Complete Vendor Monitoring
The Evolution of Vendor Risk Monitoring

9 Ways to Strengthen Your Vendor Risk Management Program

By Jay G. Fitzhugh, Executive Consultant & Partner, CMPG

We read it every day in the news headlines. Businesses that are being displaced and disrupted by current economic conditions are rewriting the history of risk management within Financial Institutions (FIs). In a time of economic downturn and uncertainty, the need to manage vendor risk has necessarily expanded the definition of a vendor management program. As banks adopt a wider and deeper definition of vendors, they are redefining what vendor criticality means and looking for new, systematic ways to track the economic and market conditions that bear on those vendors.

Historically, financial institutions have managed risk well within their four walls. Banking is a risk‐based business, balancing net interest earnings against credit risk. Interest expense on a bank's Income Statement plays the role that Cost of Goods Sold plays on a manufacturer's, and net interest earnings the role of gross margin. But twenty‐five years ago, risk was a word reserved for Credit and Treasury folks in ALCO and Loan Committees. Certainly, credit risk remains a constant, but the risk word has penetrated beyond loan and investment portfolios, creating new definitions in payment processing, Information Technology, Information Security, Legal and Compliance, Bank Secrecy Act/Anti‐Money Laundering monitoring, Loss and Fraud Prevention, Continuity Planning and Vendor Management.

Given the heavy reliance on vendor services, technologies, and software, it is no wonder that the vendor management role in Operational and Reputational Risk Management gets thrust forward in today's business climate. Monitoring vendors is expanding from a narrow Information Technology or Information Security (read GLBA) focus to challenge just who should be defined as a vendor and what “mission critical” means. The answer is anyone within the information and service supply chain that you (or your contracted vendors) rely upon to deliver your services, whose failure would mean severe financial consequence to you or disruption to your clients. Take the recent regulatory seizure of the Atlanta banker's bank Silverton as a case in point. A reported 1,400 community banks are caught in this net. How many were formally, or even informally, monitoring an entity that is essentially an upstream correspondent and co‐operative peer? Already, one former client has projected write‐downs of over $21 million as a result of exposure to this failure.

Disaster Recovery planners were some of the first to formally recognize and document operational risk across a broad business palette. These planners obtained title and pay upgrades when Disaster Recovery Planning evolved into the Business Continuity discipline, later fueled by Business Impact Analysis. The reformation was the recognition that a fancy binder on a shelf, planning the relocation of a facility or process after an event occurred, was not enough: it addressed only one event or scenario that would, by definition, occur with extremely small probability. The disruption thrust upon clients by an actual disaster and recovery effort led many to re‐examine their true hour‐by‐hour requirements to keep the business operating, even at diminished capacity.

Similarly, Vendor Management (VM) must expand Risk Assessment and Analysis to broaden and deepen its prevention and detection posture. Risk assessment of vendor capabilities must adequately measure the impact of vendor disruption and should include shock scenarios, or a Business Impact Analysis, of a vendor's impairment or failure measured against the FI's capability to continue to conduct its business affairs. This means that vendor monitoring needs to keep abreast of all industry and vendor‐specific public information, not just relationship elements like performance and SLAs.

Vendor Risk Analysis must expand its typically limited scope of vendors. VM Programs must identify vendors and business partners that are wrapped in and woven throughout the fabric of the bank's service and delivery. An example is the near extinction of outsourced Official Check programs, which were once valued profit generators. Vendors absolved FIs of this administrative burden and even compensated them for uncashed checks and unclaimed balances. Providing clients an Official Check is an essential service. Changes in check clearing practices with image presentment, coupled with a historically low overnight investment yield, have made these services no longer economically viable. Without an effective vendor monitoring program, many institutions found themselves scrambling in 2008 with an unplanned project to determine how to best continue offering Official Checks for clients, as this service was abandoned by the vendor community.

Below are nine things you can do to strengthen your Vendor Management Program now. Improve your risk management posture and avoid the pitfalls illustrated by recent history and emerging in your path ahead.

  • Count your vendors. Who are your vendors? How closely does the Vendor Management roster match the Accounts Payable list? This is a good place to start. Are there “employees” operating outside normal channels with special knowledge or skills, often in subsidiaries, who should be assessed as vendors? For most institutions this will be a new question.
  • Understand formal and non‐formal relationships. On what business terms are vendors operating that exist on the Payables list, but not represented by formal contracts and some level of monitoring within the Vendor Management program? Is it time to discontinue the use of purchase orders? Do you have vendors that are operating on a month to month basis?
  • Re‐examine exclusive vendor relationships. Where has a focus on standardization created single‐vendor exclusivity? What level of exposure does this exclusivity present versus the economic benefit of vendor pricing leverage?
  • Reacquaint yourself with your vendors. When was the last time you met with your key vendors' management teams to discuss their business plan and strategies?
  • Make a second choice. It may be impractical for all areas of technology, but certainly for consumables and service partners, identifying and pre‐qualifying an alternate supplier is a reasonable risk‐mitigation posture in the event your key provider fails to perform.
  • Update your files. How current is the data that you have on your vendors? Of the data that you do have, is past trending valid? Banking has gone through a decade of change and consolidation in less than ten months. Key industry core providers are consolidating.
  • Redefine vendor management roles. Are vendor monitoring responsibilities clearly defined within your organization? If you are like most banks, the decentralization of vendor management down to those managers closest to the vendor is the bane of effectiveness.
  • Reassess your risk rating methods. Is your assessment of risk qualitative or quantitative? If qualitative, are there examples or guiding principles distributed and understood, so that a uniform assessment is accomplished? If quantitative, is a Business Impact Analysis factored into the process?
  • Reinvent your toolset. What tools are being used to monitor press releases, industry events, changing business strategies and financial reports of your vendors (and not with last year's now stale financial data and business information)? You should be using one of the newly‐emerging services that can deliver this information to your doorstep each morning.
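The first three items above are checks that can be run against data the institution already holds. Below is an added example, not code from the article or from CMPG, that reconciles a constructed Accounts Payable extract against a constructed Vendor Management roster: it folds case, punctuation and corporate suffixes so that duplicate payee spellings merge, reports payees the VM program has never seen, flags roster entries running on month‐to‐month terms or purchase orders, and lists service categories with a single supplier. The CSV column names, the vendor names, categories and dollar amounts, and the vocabulary used for contract status are all assumptions made for the example.

```python
"""Reconcile an Accounts Payable vendor extract against the Vendor Management roster.

Added example, not code from the original article or from CMPG. The CSV column
names, vendor names, categories and dollar amounts are constructed for the
example and are assumptions, not data from any institution.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample: a 12-month AP extract. Note the two spellings of Acme.
AP_CSV = """payee,category,paid_12m
"Acme Core Systems, Inc.",Core processing,1250000
ACME CORE SYSTEMS INC,Core processing,48000
Northside Shred LLC,Document destruction,18000
Metro Courier Service,Courier,22000
Citywide Couriers Inc,Courier,15000
River Check Printers,Official checks,61000
J. Doe Consulting,IT contractor,95000
"""

# Constructed sample: the Vendor Management roster with each vendor's contract basis.
VM_CSV = """vendor,category,contract,criticality
Acme Core Systems Inc,Core processing,master agreement to 2012-06,critical
Northside Shred,Document destruction,month-to-month,low
River Check Printers,Official checks,purchase order,high
"""

# Corporate suffixes and generic words that tend to differ between AP and VM spellings.
SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "corporation", "company",
            "service", "services"}

# Contract descriptions treated as "no formal agreement" (assumed vocabulary).
INFORMAL_TERMS = {"month-to-month", "purchase order", "none", ""}


def normalize(name):
    """Fold case, punctuation and corporate suffixes so that
    'Acme Core Systems, Inc.' and 'ACME CORE SYSTEMS INC' reconcile as one payee."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in SUFFIXES)


def load(csv_text):
    """Parse an inline CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(ap_csv=AP_CSV, vm_csv=VM_CSV):
    """Return the gaps behind the first three checklist items: payees the VM
    program has never seen, roster entries on informal terms, and service
    categories with a single supplier."""
    spend = defaultdict(float)   # normalized payee -> 12-month spend
    category_of = {}             # normalized payee -> AP category (last row wins)
    for row in load(ap_csv):
        key = normalize(row["payee"])
        spend[key] += float(row["paid_12m"])
        category_of[key] = row["category"]

    roster = {normalize(row["vendor"]): row for row in load(vm_csv)}

    # 1. Count your vendors: paid through AP but absent from the VM roster.
    unmonitored = sorted((key, spend[key]) for key in spend if key not in roster)

    # 2. Formal vs. non-formal: on the roster, but with no real contract behind it.
    informal = sorted(key for key, row in roster.items()
                      if row["contract"].strip().lower() in INFORMAL_TERMS)

    # 3. Exclusive relationships: categories where AP shows exactly one supplier.
    suppliers = defaultdict(set)
    for key, cat in category_of.items():
        suppliers[cat].add(key)
    single_source = []
    for cat, vendors in suppliers.items():
        if len(vendors) == 1:
            (vendor,) = vendors
            single_source.append((cat, vendor, spend[vendor]))
    single_source.sort()

    return {"spend": dict(spend), "unmonitored": unmonitored,
            "informal": informal, "single_source": single_source}


if __name__ == "__main__":
    report = reconcile()
    print("Paid but not in the VM program:")
    for key, paid in report["unmonitored"]:
        print(f"  {key:<25} ${paid:>12,.0f}")
    print("On the roster without a formal contract:", ", ".join(report["informal"]))
    print("Single-supplier categories:")
    for cat, vendor, paid in report["single_source"]:
        print(f"  {cat:<22} {vendor:<22} ${paid:>12,.0f}")
```

In practice the AP extract and the roster come from the general ledger and the VM system rather than inline strings. The name normalization is deliberately simple and will not catch a subsidiary paid under a different legal name, which is exactly the case the first item warns about, so treat the unmonitored list as the starting point for a manual review rather than the final answer.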

The implications of an expanded view of the vendor and improved risk assessment and monitoring will lead many Financial Institutions towards the need for solutions to help manage increased workload. Access databases or Excel spreadsheets will no longer suffice. Executive Management, Boards of Directors and Regulators are recognizing the need for wider and deeper review of all business relationships with current, actionable data. Is monitoring responsibility in your institution centralized within a specific area or is it decentralized across a disparate cast of business owners? Can a centralized person or group truly handle the increased monitoring responsibilities alone?

The current business cycle trough has already changed the banking landscape forever. It is implicitly understood that outsourcing a process, product, or service does not outsource the operational and reputational risk borne by the FI. Understanding the entire vendor base, the vendor contribution to the FI brand promise and service delivery model, and having the proper process and tools in place to monitor and track vendor performance are essential. These capabilities will continue to climb in importance as we work our way through the existing downturn, but more importantly they will distinguish the high performers as we move beyond this period in banking.

About the Author

Jay Fitzhugh is an Executive Consultant and Partner with Cost Management Performance Group, LLC, (CMPG) and has been an executive in the Financial Services Industry for over twenty-five years.