Alleviate Outsourcing Risks by Rightsizing Your Vendor Management Program

A previous version of this article was published in the August 2019  Callahan CPA Market Share Guide.

pool balls on billiard tableIn today’s highly competitive and increasingly complex banking industry, many financial institutions have placed significant reliance on outsourcing to provide a wide range of services. By doing so, however, organizations take on an additional level of inherent risk that’s become a particular focus of financial regulators in the past several years.

Focus on these third-party relations isn’t likely to dissipate soon. However, by carefully planning and developing a detailed, risk-based vendor management program specific to your institution, it’s possible to appropriately mitigate vendor management risks without overburdening valuable resources, while at the same time satisfying regulatory expectations.

This practice is commonly referred to as rightsizing and is a process that can help deliver results for your institution well into the future.

Create a Customized Vendor Management Policy

A critical first step in creating a solid vendor management program is to develop a robust and detailed policy that’s unique to your institution.

So-called over-the-counter vendor management policies are readily available for purchase, but using a one-size-fits-all approach could waste resources over time because noncritical activities can be overstated if the policy isn’t suited to your specific needs. 

Instead, your institution can spend time up-front tailoring a program unique to its needs. You’ll then be able to specifically assess risks in your third-party arrangements and define how management will monitor those risks initially, over time, and in keeping with board-established risk appetites.

Define Requirements Based on Risk

Regardless of which regulatory guidance your institution follows, time requirements spent on activities for critical and high-risk vendors far outweigh those of noncritical, low-risk vendors.

It’s essential you define expectations at each level. Specific parameters should be established for each risk classification of vendor and well-defined in terms of:

  • Contract review
  • Initial due diligence
  • Ongoing monitoring
  • Reporting and documentation requirements

A lack of definition and clarity at this point could result in low-to-moderate risk vendors needlessly classified as higher risk. This could lead to a subsequent loss of time and resources not only in the near-term, but also repeatedly over time.

Determine Documentation Standards

Whether your company is performing initial due diligence, contract review, or ongoing monitoring activities, documentation standards should be clearly established for each risk classification of vendor.

The risk classification can be categorized as low, moderate, high, or critical, with the most stringent requirements reserved for the highest risk vendors.

Failure to clearly delineate documentation requirements at each risk level could lead to inefficiencies as lower risk vendors would be subject to over documentation while adding little value to your program.

Again, this could occur not only upon the engagement of a new vendor, but also repeatedly over time as ongoing monitoring activities are performed year after year.

Create a Single Point of Ownership

Some vendor management programs are centralized through a single department, such as risk management or compliance, for example. Others are partially decentralized with vendor owners assigned at the business unit level, and the overall program oversite assigned to risk management or compliance.

Regardless of your program’s design, a single point of program ownership will help management apply policies and procedures consistently and appropriately across the organization as a whole.  

Failure to maintain program consistency could allow inefficiencies to creep into your program and go unnoticed by management.

Spending time up-front to critically assess your institution’s specific vendor management risks and uniquely tailor your program to target those risks will help you deploy resources more efficiently and effectively. 

Critical and high-risk vendors will be properly identified and receive the due diligence and monitoring efforts they require, while moderate- to lower-risk vendors can be adequately addressed in shorter time. This can free up management’s time to focus on other organizational goals.

Outsource Options

An equally important step in facilitating a vendor management program includes acknowledging your institution’s resource limits and understanding your options.

If, after careful self-assessment, you determine you don’t have the capacity to facilitate an adequate program in-house, consider looking to outsourcing options.

It may seem counterintuitive to look for a third-party solution to help manage your institution’s third-party risks.

However, legitimate outsourcing options can save valuable work hours by gathering critical and required vendor information such as:

  • Updated financial information
  • Service organization control reports
  • Proof of insurance
  • Other reports needed for ongoing due diligence

These solutions are widely available in the marketplace. 

Additionally, these services often maintain all required documentation in a single, centrally located repository that’s easy to access and can improve audit trails for auditors and examiners. 

When used appropriately, outsourced vendor management solutions can offer management significant assistance in meeting regulatory requirements in a manner that’s safe, sound, and cost-effective.

We’re Here to Help

In the past few years, the number of hours institutions devote to establishing and maintaining a comprehensive vendor management program have increased due to the increasingly complex nature of vendor relations and may now feel burdensome.

To learn more about how to set up a productive vendor management program or improve your current operations, contact your Moss Adams professional.

Related Topics

Contact Us with Questions