8 Must-Dos for Vendor Management
Anyone in banking knows that vendor management can be a daunting task. It's something we hear a lot about within the CBANC community, as many FI professionals don't even know where to start! So, in the spirit of simplifying the process (and helping folks stop second-guessing themselves), we pulled together a quick checklist: "8 Must-Dos for Vendor Management."
1) Identify your vendors. This seems self-explanatory, but I talk to so many people who aren't sure which vendors to track. Which ones you include is ultimately up to your FI, based on your own policies and procedures, but here are some guidelines:
a) Pull a list from accounts payable of every vendor you've paid in the past two years. Then go through it and check off each vendor you have a contract with. All of these should be included in your VM program.
b) For those without a contract, decide whether there should be one. Do you pay them on a consistent basis for services rendered? If so, you probably want some sort of agreement in place, even if it's just a customer form.
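A small script that carries out steps 1a and 1b, as an added example (it is not part of the original checklist and not a CBANC tool): it reads a constructed accounts-payable export, keeps only payments inside the two-year lookback, checks each payee against a constructed contract registry, and flags recurring payees that have no contract. It also handles one case the checklist doesn't mention: a vendor with a contract on file but no payments in the lookback window, which still needs a status check rather than silently dropping off the list. The vendor names, dates, amounts, and the three-payments threshold for "consistent" are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample accounts-payable export. Vendor names, dates and
# amounts are made up for this example.
AP_EXPORT = """vendor,paid_on,amount
Acme Core Processing,2023-01-15,12000.00
Acme Core Processing,2023-04-15,12000.00
Acme Core Processing,2023-07-15,12000.00
Acme Core Processing,2023-10-15,12000.00
Acme Core Processing,2024-01-15,12500.00
Northwind Shredding,2023-02-01,450.00
Northwind Shredding,2023-05-01,450.00
Northwind Shredding,2023-08-01,450.00
Northwind Shredding,2024-02-01,475.00
Blue Sky Catering,2023-12-10,820.00
Old Signage Co,2021-03-01,3000.00
"""

# Constructed contract registry: vendors with a signed agreement on file.
CONTRACTED = {"Acme Core Processing", "Old Signage Co", "Dormant Data Corp"}

# Possible outcomes for each vendor.
INCLUDE = "include in VM program"
NEEDS_CONTRACT = "recurring payee with no contract: get one in place"
ONE_OFF = "one-off payee: document why no contract is needed"
VERIFY = "contract on file but no payments in lookback: confirm relationship status"


def build_vendor_inventory(ap_csv, contracted, as_of, lookback_days=730, min_payments=3):
    """Return {vendor: {"payments": n, "contract": bool, "action": str}}.

    as_of is an ISO date string. A vendor counts as 'recurring' when it has
    at least min_payments payments inside the lookback window (two years by
    default, per the checklist). The threshold is an assumption; set it to
    whatever your policy means by 'consistent'.
    """
    as_of_date = date.fromisoformat(as_of)
    cutoff = as_of_date - timedelta(days=lookback_days)

    # Group payment dates by vendor, keeping only those inside the window.
    paid_dates = defaultdict(list)
    for row in csv.DictReader(io.StringIO(ap_csv)):
        paid_on = date.fromisoformat(row["paid_on"])
        if cutoff <= paid_on <= as_of_date:
            paid_dates[row["vendor"]].append(paid_on)

    inventory = {}
    for vendor, dates in paid_dates.items():
        has_contract = vendor in contracted
        if has_contract:
            action = INCLUDE                       # step 1a: contract exists
        elif len(dates) >= min_payments:
            action = NEEDS_CONTRACT                # step 1b: consistent payee, no contract
        else:
            action = ONE_OFF                       # step 1b: occasional payee
        inventory[vendor] = {"payments": len(dates), "contract": has_contract, "action": action}

    # Edge case the checklist doesn't cover: a contract with no recent spend.
    # Dropping it silently would leave an active agreement out of the program.
    for vendor in contracted:
        if vendor not in inventory:
            inventory[vendor] = {"payments": 0, "contract": True, "action": VERIFY}
    return inventory


def vendors_with_action(inventory, action):
    """Sorted vendor names whose outcome matches the given action."""
    return sorted(v for v, info in inventory.items() if info["action"] == action)


if __name__ == "__main__":
    inv = build_vendor_inventory(AP_EXPORT, CONTRACTED, "2024-06-30")
    for vendor in sorted(inv):
        info = inv[vendor]
        print(f"{vendor:24} payments={info['payments']:<2} contract={info['contract']!s:5} -> {info['action']}")
```

Run it as-is to print the inventory for the sample data; to use it for real, swap in your AP export and your contract list, and adjust min_payments and lookback_days to match what your policy defines.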
2) Get all of your contracts scanned, centralized, and organized. We talk to so many FIs who still keep all of their contracts in paper format. NO, NO, NO. One fire, one accidental shred, one "clean desk policy" sweep where it ends up in the trash. You need to get all of your contracts onto a platform that is backed up in more than one place and where access is limited to the people who need it (contracts carry pricing and confidential terms). If your own server is backed up that way, great. If not, please consider an outsourced solution where it's the provider's JOB to keep your information backed up and secure. Just remember that the provider is itself a vendor and belongs in your VM program.
3) Conduct vendor risk classification (aka risk assessment). Next you need to figure out which vendors are critical/high risk to your FI and which just require occasional oversight. The factors that usually push a vendor into the critical/high tier are access to customer or other confidential data, support for core operations, and how hard the vendor would be to replace. There are a lot of different risk templates on cbancnetwork.com that have been shared by your peers. You can also use CBANC's new risk assessment application, where you can do it all online and access the reports anytime. The key is that you're following the guidance issued by your respective regulator.
4) Review and report. Critical and high risk vendors should be reviewed annually, with a report provided to the board. For your medium and low risk vendors, how often you review is up to you. Some FIs have more formal processes where mediums are reviewed every other year and lows every third year. Others only review when something has changed. Whatever you decide, make sure it's documented in your policy. The more you define, the better!
5) Collect other due diligence materials for critical/high risk vendors. You should be collecting financials where available and reviewing the financial stability of the company. If the vendor has a SOC 1 or SOC 2 report, collect it and review it annually as well: check that the report period and scope actually cover the services you use, read any exceptions the auditor noted, and confirm you have the complementary user entity controls the report expects you to operate on your side. You should also collect business continuity (including disaster recovery) plans, insurance certificates, and any other diligence documents you think are relevant or the vendor is willing to provide.
6) Create an executive summary on the health of each vendor relationship. You should have this in one clean report that you can present to your board and your examiners. (Psst! Did you know that CBANC has ready-made templates for you to use?)
7) Keep monitoring! Ensure you are monitoring your vendors throughout the year. A lead relationship manager should be identified for every vendor. That manager should periodically collect feedback from any employee who touches the vendor. Track things like customer service (quality and timeliness), training provided (if necessary), quality of the product/service (is it still performing the way it did when you onboarded this vendor?), and customer complaints about direct or indirect interactions with the vendor. For technology vendors there's a whole list of other things you should be tracking (penetration testing reports, downtime reports, security incident notifications, etc.). Another part of vendor monitoring is tracking their reputation with peers (user groups, casual conversation). You should also always keep an eye open for other vendors who provide the same service. If you're up to speed on the industry, your job is a lot easier when contracts come up for renewal or you run into a major issue with your current provider.
8) Write down your VM policy. Now that you've got your VM ducks in a row, document all the details! Write a comprehensive policy that addresses every part of your vendor management program, and review it annually to make sure it stays up to date and accurate. Outline all steps clearly and concisely, and use definitions and metrics where you can (who, what, where, when, why, how). Include the titles of those responsible for each step and spell out how sign-off is documented and reported to the responsible parties. Want to see examples of other vendor management policies? Check out the CBANC community for free access to tried-and-true VM policy docs from your peers.
And if you’re in need of a lightweight VM tool, consider checking out CBANC’s vendor management application (starting at only $100/month!).