Get on your horse. Your vendor management program needs to keep up with new expectations.
The emerging and predictive role of vendor performance monitoring and SLA management.
Conquering New Frontiers Requires Fresh Horses.
Are you ready for the next frontier of vendor management? (Heard from the crowd: The next frontier?!! What about the current frontier??!) Okay, it's true. You've probably just managed to navigate the current landscape and get your vendor management program updated, and you likely spent a considerable amount of effort, time and money doing it.
The Vendor Risk Assessment, or VRA, has finally achieved maturity and maybe even pseudo-iconic status along with a certain notoriety among bankers and risk management and compliance professionals in financial institutions. And although some financial institutions still need to embrace automation to relieve themselves of its tiresome burden, it has generally proliferated across all asset classes of financial institutions and credit unions in some form or fashion. But the next requirement for vendor risk management is now being cast upon the financial institution board game with its ever-changing regulatory and risk management overlays. Vendor performance and SLA monitoring has arrived, and banks and credit unions alike are being asked about it by their examiners, auditors, and board. Many risk officers and vendor managers don't have good answers yet.
Vendor performance measurement is an assessment of risk based on the personal experience of the vendor's customer. Ironically, it is the only measure of vendor risk that is actually experienced by you, the financial institution, yet it is consistently overlooked in importance in favor of a static risk assessment often performed only once, or infrequently at best, during vendor due diligence. Culture, personalities, customer importance and business priorities all impact how a vendor performs for your financial institution, creating a rich fabric of interactions, promises, delivery, plans, and dependence that is a precarious net sustaining your operations, efficiency goals and delivery promises to your customers and shareholders.
Why does vendor performance matter? If the performance measure in question is a service level agreement, or SLA, then it is likely that it was negotiated as a baseline expectation, or a minimum expected level of vendor performance. If the vendor could not warrant or promise the service level then the financial institution would not have wanted to do business with the vendor. On the other hand, if the SLA represents a higher-than-minimum performance level then, perhaps, it is central to the financial institution's strategy or customer delivery objectives and it takes on even greater significance. In this case, it was likely negotiated in exchange for something else and the financial institution may have even paid more to the vendor, raising its expenses and diluting its earnings.
Never Play Poker with a Tsunami.
When it comes to vendors, good performance makes for smooth sailing while bad vendor performance has a ripple effect that multiplies and quietly tsunamis across your organization and strategy. It might start with a seemingly innocuous transgression like a vendor's delay implementing a system change that your bank requires. Then, it might blossom into the vendor treating you as a second-tier priority, knowing the last incident didn't seem to be of much concern. From there it might cascade into assigning lower-quality resources to your account and promoting their best people to other, more-demanding customer accounts. Soon, be it right or wrong, the vendor may view you as not being a very sophisticated customer and not wanting to purchase their more advanced, emerging solutions, so they start to communicate less with you. The next thing you know, your organization is framing the vendor for performance failures that aren't even its fault because, after all, human nature makes it easy to dislike a business partner that doesn't respect you or even talk to you very much.
So, how do you stop the tidal wave from forming? Tapping into the forces that often signal an impending surge of risk requires you to keep your risk management finger on the pulse of a lot of information. This information is streaming in daily. It shows up in monthly team calls. It hides in the dark corners of inboxes shrouded in vendor reports where your key players only have time to deal with the hottest of the super hot priorities. It lurks in the back pages of newspapers and in the deep web pages of regulatory agencies and law firms. Sometimes it hides in SEC filings.
The failures of vendors – whether they are caused by organizational strain, growth and capacity limitations, a lost sense of direction, changes in leadership styles, or one of many other factors – show up at the local level first. They manifest themselves and get disguised as smaller, less-significant errors, which are often forgiven and overlooked by customers. But over time, they grow, and in the extreme cases where vendors have materially failed and this has received publicity, the customers of the vendors said to themselves and to the public, "yeah, we were having some trouble with them during the past few months but we never thought the problem was this big."
This example highlights the limitations of the static vendor risk assessment (VRA) that is often completed by a financial institution during vendor due diligence and is required to be reviewed periodically – often every year, two years or three years, as a commonly-accepted compliance standard. But more importantly, it highlights why vendor news monitoring and the regular monitoring of vendors' activities in the market is critically important. Vendors change. They reorganize, reprioritize and renew. They change strategy. They refresh their executive leadership. You have to keep up with the changing conditions in order to effectively monitor operational risk. The great thing about monitoring vendor news and market events is that you can see how the vendor is performing for everyone else, giving you unprecedented insight into the trends, growth and success of your vendors and unprecedented and immediate awareness of when things go wrong at their other accounts. Vendor performance is one area where the past is definitely not the best predictor of future success. Having as much information at your fingertips as possible and having a system that screens all the information and alerts you to the things you should worry about is what you really need to make decisions and manage risk.
A Process Framework for Taming Performance-Based Vendor Risk.
How your organization processes and manages your knowledge about a vendor's performance is indeed a predictor of future success and a driver of lower risk tolerances and risk levels in your financial institution. The best-practices vendor performance management process trail map looks like this:
Anticipation → Awareness → Action → Accountability → Archive.
- How important is the vendor relationship? What is its value?
- How diligently do you need to monitor the vendor?
- Were there any issues or flags identified in the due diligence?
- What does the Business Impact Analysis suggest?
- Are there performance expectations or SLAs in the vendor contract?
- What is happening in the marketplace with the vendor?
- Is the vendor being issued any regulatory sanctions or are there any emerging lawsuits?
- Are there signs of a change of control for the vendor?
- Are there changes in executive leadership at the vendor?
- What is the financial performance of the vendor?
- Are there other news items that raise flags about the vendor?
- Completing vendor performance surveys on a frequent and recurring basis
- Screening all of your information sources for items that are pertinent to your vendor relationship
- Making sure each contract owner knows about each news alert or performance alert
- Making sure each overseeing executive is aware of a vendor news or performance alert
- Ensuring that your risk committee receives summary reports on vendor risk alerts and identified risks
- Notifying vendors that you are aware of their risks and emerging risks
- Asking vendors to substantiate and provide details about their risk alerts
- Documenting internal reactions to vendor news alerts
- Documenting the corrective actions by vendors for those items escalated to vendor relationship meetings
- Maintaining notes and memoranda in vendor electronic archives for future awareness and continuity
- Revisiting archives to develop aggregate scorecards for vendor performance and enable good decisions about contract renewals and strategic choices
Choosing between too much alliteration or too much risk isn't the difficult part. Doing the work is. If you don't have the knowledge, the staff, or the time, find a system that will do it for you. The examiners are coming and they fear not your excuses.
Timing is Everything. Constancy of Purpose is Priceless.
Most organizations don't really deal with a vendor's performance until the time of contract renewal, and then they only recall what happened in the last six months or so, which limits their ability to hold vendors accountable for the performance record during the entire contracted term of the agreement. Having a vendor system of record prevents your organization from forgetting about the performance failures of the past, making it easy to retrieve and review performance notes, scorecards, and memoranda and use these to form a better relationship, a better governance structure, and a tighter commitment from the vendor. The performance record may even support the need to change vendors, bringing the discussion with your vendor to a whole new level.
Beyond the obvious financial benefits of monitoring contract SLAs, and administering penalties or receiving credits for vendor nonperformance, larger banks with more advanced sourcing organizations and developed vendor management offices often use the performance record of the vendor as leverage in negotiations. With more resources, and an aggressive but objective mindset, they can level the playing field as a new contract is being discussed. Being able to tap into the historical archives three or even five years later to research documented performance failures by the vendor and access the problem resolution logs to get an unbiased view of the vendor's performance can be very insightful and useful to these organizations. Ultimately, it makes the relationship between the financial institution and its vendors more efficient economically and stronger from a commitment-expectation-accountability standpoint. All of these positive dynamics serve to reduce operational risk considerably.
It is important to distinguish between the degree of SLA attainment and a vendor failure. Striving to attain a consistent performance level of 98% and doing that successfully in 11 out of 12 months but only achieving 97% in 1 month is considerably different than delivering a performance of 74% in three consecutive months. The 74% performance has a considerable impact on a financial institution and represents a failure of the vendor to deliver against its promise, contracted or not. This is why it is important to have a vendor performance monitoring system that enables the capture of data across periods and enables the capture of commentary and performance notes to provide a contextual backdrop for the performance scorecard.
Do Your Part, Sheriff.
You already know your financial institution or credit union needs better vendor management systems that require less manual manipulation. As you look forward, should you accept anything less than the framework outlined here given the lessons of the past, the challenging terrain ahead, or the teachings of the current examinations taking place right now? No. Don't accept a system or solution that purports to be a vendor management system yet ignores the fact that vendor risk changes over time and that the most important aspect of vendor risk is embodied in how the vendor succeeds or fails in their delivery of services to you. Don't compromise on these important features and you will find a solution that delivers tremendous risk management capabilities and guaranteed compliance leadership with a full palette of business value that makes your financial institution better, stronger and faster, no matter what your asset size and budgetary limitations.
Vendor performance is a moving measure. Vendors perform for and deliver to their customers over time – not once, but repeatedly in a series of actions carried out over a long period of time, often with different people, changing product structures and services profiles, and different and evolving IT infrastructures and organizational priorities. It should be obvious why the OCC and other auditors and examiners are beginning to focus on vendor performance as an essential aspect of vendor risk; it is the most impactful to a financial institution because it represents the direct, experiential risk and it is the best real-time predictor of emerging vendor risk.
© 2014 by CMPG, LLC and VendorInsight®. All Rights Reserved. May not be reproduced in any form without the express written permission of the copyright owner.