Keeping Track of Your Vendors
Concepts that start out simply rarely end that way, which you can see in the evolution of terminology. Take the relatively common practice of contracting with another party to provide goods or services. What began as “contract services” has morphed over time into: outsourcing, supply chain management, logistics, third-party service providers, supplier risk management, vendor performance management … well, you get the idea. Regardless of the term you choose, it all comes down to managing the risks that arise when some party (other than your company) provides you with goods and/or services.
The problem today is that we have spent more time developing creative terms to describe these risks than we have spent actively managing them. The result is that our vendor risk management practices have not kept pace with changes in the vendor-risk environment and do not effectively account for changes in how our vendors operate. Vendor risks are not static; they continue to evolve over time, and our vendor risk management programs need to evolve with them. We need to take a broader view of who our vendors are and how they operate.
One place to start is to realize that your vendors face the same types of operational, technical, and financial challenges as the typical bank. For example, vendors strive to maximize the advantages of changes in technology, such as the cloud, wireless and mobile. They diversify geographically, both domestically and internationally, to meet financial objectives. And they outsource internal functions of their own to reduce costs.
None of us would think it strange if a company pursued any of the above strategies to improve the performance of its business. However, when that company is one of your critical or high-risk vendors, failing to be aware of these kinds of actions, and to understand how they affect the services you receive, can have serious consequences. Your data and systems can be exposed to previously unidentified and unanticipated risks: a subcontractor you have never assessed may now hold your customer data, or it may be processed in a jurisdiction you never evaluated. Significant regulatory exposure can also result from subcontracting and/or geographic diversification.
Taking Notice of Subcontractors
Unfortunately, most vendor risk assessment programs do not adequately address these issues. According to Ernst & Young’s recently released study on supplier risk management, 73% of the companies surveyed rely on individuals in their business units to notice that a vendor has subcontracted some or all of the services it provides; acquiring information on subcontracting is not part of their vendor-assessment process. In addition, over one-third of the companies that are notified that services have been subcontracted take no action to assess either the subcontractor or the subcontracting process.
Similar issues arise when vendors pursue geographic diversification. According to the NEO Group, the risk associated with a vendor’s geographic location is seldom included in vendor scorecards. Questions related to changes in vendor geographic locations are even less frequently included.
Including these areas of inquiry in your vendor risk assessment process is the easier part. What is more problematic is making sure you obtain the answers in a timely manner. Conducting vendor risk assessments is a time-consuming and expensive process. A standardized approach and methodology for conducting these assessments is critical to minimizing the impact on an institution’s resources and completing the assessments in a timely fashion.
The frequency of vendor risk assessments is generally driven by the level of risk associated with the type of services the vendor provides. Most institutions follow the recommendations in FDIC Guidance FIL 44-2008 and review critical/high-risk vendors annually. This approach adequately addresses the need for periodic assessments, but it is not sufficient on its own for event-triggered assessments. The FDIC Guidance states that vendors should also be reviewed whenever there is a change in the services they are providing. A merger, an acquisition, a change in management or a data breach at the vendor should likewise trigger an assessment, regardless of where the vendor is in its annual review cycle.
Contract provisions can require that vendors proactively notify you when certain changes occur. While contracts can be modified to include such notice (if such provisions do not already exist), contract revision is a slow and expensive process, and one that still requires monitoring to ensure compliance. So while you definitely want to make sure that your vendor contracts address these issues, you also need to be able to identify, and respond to, changes in the vendor’s environment that require an additional assessment on your own. The question becomes: what type of monitoring must you do to identify the need for these additional event-triggered assessments?
There are several steps you can take, in addition to proactive notification requirements, to significantly increase your ability to identify “triggering events”:
- Subscribe to a service that monitors geographic-based events. Companies that provide these services monitor for geopolitical, environmental/weather related incidents as well as incidents related to infrastructure failures;
- Monitor news services for business announcements concerning these vendors;
- Monitor changes in regulations that could impact your vendors or the services they provide;
- Monitor social media, Internet sites and discussion forums for comments related to your vendors or the services they provide.
Essentially you should include your critical/high risk vendors in the same monitoring you perform for your own institution in these areas. Determining which vendors to include requires that you strike a balance between the information obtained and the cost of gathering that information.
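The two gaps discussed above, subcontracting and geographic changes that nobody records, and triggering events that fall between annual reviews, are easier to close when the vendor register itself carries those facts and the review logic is written down rather than left to whoever happens to notice. The following is an added example, not code from the article or from any vendor-management product: a minimal vendor register that stores each vendor as a dated snapshot with explicit subcontractor, location and management fields, and a function that compares two snapshots plus any observed events (news feeds, breach notices, contractual notifications) and returns the reasons an assessment is due now. The annual cadence for critical/high-risk vendors follows the article; the intervals for moderate/low tiers, the field names and the sample vendor are assumptions made for illustration.

```python
"""Vendor register with periodic and event-triggered assessment checks.

Added example (not from the original article). Field names, the non-critical
review intervals and the sample vendor are assumptions; only the annual review
of critical/high-risk vendors and the list of triggering events come from the
article.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum


class Risk(Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MODERATE = "moderate"
    LOW = "low"


# Maximum days between periodic assessments. Critical/high = annual, as the
# article describes; the moderate/low intervals are assumptions for illustration.
REVIEW_INTERVAL_DAYS = {
    Risk.CRITICAL: 365,
    Risk.HIGH: 365,
    Risk.MODERATE: 730,
    Risk.LOW: 1095,
}

# Events that trigger an assessment regardless of schedule.
TRIGGER_EVENTS = frozenset({"merger", "acquisition", "data_breach"})


@dataclass(frozen=True)
class VendorRecord:
    """One dated snapshot of what you know about a vendor.

    Subcontractors and locations are recorded explicitly so that a change in
    either shows up as a diff between snapshots instead of depending on a
    business unit to mention it.
    """
    name: str
    risk: Risk
    services: frozenset
    subcontractors: frozenset
    locations: frozenset        # countries/regions where the service is delivered
    key_management: frozenset   # named executives / relationship owners
    last_assessed: date


def assessment_reasons(previous, current, events, today):
    """Return the reasons an assessment is due now (empty list if none).

    previous/current: two snapshots of the same vendor.
    events: labels of events observed since `previous` was taken.
    """
    reasons = []
    if current.services != previous.services:
        reasons.append("change in services provided")
    new_subs = current.subcontractors - previous.subcontractors
    if new_subs:
        reasons.append("new subcontractor(s): " + ", ".join(sorted(new_subs)))
    new_locs = current.locations - previous.locations
    if new_locs:
        reasons.append("new geographic location(s): " + ", ".join(sorted(new_locs)))
    if current.key_management != previous.key_management:
        reasons.append("change in management")
    for event in sorted(set(events) & TRIGGER_EVENTS):
        reasons.append("triggering event: " + event)
    max_age = timedelta(days=REVIEW_INTERVAL_DAYS[current.risk])
    if today - current.last_assessed >= max_age:
        reasons.append("periodic review due (last assessed %s)" % current.last_assessed)
    return reasons


def demo(events=(), days_since_baseline=184):
    """Constructed sample: a critical vendor quietly subcontracts part of the
    service offshore. The vendor and all details are fictional."""
    baseline = VendorRecord(
        name="Example Core Processing Inc.",
        risk=Risk.CRITICAL,
        services=frozenset({"core processing", "item imaging"}),
        subcontractors=frozenset(),
        locations=frozenset({"US"}),
        key_management=frozenset({"J. Doe (CEO)"}),
        last_assessed=date(2011, 3, 1),
    )
    current = replace(
        baseline,
        subcontractors=frozenset({"Offshore Imaging Ltd."}),
        locations=frozenset({"US", "IN"}),
    )
    today = baseline.last_assessed + timedelta(days=days_since_baseline)
    return assessment_reasons(baseline, current, events, today)


if __name__ == "__main__":
    for reason in demo(events=["data_breach"], days_since_baseline=400):
        print("-", reason)
```

Two design points matter here. First, the check is a diff between snapshots, so the register has to be refreshed from the monitoring sources listed above (notices, news, regulatory changes) for the subcontractor and location fields to ever change; the code only makes the consequence of a change unavoidable once it is recorded. Second, the event list is filtered against a fixed set of triggers, so noise from general news monitoring does not by itself schedule an assessment, while a breach or acquisition does even if the annual review was completed last month.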
When weighing these decisions it is critically important that you do not undervalue the benefit of this expanded knowledge of your vendors’ operations. By virtue of the services they provide, vendors now “own” many of the operational risks you previously managed internally. There is no shared accountability when one of your critical/high-risk vendors fails: an interruption or failure in their operations has a direct impact on your ability to conduct normal business and damages your reputation as well. The recent RIM outage and its impact on companies that rely heavily on BlackBerry devices is a good cautionary example.