The Regulatory Impact on Vendor Management

Increasing regulatory oversight affects the management of third-party relationships, but process automation can enhance the ability to conduct vendor management

For financial services providers (FSPs)  banks, brokerages, insurers  vendor management became an important issue in 2002. Today, these companies are trying to determine the best way to accomplish their vendor management objectives.

In late 2001, regulators such as the Office of the Comptroller of the Currency (OCC), Federal Financial Institutions Examination Council (FFIEC) and the Federal Deposit Insurance Corp. (FDIC) stepped up their emphasis on the risks inherent in reliance on third-party vendors. In parallel, the Basel II Accord was revised to specifically identify the issue of operational risk. Why?

A confluence of factors drove the change, such as weakened vendor balance sheets, an increased use of technology suppliers, new forms of business process outsourcing and the Gramm-Leach-Bliley Act (GLBA) of 1999, which served to facilitate affiliation among banks, securities firms and insurance companies.

While regulations might deter your use of third parties, FSP's rely heavily on suppliers to support their evolving business missions, such as new product innovation and administrative cost reduction  and for good business reason.

For example, a bank offering a new equity line of credit product will likely rely on third parties for such things as home value appraisal, consumer credit ratings, marketing print design, radio and TV advertising, mail order fulfillment and mailing lists. Many of these parties will touch sensitive consumer data, and any resulting negative issues will reflect poorly on the bank itself. Therefore, sound vendor selection and management practices are essential parts of "good business," ensuring that FSP's needs are met by useful solutions at fair prices from viable suppliers.

Although compliance to the "letter of the law" may be the primary objective, this issue provides an opportunity to transform vendor management into a renewed value driver for your organization.

So, where are we now?

During 2002 and 2003, most institutions determined what vendor management policies were appropriate, and it's now time for those companies to assess the best way to implement these new processes. Many are considering automation as the best way to ensure compliance. For the first time, software packages are available to easily define, manage and optimize these important processes.

Types of Vendor Risk

Vendor risk is not a "one size fits all" proposition. Rather, the context of a particular vendor relationship determines the type of risks to assess and their relative significance. Further, risks change and evolve over the life of any relationship, requiring constant adaptation.

Examples of risk that could be appropriate to consider include:

1. Operational risk. This type of risk includes the impact a performance failure on the part of the vendor would have on an enterprise, such as if an enterprise outsourced a mission-critical back-office process and the vendor failed.

2. Financial viability risk. A vendor's financial viability should be considered, especially if the duration of the contractual relationship is long and/or there is volatility in the industry in which the vendor resides; hi-tech comes to mind.

3. Offshore risk. Offshore systems development and maintenance can be a compelling cost reduction opportunity. However, countries can become embroiled in political instability or even conflicts with neighboring countries.

4. Business continuity risk. Vendors must demonstrate appropriate policies and procedures to ensure continuity in the event of disasters and other material adverse events.

5. Capability risk. Relying on a vendor with limited experience in delivering similar solutions carries a risk versus using a proven (but perhaps much more expensive) provider.

6. Legal risk. GLBA, for example, proscribes clear protections of customer data. Whenever customer data is shared with a third party, adequate security and protection procedures on the part of the vendor must be validated.

What Vendor Relationships Are Subject to Oversight?

Although other types of third-party relationships might be implicated, research suggests two primary sets of vendors that are subject to regulatory oversight. Benchmarking conducted with leading institutions has shown that a substantial number  between 50 and 400  of vendor relationships fall under the following categories:

Suppliers providing technology in support of core business processes
When you stop and consider it, your "information technology supply chain"  meaning the aggregate of software, hardware, telecommunications services, consulting and other services vendors  is the basis for most of your business-critical processes. Therefore, these vendors' performance is inseparable from your ability to run the business.

Suppliers performing functions on your behalf, such as outsourced business processes
Outsourced processing, such as automated clearing house (ACH), call centers, bill presentment, and back-office clearing, amount to reliance on these vendors to perform business-critical functions. The growing trend toward outsourcing more business processes with a larger number of niche suppliers means greater vigilance is appropriate.

Key Principles of Vendor Management

Auditability
Regulators will put the burden of proof on member institutions. It's not enough to have the right processes in place to manage your vendors. You have to prove it.

Many supplier interactions are undocumented or contained in disparate systems. It's hard to gather the basic data in support of an audit. Combine this with the numerous stakeholders involved and you encounter a situation where preparing for an audit is a huge undertaking.

Consistency
Another basis of accountability to regulators is the consistent application of the vendor management process. Lapses in applying the processes will be examined by regulators and flagged for corrective action.

What's especially challenging is the cross-departmental nature of supplier interaction. Consider how the stakeholders in legal, audit, procurement, line-of-business, risk and corporate finance all come together to collaborate on a common, defined process.

Linking Due Diligence with Ongoing Assessment & Audits
The continuum between vendor selection and vendor relationship management is important. Those risk factors that you consider during due diligence become the risk factors by which you must measure the vendor over the life of a contract. As the situation changes, risk scoring should be compared to a baseline that was established up front, before a vendor was even selected. In this way, periodic risk audits will provide the early detection that ensures corrective action is taken.

Potential Points of Failure

Institutions have documented their vendor management policies and gained the blessing of regulators. However, there is a false sense of security in letting the process end with a written document.

As you consider whether automation and strong process accountability is right for your company, evaluate the following risks to compliance:

* Lack of continuity between due diligence and ongoing oversight
* Assuming a paper-based policy will be followed
* Not considering the challenges of decentralized stakeholders

Automation to Ensure Compliance and Create Organizational Value

Automation Opportunities
In order to mitigate risks associated with vendor selection and management, FSP's should consider automating the vendor selection and management processes. An enterprise system ensures:

" Auditability. You can prove you conducted the proper activities. All activity is captured, documented and easily retrieved thereafter
Process linkage. Each step in the selection and management processes is correlated and linked
Collaboration and visibility. All internal stakeholders have direct access to appropriate information about the process
Flexibility. Systems map to your particular business structure, be it centralized or decentralized procurement governance.
Standards and reuse. Required practices are defined and applied repeatedly (e.g., in templates)
Task Management. Responsibilities for processes and tasks are easily defined and managed
Best value vendor selection. The assessment of a large number of supplier attributes across quantitative and qualitative measures is facilitated such that no meaningful attribute is neglected and objective/subjective factors are included
Supplier performance metrics. Selection attributes and any other performance measures are defined such that they can be measured and documented over the life of the contract. Contract terms are visible to all stakeholders.

What Can Happen Without Automation? A Due Diligence Example
An FSP decides to offer a new small-business credit card. Based on a marketing campaign, the FSP expects significant inquiries in response to the solicitation.

The process follows these steps:

1. The FSP determines that a call center needs to be established that can: a.) deal with the high inbound call activity and b.) properly describe the differentiated features of the credit card offerings.

2. The provider initiates a search for a third-party provider to perform this service for a period of one year. The provider must be in place within seven weeks because the marketing campaign is already in its final planning phase.

3. A selection team is formed, comprised of collaborators from product marketing, legal, finance, risk, information technology and purchasing functions.

The FSP's team encounters several challenges that could compromise risk principles:

* Urgency based on an imminent marketing campaign launch
* Scheduling meetings and effectively collaborating across the diverse set of stakeholders
* Difficulty documenting the evaluation criteria that will address each constituent's needs while balancing risk
* Temptation to accept vendor capabilities without actual verification (such as site visits, background checks, financial record review)
* Numerous unstructured discussions with the vendors, resulting in a volume of undocumented e-mails, files and phone conversations
* Attrition on the selection team due to resignation of a stakeholder
* Inability to effectively assess and respond to the volume and depth of all proposals

As you can see, this situation presents many threats to conducting appropriate due diligence that balances business need with risk and produces an auditable outcome.

Financial services providers face a daunting task in trying to balance the dual objectives of maintaining compliance and delivering business value.

Automation solutions are now available to enable these objectives in the face of complex sourcing events, numerous internal stakeholders, decentralized buying and a variety of services and goods being sourced.

About the Author: Marc Osofsky is vice president of marketing and business development at Frictionless Commerce, an enterprise sourcing software company based in Cambridge, Mass.

References

Office of the Comptroller of the Currency, Bulletin OCC 2001-47, Third-Party Relationships, November 1, 2001

Office of the Comptroller of the Currency, Bulletin OCC 2001-31, Weblinking, July 3, 2001
Federal Financial Institutions Examination Council, Risk Management of Outsourced Technology Services, November 28, 2000

American Bankers Association, Financial Modernization: the Gramm-Leach -Bliley Act Summary, November 12, 1999

Financial Services Roundtable/BITS, BITS Framework: Managing Technology Risk for Information Technology Service Provider Relationships, August, 2001