Does Vendor Size Matter?
Sometimes, but it doesn’t replace the need for vendor risk management
Some institutions try to simplify vendor management by picking the biggest vendor in each category. Going big lets them play it safe—or so they think.
But choosing the largest vendor is no replacement for solid vendor management.
Big vendors can offer a lot of benefits. They are traditionally stable, making them appealing for long-term relationships such as core processors. They are typically in good financial health and have a lot customers meaning they are experienced with the market.
But bigger doesn’t guarantee better. That’s why every critical vendor needs the same level of due diligence whether it’s big or small.
Just look at the guidance. The OCC says a bank needs to conduct due diligence so that is “selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.” The OCC doesn’t care about size. It cares about risk.
They key word here is critical. While some bankers think choosing a big-name vendor might get them off the hook for vendor management, other institutions are overzealous in their vendor management, failing to recognize the difference in managing a critical vendor verse a low-risk vendor, according to an article in The Wall Street Journal, “Banks Ramp Up Vendor Security.” Third-party vendors are being inundated with questions about cyber and data security, the article notes, even relatively low risk firms. This creates extra work for both institutions and their vendors.
The solution is a well-constructed and executed vendor management program. Whether you choose a large stalwart or an upstart vendor, make sure you have a solid vendor management program in place to justify your choice to regulators and appropriately deploy vendor management resources. From business continuity and data security to financial health and compliance culture, show that the vendor you’re choosing is worthy of your institution’s trust and that you’ve considered the risks.