Looking Beyond the Obstacles: The Necessity of Continuous Vendor Management and Oversight
By Liz Huseman, VendorInsight® Client Program Director, CMPG
Is your bank having trouble keeping up with all your vendors, their contract events and the emerging risks
posed to your bank? If so, you are not alone. Many banks and financial institutions have not yet found
an effective process for managing vendor relationships.
Financial institutions are increasingly aware of the regulatory burdens that accompany the use of a third-party
vendor. So, in light of these burdens, why do so many institutions still lack a consistent and
workable vendor management process? Maybe the budget is already stretched too thin to accommodate
more employees and more training. Maybe your existing personnel are already performing multiple tasks
and adding another one is just not feasible. Or maybe, like many banks, consistent monitoring of your
vendors and their contracts is difficult because the information is not centralized. Perhaps your contracts
are scattered across many offices, stuffed in desk drawers or even housed in the vendor's files.
Whatever the reason, a poorly managed vendor oversight program can spell trouble for your institution.
Financial institutions are under scrutiny and must meet FFIEC, OCC, Federal Reserve and other
regulators' examination requirements. Without a consistent program for managing vendor risk, financial
institutions may face non-compliance with FFIEC and other regulators.
Compliance with the increasingly stringent regulatory burdens and pressures is difficult for many banks.
However, there are solutions to help your institution manage your suppliers and contracts consistently
with regulatory compliance, improved risk management, and better cost performance.
Vendor Management Basics
Vendor management is becoming a hot button issue. It isn't any wonder that financial institutions are
concerned about this. Regulators have made it clear that the Board of Directors and senior management must identify and control the risks associated with third-party relationships. In fact, the FDIC recently put
out this statement in June of 2008:
“An institution's board of directors and senior management are ultimately
responsible for managing activities conducted through third-party
relationships, and identifying and controlling the risks arising from such
relationships, to the same extent as if the activity were handled within the
CMPG research shows the average bank will spend roughly 40-45% of its non-interest expense with its
vendors. With such a large percentage of core banking functions performed by third-party vendors, it is
simply not feasible to eliminate these relationships. Financial institutions routinely balance the benefit of
the third-party relationship against the costs of that relationship, including the costs of compliance.
Where the analysis favors vendor placement, the organization must take consistent steps to identify,
measure, monitor and control the risks of the relationship.[ii]
Of course, not all vendors are critical or significant vendors; nor are they subject to the same degree of
scrutiny and oversight. For example, protecting customer confidential information is vital to your
institution and great care must be exerted to make sure that your vendor is not a weak link. The FDIC's
guidance indicates that institutions must provide “appropriate” levels of oversight and that senior
management should have “sufficient procedures and policies” in place to control the risks of third-party
relationships.[iii] These risks include strategic, reputational, operational, transactional, credit and
If your institution is like most others, you have many vendor relationships and related records that need to
be managed. So, now what? What's the next step? With so many vendors, so much vendor spending,
so many vendor functions, and so many regulations, what does a successful vendor management
process look like? How can the Board of Directors and senior management get access to the information
needed to make decisions and meet fiduciary obligations without consuming excessive time and
First, let's start with what vendor management includes. Vendor management itself is a broad area, but is
commonly thought to encompass four major areas.
The 4 Vendor Management Basics™
The most successful vendor management solutions will likely include a way to link and store the
documentation regarding the four vital vendor management basics together so that senior management
can adequately assess the vendor relationship and ensure that the risks associated with that specific
vendor and its specific function are being monitored appropriately. Documentation is important here; so
much so that the FDIC issued the following:
"Proper documentation will facilitate the monitoring and management of
the risks associated with third-party relationships. Therefore, institutions
should maintain documents and records on all aspects of the third-party
relationship, including valid contracts, business plans, risk analyses, due
diligence, and oversight activities (including reports to the board or
delegated committees). Also, retain documents regarding any dispute
A solution that houses vendor risk assessments, due diligence documents, contracts, and documentation
relating to the on-going oversight process is ideal because it connects all four vendor management basics
together. After all, a vendor risk assessment that hasn't been updated in several years and an
inaccessible contract are probably not enough oversight and control to manage the risks of the relationship.
And the FDIC has indicated that “failure to manage these risks can expose an institution to regulatory
action, financial loss, litigation and reputation damage, and may even impair the institution's ability to
establish new or service existing customer relationships.”
But managing risk is more than just keeping current on the vendor contracts and documents. Financial
institutions must also remain cognizant of existing regulations, such as the Gramm-Leach-Bliley Act,
Sarbanes-Oxley and HIPAA. They must also keep up with new regulations. For instance, the Identity
Theft Red Flag Rule compliance deadline was November 1, 2008 and these rules are expected to have
an effect on relevant third-party relationships. There is certainly no shortage of compliance-related
activities that financial institutions must undertake.
Vendor Management Solutions
While senior management is ultimately responsible for vendor selection and decisions about how to
monitor vendors and risks, there are solutions available to assist in this process. The Board and senior
management need accessible and current information that includes updated risk assessments and
relevant, current information about the vendors. They also need an updated and centralized contract
repository with risk alerts for key contract events, expiration dates and price increases. They may even
need market analysis, guidance, pricing trends and recommendations about upcoming contract renewals.
The solutions that guide the vendor management process usually present in one of three ways.
The first is usually an internal process that utilizes a combination of standard desktop tools and software.
Often there is a manually created and updated contract management spreadsheet. There are usually risk
assessments, but they may have been built and performed without the benefit of standards or templates.
Special project teams may have been assembled to complete the initial risk assessment, but later
disbanded, leaving no one to complete the updated risk assessments. The problems here are numerous.
However, the main problems seem to be that the spreadsheet and risk assessments are not updated
regularly and the contracts may not be stored centrally.
The second option is usually a software database for contract management and vendor monitoring. This
creates a centralized repository of contracts and vendors. However, the software may not be specifically
tailored towards the financial services industry, making it cumbersome to use in your organization.
Additionally, your personnel are required to run and manage this software program. This can be costly
when training, turnover, and personnel requirements are considered. Additionally, any change in priority
could jeopardize the effectiveness of this software program.
Finally, the third solution, and arguably the most innovative, is an outsourced contract management and
automated vendor management program. This solution offers the same benefits as option two, mainly a
centralized repository of contracts and vendors, but it does not carry the same personnel requirements
that a software-based solution does.
Option one is often unworkable. It may not even centralize the necessary documents, resulting in a
possible lack of information to the Board and senior management.
Option two may be workable if your institution has the personnel necessary to run and maintain the
program, but turnover and continual training will be constant costs of this solution.
Option three is workable even if your institution does not have the existing personnel necessary to run an
in-house solution. An outsourced contract management and automated vendor management program is
workable so long as the senior management is committed to making the financial choices necessary to
ensure adequate vendor management.
VendorInsight® was developed and introduced in 2008 in response to a cry from the industry for help
in meeting compliance obligations. As a result of ten-plus years' experience providing executive
consultation, cost management leadership, spend and contract analysis and benchmarking services to
financial institutions, CMPG fully understands the pressures that financial service organizations and
banks are facing now, ranging from internal audits to external regulator examinations. More and more
financial institutions depend on third-party vendors to perform their core functions. From this backdrop of
increasing regulatory pressures, VendorInsight® was created.
VendorInsight® is an outsourced solution. It does not require your personnel to run or manage it. It
will be unaffected by turnover or change of priority within your organization. This is especially significant
when considering that seven out of ten contract management software or SaaS implementations fail or
falter because of changing personnel or priorities.
VendorInsight® takes into account the 4 Vendor Management
Basics by allowing your organization to:
VendorInsight® also delivers customized risk alerts, market monitoring reports and market analysis
designed to give you a strategic viewpoint on vendor-related decisions and planning. You get expert
insight into market trends for your renewal and renegotiation decisions and automated cost trend and
spend analysis support for your budgeting and planning processes.
Your board and executives are held responsible for maintaining a risk management program in
accordance with FFIEC, Federal Reserve, and other regulatory agency guidelines. VendorInsight® is a
complete outsourced service that aggregates and leverages CMPG's systems, technology, information,
research and people to deliver essential information to your fingertips when you need it. With it, your
bank can be up and running in less than 45 days with a full-featured contract management program that
includes vendor monitoring, market analysis, and vendor risk management: a complete turnkey Vendor
Management program! There is no training, no software to learn, and no systems integration cost.
These are tough times for financial institutions. Budgets are tight, consumer confidence may be down,
and increased regulations on financial institutions are likely. However, inadequate oversight and controls
over third-party vendors, their services and activities are simply not an option.
There are solutions out there to assist your organization in finding and developing a vendor and contract
management system. Find the solution that works best for your organization and feel comfortable and
confident in your vendor relationships. Show the examiners you are in control.
About the Author
Liz Huseman, VendorInsight® Client Program Director, CMPG
Liz is the Director of the VendorInsight® Client Program at Cost Management Performance Group
(CMPG). CMPG provides a comprehensive set of services and solutions tightly focused on improving
earnings performance for banks. CMPG's services include executive consultation, cost management
leadership, spend and contract analysis, benchmarking, and turnkey outsourced solutions focused on
vendor management and compliance. VendorInsight® is a cost-effective, highly flexible, outsourcing
solution that delivers the value and performance needed to manage vendors and contracts consistently
with improved risk management, enhanced regulatory compliance, and better cost performance.