The Importance of a Solid Vendor Management Process
Outsourcing technology services can be a valuable tool in the world of community banking. This is particularly evident when resources, expertise, and capacity are limited. When managed correctly, utilizing third-party service providers to carry out particular functions allows community banks to offer better services to their customers, in addition to increasing revenues and reducing costs. But how much is too much? And how can all of these relationships be managed effectively?
While the benefits of outsourcing technology services are clear, they also come with a cost – not just the financial cost of paying for the service, but a more abstract cost that comes with the transition of control. The key here is that although the control is redirected, the bank assumes the responsibility to ensure the risks associated with the outsourced activities are managed as if they were being conducted in-house. Regulatory agencies are placing an increased focus on managing third-party risk. For this reason, it is prudent to continuously evaluate vendor management programs to ensure they are adequately controlling the potential risks associated with outsourcing technology services.
The agencies issue regulatory guidance for a reason – to provide guidance. For example, FIL-44-2008 “Guidance for Managing Third-Party Risk” (https://www.fdic.gov/news/news/financial/2008/fil08044.pdf), issued by the Federal Deposit Insurance Corporation, provides a framework for an effective vendor management program, while allowing for adaptability in different third-party relationships. When deployed effectively, an adequate vendor management program will account for the various risks associated with outsourcing technology services. These risks include, but are not limited to, strategic, reputation, operational, transaction, and compliance risks.
In general, a sound vendor management program will contain a risk management process that includes the following four essential elements:
- Risk assessment: The backbone of the vendor management program, ensuring current and potential vendor relationships fit the risk profile of the institution.
- Due diligence in selecting a third party: Evaluation of the potential vendor through a review of various items, such as financial statements, internal controls, industry expertise, and the ability to perform a proposed function.
- Contract structuring and review: Ensures expectations and obligations are documented and enforceable.
- Oversight: The ongoing monitoring of vendor relationships, which ensures compliance stays current.