Part I in a four-part series about vendor management program requirements.
“What’s really supposed to be in your vendor management program?”
The answer is, ‘Your concrete plans for managing third party vendor risks to your credit union.’
Instead of seeing the big picture, we often watch amazed as credit unions chase down small details in vendor management programs when there is no practical value in doing so. At the same time, we see credit unions ignoring the requirements that result in better financial performance that can actually help manage and reduce risk.
The guidelines, beginning with the FFIEC guidelines, are clear, but take time to fully understand. If read too casually, credit unions miss the intent in favor of ‘checking boxes,’ or are swayed by one of the myriad seminars and newsletters that DON’T describe what is actually supposed to be in a vendor management program.
In order to make sure you do not miss what is most important, here is Maple Street, Inc.’s take on what the guidelines say.
Number One: Vendor management is important to regulators and is a board level issue.
Get a policy, get it approved by the board, review it with the board every year and put it in the minutes.
Number Two: Understand the three requirements of a vendor management system:
- Choose the right vendor to meet your credit union’s needs;
- Contract well; and
- Monitor each vendor’s soundness and performance over time.
You’re probably already doing something about part of Requirement C: ongoing monitoring, including risk assessments, risk ranking and gathering due diligence, although we hope you are not spending thousands of dollars to determine if, for example, your data processing system vendor is “critical.”
Our research shows that most credit unions do not pay enough attention to Requirement A: Choosing the Right Vendor.
And by that, we do not mean checking references and reviewing “dead documents” like SSAE-18 audit reports, then selecting a vendor based on the features you like. Picking the right vendor is 80% of a successful process, because if you fail this step, Requirements B and C are not going to help much.
Choosing well is about building your business case and needs analysis that answers key questions, and then selecting a vendor based on the likelihood of results.
For example, ask the vendor what results are you going to get for the money you spend. Do you understand the vendor’s business model – and especially how it makes money? Does the vendor have a way to help you track results?
Those questions inevitably lead to Requirement B, Contracting Well. This is difficult to do if you are not expert in contract negotiation; however, it is not about lawyers and a legal review. In our experience, most legal reviews are incredibly ineffective at evaluating risk and rarely touch on performance requirements. Ever heard of the parole evidence rule? Simply stated: if a promise is made to you, but it is not in the contract, it doesn’t exist. DOES NOT EXIST. And based on our long experience and first-hand knowledge, it is a fair bet your vendor’s contract does not say what the sales rep has been telling you – not even close. Legal reviews almost always miss performance requirements.
Contracting well really means identifying and documenting the performance you expect from the vendor. So, after the hard work you put in to choose the right vendor, undocumented performance means you are trusting the vendor. Vendors are reputable, but even reputable businesses have a way of disappointing over time. It is disappointing when you are not getting what you expected, but it’s worse when you find you cannot do anything about it.
Bottom line: no amount of ongoing monitoring will fix a poor vendor selection or remedy a lousy contract. Hence Requirements A and B.
If you followed the usual vendor management process, you focused on monitoring the vendors’ documents, not performance. Sadly, you will likely find yourself disappointed at some point with that vendor. If, by then, you are in the middle of a five-year contract with no remedy to improve the vendor’s performance, or get the pricing or functionality you were promised, your only remedy is begging or bitching.
If you chose the wrong vendor, you likely also paid for something you will not use or want. (Maybe “risk management” should include not wasting money on stuff you don’t use?) You’re stuck with whatever you get from the vendor, good, bad, or indifferent. “Need a new interface?” your vendor might say. “Sure, we said we had one, but get out the checkbook and we’ll talk.”
The regulator’s guidelines make really good business sense. A vendor management system, covering all three of the requirements, lowers vendor expense, improves vendor performance, and manages risk. Imagine that.
(Our next article will focus on Part A: Choosing the Right Vendor.)
Maple Street, Inc., is the provider of the Vendor Advantage System®, the only complete vendor management system. Maple Street delivers lower expenses, improved vendor performance, and effective risk management, and, provides an outsource service so you can focus on what you do best: exceeding your members’ expectations.
Contact Mike Crofts at (800) 513-6839.