The right way to do Vendor Management – part 4

Part 4: Monitoring vendor soundness and performance.

This is part four of four of the Right Way to Do Vendor Management. In the first article, we overviewed vendor management as a system, with requirements about choosing the right vendor, contracting well, and measuring and monitoring vendors. In the second article, we overviewed vendor selection and choosing the right vendor. The third talked about how to contract well to better manage risk and define vendor performance. This article is about ongoing monitoring and, in particular, what you’re missing in vendor reviews.

Most credit unions think ongoing monitoring is vendor management, largely because the concept came from NCUA and FFIEC guidance. It was forced on credit unions from a risk perspective, even though it is written as a well-thought-out system that, done well, can drive better financial results. The focus is on tasks that can be easily measured, which in many cases has led to a mechanistic paper chase and a check-the-box mentality about vendor management that misses the point.

The ongoing monitoring guidelines actually have two parts. The first is familiar: identify your vendors, do a risk assessment, then gather and review a lot of dead documents (all looking backward in time) to magically see risk going forward. There is value in knowing more about your vendors, and comfort in knowing audits and evaluations were done, but there are some things you can do to prospectively mitigate risk.

Start with a complete vendor inventory. We recommend you don’t look at a partial vendor list to “pre-determine” what vendors are critical, then focus on just those. Instead, best practice is to identify all of your vendors (and all means all) and do a risk assessment to define the inherent risk of working with each of the vendors.

From the risk assessment, rank your vendors into three categories like critical, important, and exempt. (There is no requirement to have a fourth category for “high risk vendors.”) Then gather the critical vendors’ due diligence documents, including internal control evaluations or audits (the SSAE 16 or 18), financial statements, and insurance information.

You then apply any control considerations (your internal fixes to identified vulnerabilities in the vendors’ systems, usually from the audit), then re-assess the vendors to understand your residual risk. The residual risk is the list of the things you need to watch while working with the vendor. Of course, if you’re in year two of a five-year contract and see something you don’t like, there isn’t much you can do.

For many credit unions this is the sum of the entire program. The use of dead documents and backward-looking documents is of uncertain value, but NCUA can examine this, see the work is done, and so everyone gets to check the box.

However, the other part of the monitoring guidelines can add real value. Credit unions are more dependent than ever on vendors to deliver products and services to members. Think about it: debit card processing, credit card processing, internet banking, mobile banking, and bill pay are all critical services credit unions provide to be competitive. Ask who gets blamed if, say, a member’s debit card transaction is denied? Who gets blamed if mobile banking doesn’t work?

Credit unions work hard to make sure staff deliver friendly, efficient, and timely service, but forget about vendors. It’s all too common to accept that computer systems regularly break down. But if you’re getting blamed for it, shouldn’t you do something about it? That’s where part two of the monitoring guidelines comes in and provides killer guidance: measure the vendor’s performance.

Of course, you followed our recommendations about how to negotiate contract terms so you have meaningful service level agreements in your vendor contracts, but you still need to check to make sure you’re getting the performance you require, and then raise holy hell if you’re not getting it.

This part should be the ultimate step in your vendor management process, because a failing vendor hurts you. If the problem isn’t resolved, your next step is to start the process over: select the right vendor to replace the one that is failing. It’s your future and the guidelines are “spot on” in defining how this can work to your benefit.

Once you define your requirements – the results – and contract to get them, together with a measurement device that you check, you can begin a vendor management program that is really about vendor lifecycle management, one in which you’re in control of your own fate.

Think different, think bigger, about vendor management. Vendor management is a system that’s used in other industries to reduce expenses, improve vendor performance, and manage risk. Credit unions that apply this system approach to vendor management will do well in good times and bad, and have a bright future. Those that overpay vendors and waste dollars on systems that are never fully implemented, only to cause member frustration, should start looking for merger partners.

