feel the benefits, you'll keep going, and you can expand to all the areas that once seemed daunting, like document collection, prepping for an exam or risk assessment.

Step up the level of technology.

Now, we've already explained that you can't outsource your total vendor management function, because regulators won't allow it and it doesn't make good business sense. But here is the rest of the story: there is help. There are new vendor management technology tools and expert services available to ease your burden and help you succeed: tools to automate old manual processes; approaches that blend service and technology to support your own efforts; summary services from industry experts to boost your own understanding of everything from your SSAE 16 reports to your vendor contract agreements; and services to collect compliance documents from all of your third-party vendors. There are even technology solutions that place all the key players in one online environment, on the same page, with access for vendors, financial institutions, examiners and experts.

So, the good news is, you are not alone! You don't have to go big or go home with vendor management. There are technology and services available with varying degrees of flexibility, depth and capacity to complement your vendor management efforts right now, where you are today.

Gain deeper visibility.

With greater effort to pull stakeholders together to collaborate and share vendor data, you will gain the depth needed to react to change and be proactive with your vendor relationships. You'll be able to spot gaps quickly when they appear and avert risks, and you'll be on top of your vendor relationships in regard to contracts and service levels, which will save you money over time. And, as a happy result of all your efforts, you will be supporting your business plan and you will be in compliance. In effect, your enterprise, together, will take your vendor management program (and your business) one step above, one step at a time!

ABOUT US

Digital Compliance
Digital Compliance revolutionizes the vendor management experience with Venminder, a cloud technology solution that serves financial institutions in the complex vendor management ecosystem. With Venminder, a bank or credit union can meet all regulatory and business management requirements. Venminder is a vendor management tool offered in modules for risk assessment, contract management and exam prep, with flexible capacity options. Digital Compliance also provides third-party document collection and executive summary services from industry experts. For more information, visit www.digitalcomply.com or call (270) 506-5140.

Porter Keadle Moore
Founded in 1977, Porter Keadle Moore has grown into one of the most respected accounting and advisory firms in the country. Since our inception, we have homed in on serving the needs of financial institutions, and today we work with leading public and private companies across the country. At PKM, we provide holistic and growth-driven financial solutions built around understanding clients' business challenges, not just their accounting issues. We develop deep relationships with our clients over years, so that working together is a positive, accretive experience for both parties. For more information, visit http://www.pkm.com or call 404-588-4200.
