The Risk in Vendor Risk Management
As we navigate the fallout of the worst financial crisis since the Great Depression, focus on the rapidly changing threats to information security, radically improve compliance infrastructures to support regulatory imperatives and work out new and sustainable business models, it almost seems unfair to throw another area of concern at banks.
Unfortunately, for those who would like a quieter life, I’ll argue that the management of key vendor risks must also be addressed. Historically, this area has demanded little attention outside procurement specialists and generally has not inflicted major earnings or reputational hits on institutions. Yet vendor risk management (VRM) needs sustained and comprehensive improvements if banks are to fully implement their enterprise risk management (ERM) programs.
As always, the first challenge to action is being aware of the risk. Many banks only associate vendor risk with formal outsourcing arrangements. While this is comforting, it is not reality.
Take a bank’s data center as an example. Most of us would agree that the data center, or modern-day bank vault, as I like to call it, stores pretty much every piece of organizational and client information that has value and needs to be managed and protected. It provides the infrastructure that allows the bank to operate – and if you don’t believe me, try running a modern bank without IT. As a result, most large banks manage their own centers and critical infrastructure.
When we look a little closer, however, we find that all the hardware, systems software, power systems and many of the business applications in data centers are provided by vendors. All these components need monitoring, maintenance, upgrades and integration. So it is impossible to operate the data center without relying on vendors, all of whom will have access to (or potential access to) the critical information infrastructure. Who can argue that this risk should not be properly managed?
Beyond critical infrastructure, nearly all banks use vendors for some product distribution, for professional and legal advice, and for the provision of information to support critical hiring (background checks), lending (credit bureaus) and trading (market data feeds). So, whether banks are involved in formal outsourcing or not, vendors are critical to their operation.
The second challenge is that there is considerable room for improvement in existing vendor management policies and practices. The lack of awareness of the importance of VRM has resulted in this area being primarily the domain of procurement rather than business or risk executives, and these procurement teams often nestle far down in the organizational chart with little influence over vendor strategy and risk – after all, who ever got to the top of a bank managing vendors? The result is an excessive focus on contract financial terms, with insufficient attention paid to the many other risk factors that need to be managed, such as service, continuity and information security.
Finally, whether banks accept it or not, the regulators are demanding improvements in VRM. In their supervisory work, they see how key vendors – often the same vendors across many banks – are critical to the management of operational processes and the provision of key information. These observations are now fully available to audit and risk committees and often formalized in supervisory Matters Requiring Attention (MRAs).
Dimensions of Risk
So, whether we accept the need to improve vendor risk management or have it imposed upon us, the key issue is how to respond. Before enhancing existing policies, procedures or skills, it is vital that we acknowledge all the potential dimensions of vendor risk. Most of us are familiar with financial risk – that the vendor may go out of business or that they may not have the ongoing capacity/skills to deliver the agreed services. To these we must add the following questions:
- Does the vendor have adequate backup arrangements available to avoid causing the bank service disruption? (Continuity Risk)
- Do they have any particular business practices or public positions that could damage the bank’s brand? (Reputational Risk)
- Does the vendor exhibit an unnecessary risk in regard to a particular location or country? (Concentration Risk)
- Do any of the vendor’s operations expose the bank’s data to being lost, stolen or amended? (Information Security Risk)
- Do the vendor’s operations comply with all key regulations? (Compliance Risk)
It is clear from this wide range of potential risks that no one individual or team can adequately address all issues and construct a foolproof contract and relationship. Each bank will likely have its own organization and governance structure for managing vendor risks, but for completeness it should cover:
- Comprehensive policies and procedures that establish clear accountabilities for the respective functions throughout the lifecycle of a vendor relationship.
- Risk models to ensure all assessment and monitoring activities are focused on the relationships most critical to the bank. In categorizing vendors by relative risk, banks typically rank 15% as high, 25% as medium and the rest as low risk. That said, the trend is to increasingly identify a higher proportion of high-risk vendors.
- Active monitoring of both the service and risk performance of the vendor. Typically these responsibilities are split between the Operations and Risk areas.
- Technology and information to improve the efficiency of the VRM process and to ensure accurate and timely reporting.
- Oversight and governance, typically through the bank’s Operational Risk Committee, to ensure adequate reporting, issue identification and escalation and policy adherence.
Having been through one of these processes, I can attest to the amount of work involved in significantly improving VRM, which involves nearly all areas of the bank and naturally competes with other critical work. That said, as banks have become increasingly information-intensive and less reliant on their own bricks-and-mortar for operations and distribution, they have become more reliant on vendors and the risk associated with these must be addressed alongside other key risks.
As banks engage on this process they, and the regulators, will likely discover some unforeseen information and consequences. Some of these findings will assist them in their commercial arrangements and some may not. For example, banks will discover how many vendors they have and the level of duplication in their portfolio. Funding comprehensive VRM will likely necessitate a reduction in vendors but also provide more accurate information on performance and risks to improve the bank’s negotiating position.
As the performance bar is raised for vendors, this is likely to reward the larger players who already have this infrastructure in place and can afford to refine and improve it. It will clearly be a challenge for small and developing businesses to establish these extensive risk management procedures without the scale of business to defray the costs, although such anti-competitive trends will likely catch the attention of policy makers.
Assuming the trend towards fewer, larger suppliers holds true, how does this drive negotiations with those vendors? For many of the major vendors, it’s not a question of whether you will do business with them but rather how much business. This implies a need for greater skill and nuance in negotiating contracts and relationships.
Finally, the concentration of suppliers has regulatory compliance implications. As we seek to protect the banking industry from unwelcome threats and intrusion, it’s clear that as much, if not more, damage can be done through “attacking” the major banking vendors as the banks themselves.