Complete Vendor Monitoring
Looking Beyond the Obstacles: The Necessity of Continuous Vendor Management and Oversight

By Liz Huseman, VendorInsight® Client Program Director, CMPG


Is your bank having trouble keeping up with all your vendors, their contract events and the emerging risks posed to your bank? If so, you are not alone. Many banks and financial institutions have not yet found an effective process for managing vendor relationships.

Financial institutions are increasingly aware of the regulatory burdens that accompany the use of a third-party vendor. So, in light of these burdens, why do so many institutions still lack a consistent and workable vendor management process? Maybe the budget is already stretched too thin to accommodate more employees and more training. Maybe your existing personnel are already performing multiple tasks and adding another one is just not feasible. Or maybe, like many banks, consistent monitoring of your vendors and their contracts is difficult because the information is not centralized. Perhaps your contracts are scattered across many offices, stuffed in desk drawers or even housed in the vendor's files.

Whatever the reason, a poorly managed vendor oversight program can spell trouble for your institution. Financial institutions are under scrutiny and must meet FFIEC, OCC, Federal Reserve and other regulators' examination requirements. Without a consistent program for managing vendor risk, financial institutions may face non-compliance with FFIEC and other regulators.

Compliance with the increasingly stringent regulatory burdens and pressures is difficult for many banks. However, there are solutions to help your institution manage your suppliers and contracts consistently with regulatory compliance, improved risk management, and better cost performance.

Vendor Management Basics

Vendor management is becoming a hot button issue. It isn't any wonder that financial institutions are concerned about this. Regulators have made it clear that the Board of Directors and senior management must identify and control the risks associated with third-party relationships. In fact, the FDIC recently put out this statement in June of 2008:

“An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

CMPG research shows the average bank will spend roughly 40-45% of its non-interest expense with its vendors. With such a large percentage of core banking functions performed by third-party vendors, it is simply not feasible to eliminate these relationships. Financial institutions routinely balance the benefit of the third-party relationship against the costs of that relationship, including the costs of compliance. Where the analysis favors vendor placement, the organization must take consistent steps to identify, measure, monitor and control the risks of the relationship.[ii]

Of course, not all vendors are critical or significant vendors; nor are they subject to the same degree of scrutiny and oversight. For example, protecting customer confidential information is vital to your institution and great care must be exerted to make sure that your vendor is not a weak link. The FDIC's guidance indicates that institutions must provide “appropriate” levels of oversight and that senior management should have “sufficient procedures and policies” in place to control the risks of third-party relationships.[iii] These risks include strategic, reputational, operational, transactional, credit and compliance risks.

If your institution is like most others, you have many vendor relationships and related records that need to be managed. So, now what? What's the next step? With so many vendors, so much vendor spending, so many vendor functions, and so many regulations, what does a successful vendor management process look like? How can the Board of Directors and senior management get access to the information needed to make decisions and meet fiduciary obligations without consuming excessive time and resources?

First, let's start with what vendor management includes. Vendor management itself is a broad area, but is commonly thought to encompass four major areas.

The 4 Vendor Management Basics™

The most successful vendor management solutions will likely include a way to link and store the documentation regarding the four vital vendor management basics together so that senior management can adequately assess the vendor relationship and ensure that the risks associated with that specific vendor and its specific function are being monitored appropriately. Documentation is important here; so much so that the FDIC issued the following:

"Proper documentation will facilitate the monitoring and management of the risks associated with third-party relationships. Therefore, institutions should maintain documents and records on all aspects of the third-party relationship, including valid contracts, business plans, risk analyses, due diligence, and oversight activities (including reports to the board or delegated committees). Also, retain documents regarding any dispute resolution."

A solution that houses vendor risk assessments, due diligence documents, contracts, and documentation relating to the ongoing oversight process is ideal because it connects all four vendor management basics together. After all, a vendor risk assessment that hasn't been updated in several years and an inaccessible contract are probably not enough oversight and control to manage the risks of the relationship. And the FDIC has indicated that “failure to manage these risks can expose an institution to regulatory action, financial loss, litigation and reputation damage, and may even impair the institution's ability to establish new or service existing customer relationships.”

But managing risk is more than just keeping current on the vendor contracts and documents. Financial institutions must also remain cognizant of existing regulations, such as the Gramm-Leach-Bliley Act, Sarbanes-Oxley and HIPAA. They must also keep up with new regulations. For instance, the Identity Theft Red Flag Rule compliance deadline was November 1, 2008 and these rules are expected to have an effect on relevant third-party relationships. There is certainly no shortage of compliance-related activities that financial institutions must undertake.

Vendor Management Solutions

While senior management is ultimately responsible for vendor selection and decisions about how to monitor vendors and risks, there are solutions available to assist in this process. The Board and senior management need accessible and current information that includes updated risk assessments and relevant, current information about the vendors. They also need an updated and centralized contract repository with risk alerts for key contract events, expiration dates and price increases. They may even need market analysis, guidance, pricing trends and recommendations about upcoming contract renewals. The solutions that guide the vendor management process usually present in one of three ways.

The first is usually an internal process that utilizes a combination of standard desktop tools and software. Often there is a manually created and updated contract management spreadsheet. There are usually risk assessments, but they may have been built and performed without the benefit of standards or templates. Special project teams may have been assembled to complete the initial risk assessment, but later disbanded, leaving no one to complete the updated risk assessments. The problems here are numerous. However, the main problems seem to be that the spreadsheet and risk assessments are not updated regularly and the contracts may not be stored centrally.

The second option is usually a software database for contract management and vendor monitoring. This creates a centralized repository of contracts and vendors. However, the software may not be specifically tailored towards the financial services industry, making it cumbersome to use in your organization. Additionally, your personnel are required to run and manage this software program. This can be costly when training, turnover, and personnel requirements are considered. Additionally, any change in priority could jeopardize the effectiveness of this software program.

Finally, the third solution, and arguably the most innovative, is an outsourced contract management and automated vendor management program. This solution offers the same benefits as option two, mainly a centralized repository of contracts and vendors, but it does not carry the same personnel requirements as a software-based solution.

Option one is often unworkable. It may not even centralize the necessary documents, resulting in a possible lack of information to the Board and senior management.

Option two may be workable if your institution has the personnel necessary to run and maintain the program, but turnover and continual training will be constant costs of this solution.

Option three is workable even if your institution does not have the existing personnel necessary to run an in-house solution. An outsourced contract management and automated vendor management program is workable so long as the senior management is committed to making the financial choices necessary to ensure adequate vendor management.

VendorInsight® Solution:

VendorInsight® was developed and introduced in 2008 in response to a cry from the industry for help in meeting compliance obligations. As a result of ten-plus years of experience providing executive consultation, cost management leadership, spend and contract analysis and benchmarking services to financial institutions, CMPG fully understands the pressures that financial service organizations and banks are facing now, ranging from internal audits to external regulator examinations. More and more financial institutions depend on third-party vendors to perform their core functions. From this backdrop of increasing regulatory pressures, VendorInsight® was created.

VendorInsight® is an outsourced solution. It does not require your personnel to run or manage it. It will be unaffected by turnover or change of priority within your organization. This is especially significant when considering that seven out of ten contract management software or SaaS implementations fail or falter because of changing personnel or priorities.

VendorInsight® takes into account the 4 Vendor Management Basics by allowing your organization to:

VendorInsight® also delivers customized risk alerts, market monitoring reports and market analysis designed to give you a strategic viewpoint on vendor-related decisions and planning. You get expert insight into market trends for your renewal and renegotiation decisions and automated cost trend and spend analysis support for your budgeting and planning processes.

Your board and executives are held responsible for maintaining a risk management program in accordance with FFIEC, Federal Reserve, and other regulatory agency guidelines. VendorInsight® is a complete outsourced service that aggregates and leverages CMPG's systems, technology, information, research and people to deliver essential information to your fingertips when you need it. With it, your bank can be up and running in less than 45 days with a full-featured contract management program that includes vendor monitoring, market analysis, and vendor risk management, a complete turnkey Vendor Management program! There is no training, no software to learn, and no systems integration cost.


These are tough times for financial institutions. Budgets are tight, consumer confidence may be down, and increased regulations on financial institutions are likely. However, inadequate oversight of and control over third-party vendors, their services and their activities is simply not an option.

There are solutions out there to assist your organization in finding and developing a vendor and contract management system. Find the solution that works best for your organization and feel comfortable and confident in your vendor relationships. Show the examiners you are in control.

About the Author

Liz Huseman, VendorInsight® Client Program Director, CMPG

Liz is the Director of the VendorInsight® Client Program at Cost Management Performance Group (CMPG). CMPG provides a comprehensive set of services and solutions tightly focused on improving earnings performance for banks. CMPG's services include executive consultation, cost management leadership, spend and contract analysis, benchmarking, and turnkey outsourced solutions focused on vendor management and compliance. VendorInsight® is a cost-effective, highly flexible, outsourcing solution that delivers the value and performance needed to manage vendors and contracts consistently with improved risk management, enhanced regulatory compliance, and better cost performance.