Increasing regulatory oversight affects the management of third-party relationships, but process automation can enhance the ability to conduct vendor management
For financial services providers (FSPs) banks, brokerages, insurers vendor management became an important issue in 2002. Today, these companies are trying to determine the best way to accomplish their vendor management objectives.
In late 2001, regulators such as the Office of the Comptroller of the Currency (OCC), Federal Financial Institutions Examination Council (FFIEC) and the Federal Deposit Insurance Corp. (FDIC) stepped up their emphasis on the risks inherent in reliance on third-party vendors. In parallel, the Basel II Accord was revised to specifically identify the issue of operational risk. Why?
A confluence of factors drove the change, such as weakened vendor balance sheets, an increased use of technology suppliers, new forms of business process outsourcing and the Gramm-Leach-Bliley Act (GLBA) of 1999, which served to facilitate affiliation among banks, securities firms and insurance companies.
While regulations might deter your use of third parties, FSP's rely heavily on suppliers to support their evolving business missions, such as new product innovation and administrative cost reduction and for good business reason.
For example, a bank offering a new equity line of credit product will likely rely on third parties for such things as home value appraisal, consumer credit ratings, marketing print design, radio and TV advertising, mail order fulfillment and mailing lists. Many of these parties will touch sensitive consumer data, and any resulting negative issues will reflect poorly on the bank itself. Therefore, sound vendor selection and management practices are essential parts of "good business," ensuring that FSP's needs are met by useful solutions at fair prices from viable suppliers.
Although compliance to the "letter of the law" may be the primary objective, this issue provides an opportunity to transform vendor management into a renewed value driver for your organization.
So, where are we now?
During 2002 and 2003, most institutions determined what vendor management policies were appropriate, and it's now time for those companies to assess the best way to implement these new processes. Many are considering automation as the best way to ensure compliance. For the first time, software packages are available to easily define, manage and optimize these important processes.
Types of Vendor Risk
Vendor risk is not a "one size fits all" proposition. Rather, the context of a particular vendor relationship determines the type of risks to assess and their relative significance. Further, risks change and evolve over the life of any relationship, requiring constant adaptation.
Examples of risk that could be appropriate to consider include:
1. Operational risk. This type of risk includes the impact a performance failure on the part of the vendor would have on an enterprise, such as if an enterprise outsourced a mission-critical back-office process and the vendor failed.
2. Financial viability risk. A vendor's financial viability should be considered, especially if the duration of the contractual relationship is long and/or there is volatility in the industry in which the vendor resides; hi-tech comes to mind.
3. Offshore risk. Offshore systems development and maintenance can be a compelling cost reduction opportunity. However, countries can become embroiled in political instability or even conflicts with neighboring countries.
4. Business continuity risk. Vendors must demonstrate appropriate policies and procedures to ensure continuity in the event of disasters and other material adverse events.
5. Capability risk. Relying on a vendor with limited experience in delivering similar solutions carries a risk versus using a proven (but perhaps much more expensive) provider.