
Best Practices for Managing Risk During Vendor Selection


Selecting and onboarding a new core vendor involves a certain level of risk. You can do your due diligence and feel confident in your selection, but how do you know if in one year, five years, or ten years you’ll feel the same way about them? The future is uncertain, but you can follow a few best practices to help secure the right partnership for the long term. Use the information that we’ve pulled together from the vendor management experts at Tandem, along with our own recommendations, to better manage the risk in vendor selection and streamline your process for better outcomes.

How to Manage Risk During Vendor Selection

It’s not unheard of for a bank to have gone through due diligence, finalized all the paperwork, and onboarded the new vendor, only for the partnership to fizzle later. Time, costs (both hard and soft), and even the organization’s reputation, can be jeopardized when significant activities like risk management aren’t prioritized during vendor selection.

“The best service in the world won’t be good enough if it brings on risk to your bank that you just don’t have the tolerance for,” says Leticia Saiid, Chief of Staff at CoNetrix. “Before you get too excited about a vendor, do your risk assessment. In addition to safeguarding your bank, it saves you time, and keeps you from spending attention on a vendor you wouldn’t be able to work with anyways.”

Here are a few best practices to help you manage risk through the vendor selection process.

Perform a risk assessment.

Once you’ve narrowed down your selection of vendors, you’ll want to perform a vendor risk assessment to identify if there are potential risks in working with this vendor and to ensure that this vendor is a reliable partner for your bank. Should your bank need to develop or refresh your vendor risk assessment, Tandem offers this simple three-step approach:

  1. Define the risk categories.

    The FDIC, FRB, OCC, and NCUA have provided risk category recommendations for your bank to use. Check out the Vendor Risk Category Resource to see a list of categories and tips for how to use them.

  2. Measure the risk.

    Setting a scale helps you and your team compare the vendor’s risk to others. You can use a numerical scale or a ranking (Low, Medium, High). Just know that a scale is just one piece of the assessment and should not be the only data point used to indicate risk.

  3. Assess based on three questions.

    Using the information from steps one and two will help formulate a final assessment and deliver an action plan. You’ll ask yourself: (1) How much [category] risk does your bank assume by using this vendor? (2) What information influenced your answer? (3) What should your bank do next?

See an example of a short risk assessment on Tandem’s blog.

Gather and send appropriate due diligence documentation.

Due diligence is not always the fun part of the vendor management process, and too often that is because organizations have complex processes that they have followed unchanged for years. If you fall into this group, consider streamlining the process by following Tandem’s “if-then” method, where you ask trigger questions to establish exactly which due diligence documents need review and why.

Tandem gives the following trigger question as an example:

"Would the company be significantly affected if the vendor's services were temporarily unavailable?"

A "yes" answer would lead you to request their Business Continuity Plan because it will show you if the vendor is prepared to recover your bank’s service after a disruption.

Need some help collecting the right vendor documentation? Check out a few templates on our blog.

Review the contract with confidence.

Contracts are known for being filled with messy legalese, especially core contracts. If you’re not experienced in reviewing contracts and don’t have an attorney by your side, you could be signing up for products and services you never asked for and end up paying more than expected.

When you receive a vendor contract, ensure your bank gets what’s expected for the agreed upon costs. Review specific areas such as the products and services scope, pricing, addendum terms and conditions, and termination details. If there is missing information or line items that need clarification, be sure to ask the vendor before signing.

Read our blog article to learn how to properly review and dissect a core contract.

Pause and ask yourself if they’re a good fit.

Documentation and contracts alone may not be able to give you the peace of mind that this vendor is the right fit for your organization. As you go through the due diligence process, think about how the relationship is taking shape. Has the vendor been responsive to your questions and requests? Have they been transparent in communications? Are they available to talk in-depth about their products and services? If they show signs that they’re making your bank a priority early in the partnership, then you can safely assume your bank will receive the same level of service after you sign the contract.

Additionally, consider what their operations look like behind the curtain. Have you met their customer support, implementation, and leadership teams? Have they invited you to tour their offices? Interacting with the people actually doing the work gives you that extra assurance that your bank is in good hands.

See a live example of vendor management in action when you read how Gilmer National Bank put IBT Apps through the process.

Keeping It All Organized & Secure With Vendor Management Software

If your memory is like a steel trap and you’re a whiz at keeping notes and documents securely together, then there is no need to read further. But if you’re challenged with staying organized, are bogged down with completing responsibilities to meet deadlines, or are unsure whether your due diligence documentation is housed in a safe environment, you should consider using dedicated vendor management software.

Tandem’s vendor management software tools keep your process moving forward. “Using vendor management software or an outside vendor management company can help your financial institution meet your regulatory due diligence requirements,” says Kristy Emmerich, Director of Compliance at IBT Apps. “Specialized vendor management software provides a risk-based approach that helps you determine timing of vendor reviews, allows you to organize documents in one place, and provides standardized templates and reports that keep your reviews consistent.”

Due diligence can easily become overwhelming, especially when multiple vendors are involved. If selecting vendors and reporting your recommendations to management isn’t your only responsibility or if you just need help managing the process better, consider using software to stay on top of your task list and timelines, keep your data protected, and best of all, make life less hectic for you and your bank.

Learn more about Tandem’s vendor management software and see it in action at the 2022 KEYS Conference, an annual cybersecurity conference and Tandem user group. Register now and we’ll see you on March 30th!
