Third Party Vendor Management
Presented by: Jay Bowman, CISA, CISM, Director
September 22, 2011

Vendor Management
• Frequent regulatory findings:
  – Lack of policy and procedures
  – Risk assessment not performed
  – Lack of ranking scheme
  – Due diligence findings
  – Vendor oversight issues
  – Lack of senior management and Board oversight

A Few Questions
• Does your bank have a vendor management policy? A defined program?
• Is responsibility for vendors centralized?
• How many vendors does the bank rely upon for products and services?
• Are there review processes for selecting new vendors and evaluating current ones?

Finding a Starting Point…

Vendor Management Topics
• Policy
• Responsibility
• Risk Assessment
• Selection of New Vendors
• Oversight of Current Vendors
• Reporting

Vendor Management Policy
• Establishes:
  – Responsibility for program activities
  – Triggering thresholds or characteristics
  – Risk assessment requirements
  – Procedures for selecting new vendors
  – Procedures for evaluating current vendors
  – Reporting requirements

Responsibility for Vendor Management
• Chief Financial Officer
• Chief Information Officer
• Purchasing Manager
• Legal
• Shared
• Other
The VM policy should fix accountability and responsibility.

Risk Assessment (pre-decision to outsource)
• Potential impact on strategic goals
• Management oversight and evaluation
• Contingency plans
• Regulatory requirements and guidance

Risk Assessment
• Potential impact on strategic goals:
  – Most vendors will not affect goal attainment
  – Factors:
    • Unique product or service
    • Key individuals
    • “Significant” portion of revenues/profits
    • Reputation

Risk Assessment
• Management oversight
  – Does Management have the competence?
  – Does Management have the time?
• Contingency plans
  – Do others offer this product/service?
  – Can it be brought in-house?
• Regulatory guidance
  – What additional requirements are imposed?

Vendor Selection Process
• Identification of potential vendors
• Due diligence and selection
• Contract negotiation and award

Identification of Potential Vendors
• Trade literature
• Current vendors
• Other institutions
• Internet
• Trade association
• Other
Policy should lay out requirements.

Due Diligence and Selection
• Evaluation criteria
  – Ranking
  – Subjective vs. Objective
  – Binary vs. Weighted
• Request for Proposal (RFP)
• Evaluation team
• Documentation
• Approval

Request for Proposal (RFP)
Advantages:
• Fosters agreement on:
  – Scope of services
  – Selection criteria
• All vendors on a “level playing field”
• Easier to reach a selection decision
• Easier to defend the selection decision

Request for Proposal (RFP)
Tips:
• Evaluation criteria:
  – “Mandatory” versus “most important”
  – Weighting schemes vs. subjective
• Boilerplate
• Deadline extensions

Contract Award & Negotiation
• Scope of Services
• Term
• Price
• Service Level Agreement (SLA)
• Key Personnel
• Termination
• Audit Rights
• Other

Service Level Agreements
• Specific, measurable, auditable
• Scope of services
• Requirements of service quality
• Measurement of service quality
• Credits/penalties for achieving/failing performance targets
• Institution’s responsibilities
• Vendor’s responsibilities

Current Vendor Evaluation
Frequency and scope depend on vendor rankings and characteristics:
• Critical vendors: full scope, annually
• Important vendors: limited scope, annually
• “Commodity” vendors: may be exempt

Rankings Considerations
• Annual expenditures
• Processing of critical functions
• Uniqueness of product or service
• Access to customer information
• Management discretion
• Other

Vendor Evaluation Topics
• Financial stability
• Performance against SLAs
• Key personnel turnover
• Insurance coverage
• SAS 70/SSAE 16 (service providers)
• Disaster recovery testing and results
• Protection of customer information

Vendor Evaluations
Tips:
• Base evaluations on:
  – Why the vendor is important
  – The dimensions that carry the greatest risk
• Provide for Management discretion
• Document evaluations and maintain files

Reporting
• Annual summary on vendor management
• Prepared by Management
• Presented to Board (or Committee)
• Covers:
  – VM policy (any recommended changes)
  – New critical vendors
  – Summary of review of current vendors
  – Other key information

Vendor Management Framework
Pillar 1 / Pillar 2 / Pillar 3
• Cost, benefits and risk analysis
• Vendor financial stability
• Service levels
• Identify performance criteria, reporting needs and contractual requirements for a vendor relationship
• Vendor’s expertise, systems, controls
• Business continuity
• Pricing
• Information ownership
• Vendor’s knowledge of relevant regulations
• Utilize institution templates and flows to document this process
• Audit
• Confidentiality and security
• Leveraging institution purchasing and contracts management
• Limits on liability
Pillar 4
• Scorecards for each vendor reported to Bank management for risk transparency
• Leverage existing institution controls for identification and assessment of risks
• Management and Board reporting

Regulatory Guidance & Bank Requirements
• FIL-44-2008, “Managing Third Party Risk”
• FFIEC, “Risk Management of Outsourced Technology Services,” November 2000
• SR 00-4 (SUP), February 2000, “Outsourcing of Information and Transaction Processing”
• Institution’s “Vendor Management Policy”

Questions and Answers

Contacts
For more information, please contact:
Jay Bowman
Director, Mid-Atlantic
4900 Ritter Road, Suite 222
Mechanicsburg, PA 17055
Phone: 484.844.7132
jbowman@accumepartners.com