Vendor Management Best Practices: Is Your Program Up to Par?
4 likes2,530 views
The document discusses the importance of third-party oversight and governance in the context of the financial crisis of 2008, highlighting renewed regulatory focus on vendor accountability. It outlines key expectations for managing vendor relationships, including risk classification, due diligence, compliance audits, and effective governance structures. The aim is to promote a more mature vendor management program within financial institutions to mitigate risks and ensure consumer protection.
Vendor Management Best Practices: Is Your Program Up to Par?
- 1. 1 Copyright 2015©, All rights reserved, 3W Partners LLC August 12, 2015 Sponsored by… Scott Roller
- 2. 2 Principal & Founder – 3W Partners LLC 25 Years – Fortune 500 Companies • Telecom • Financial Services Leadership Roles in • Global Vendor Management • Ops / Strategy / Re-engineering • Outsourcing / Training TL9001 (“ISO for telecom”) • Certified Lead Auditor Regulators Gov’t Entities Ratings Agencies Others OCC, OTS, CFPB Fannie, Freddie, GAO Moody’s, Fitch, S&P ISO, Accounting firms Audited by…
- 3. 3 Brief History Why the intense focus on vendors? What led us here? Changing Landscape Financial Crisis ~2008 Vendor management Prior to… and Now Heightened regulator focus areas What Regulators Expect 12 Key Dimensions Good resources to self-educate Technology & Tools Increase you chances of success Third-Party Oversight & Governance (TPOG)
- 4. 4 Financial Crisis 2008 Vendor focus very limited: • Business continuity • Financial strength • Credit risk Prior to the Crisis Activities were outsourced • Unfortunately, so was vendor responsibility and accountability Vendors seen as a major contributing factor to the crisis Post-mortem Inadequate oversight from financial institutions Hidden risks when relationships are not managed closely Resulted in massive fraud and consumer distress
- 5. 5 Regulators have a renewed focus on third-party oversight Regulatory Response to the Financial Crisis OCC CFPB Federal Reserve Board FDIC NCUA Considerable Attention Institutions must bear responsibility for supplier misdeeds • Numerous “casualties” already Major focus on consumer interaction with vendors Enterprise-wide engagement, especially executives Push for independent reviews Will focus on 12 Key Dimensions today
- 6. 6 What I often see within the industry Programs are not overly mature Financials Continuity of business Data and site security Hard to budget for vendor risk management Led by single group Versus cross-section of the enterprise Not part of larger enterprise-wide Risk Program Minimal investment In Smaller Organizations Lack of manpower Inadequate skills Problems often tied to 2nd tier vendors Have we learned anything from the financial crisis?
- 7. 7 Recent examples… and consequences Collectively, they paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers. Source: http://www.mckinsey.com/insights/risk_management/managing_when_vendor_and_supplier_risk_becomes_your_own July 2013 Net Message: No one ever remembers the vendor name
- 8. 8 OCC CFPB Federal Reserve Board NCUA FDIC On Third-Party Oversight & Governance OCC Bulletin 2013-29 Supervisory Letter No.: 07-01 Letter: Guidance For Managing Third-Party Risk Bulletin 2012-03 Service Providers SR 13-19 Guidance on Managing Outsourcing Risk Fortunately, expectations resemble one another • OCC Bulletin 2001-47 • OCC Bulletin 2002-16: Foreign-Based Third-Party Service Providers • FDIC Compliance Manual, December 2012 • FIL-44-2008: Guidance for Managing Third-Party Risk • FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing Information Documents • SR 00-4 (SUP): Outsourcing of Information Technology and Transaction • Processing
- 9. 9 Risk Classification Due Diligence On-Boarding Contracts Compliance Audits MIS / Reporting Scorecards Annual Certifications Complaint Handling Escalations Governance These cover most regulatory expectations Execute these well… satisfy your regulator(s)
- 10. 10 Risk Classification For effective third-party oversight Risk-based segmentation Scope and intensity of oversight is defined here Must consider risks to… • Legal & Regulatory • Reputation • Sensitivity of data • Process complexity • Customer interface/impact • Public or private vendor • Domestic • Offshore • Core Bank Function • Non-Core • Number of similar suppliers • Percent of volume handled Other Considerations • Strategic (High) • Major (Med) • Basic (Low)
- 11. 11 On-Boarding Due Diligence Assess the process of how suppliers are… • Sought • Vetted • Selected (and retained) Consider vendor questionnaire and evaluation matrix Have a plan to implement the vendor relationship • Technology, telecom, recruit, train (including compliance), etc. Critical: System Entitlements • Limit vendor access to only what is “required” • Have a revocation process o Consider revoking within 24-hours of leaving
- 12. 12 Contracts Regulators have specific expectations regarding vendor contracts Examples of often-overlooked clauses: • Use of subcontractors • Termination for default • Compliance with laws • Privacy policy (sensitive info) • Electronic Transportable Media • Right to audit • Licensing • Indemnification • Notification of complaints • Handling of media inquiries • Service level monitoring • Limitation of liability • GSA “Excluded Party List” • HUD’s “Limited Denial of Participation” What is required of you … Is also required of ALL members of your “supply chain.” Make it contractual.
- 13. 13 Compliance Audits Identify all relevant compliance requirements and document how requirements are being met Regulatory updates and change management process effectiveness • Flow down to vendors (operations, contracts, scorecards, etc.) Do your vendors... • “Say what they do?” (via Policy & Procedure Manual) • “Do what they say?” (can vendors demonstrate it?) Have an audit schedule and comprehensive plan Ensure risks are documented and controls are in place. • Strategic (High) • Major (Med) • Basic (Low) Risk Classification • Twice per year • Once per year • Every other year “Potential” Audit Frequency
- 14. 14 MIS / Reporting Scorecards You need timely and effective reporting in all supplier relationships. Demonstrate you have sufficient visibility and control. Hard to achieve safety and soundness without robust reporting Identify key performance indicators (KPI)s, track and report on them. Document vendor improvement plans. • Drive accountability. Regular reviews. • Evidence of follow-up and actions o Warning notices o Training, certification o Volume adjustments o Expanded or decreased scope of work
- 15. 15 Annual Certifications Re-certify vendors annually. No more • Financials • Licensing • Insurance • Data security • Capacity / Staffing • SLA performance • Process reviews • Compliance • Customer impact • Fees & incentives • Use of subcontractors • Training (especially compliance) • Business continuity • Audit results • Complaints • Media attention • Pending litigation • Mergers & Acquisitions • Ownership changes • Compensation practices Very labor intensive dimension Keeping up with all changes: Yours, vendors, regulators, etc. • Assessing the impacts annually, at minimum. Due Diligence
- 16. 16 Complaint Handling Requires an effective method of capturing, responding to and resolving complaints. • Especially where suppliers are involved. Complaint source and severity: Major, Moderate, Minor. Linkage of root cause back to the operation. Report to senior leadership. Escalations When supplier problems arise, must have effective identification, escalation and management of issues. Escalate to appropriate levels. Special review committee? Examples: • Bad press • Multiple system outages • Multiple complaints • SLAs repeatedly not met • Downgraded financials • Fraud event • Audit findings Define your future reactions
- 17. 17 Governance Senior executive and/or Board Member engagement • “Fingerprints everywhere” o Drive and approve policy o Monitor vendor platform (via regular readouts) At-will access to vendor results o Sign-off on vendor selection and recertification (and action/exit) o Audit trail of their engagement Proposed: Two Tier Governance Model Executive Committee Operations Committee Drive Vendor… • Performance / Quality • Control & Compliance • Risk & Change Mgmt. • Audits • Volume Allocations • Contingency plans Sets “TONE at the TOP” • Strategic Alignment • Risk appetite • Policy • Verify adequate oversight • Ask questions • Approve, Suspend & Terminate
- 18. Extremely useful when managing vendors and risks Centralized repository; Security Portal for easy access Clear, actionable management reports and well-designed workflow systems • Essential for accountability across the institution Measure your level of dependence on critical suppliers Build vs. Buy Building a new third-party risk application from scratch is a big undertaking; • So too is enhancing a current risk tool to perform new functions Consider “off-the-shelf” workflow and risk-management tools 18
- 19. Healthy, transparent and compliant Consistency across vendors • OK to manage according to risk segmentation Documentation • Policy & procedure; Roles & responsibilities • Audit trail Performance based criteria Adequate staffing for oversight • Number of resources • Skill and competency Executive engagement • “Fingerprints everywhere” 19 Third-party relationships must be good for financial institution, its vendors and consumers Leverage technology where possible
- 20. 20 Questions? Scott Roller Principal / Founder 3W Partners LLC scott@3Wpartners.net 636.448.3713 cell www.3Wpartners.net Sponsored by…