There is temptation in the world of management. With regulatory scrutiny increasing and cost a concern, free vendor management checklists seem like an easy solution. But is that free checklist going to cost you down the road?
My experience says yes.
Free vendor management checklists are a disaster waiting to happen. From misclassifying vendor risk and misallocating resources to failing to provide an actual process for execution, vendor management checklists lack the nuance needed to help an institution efficiently and effectively manage vendor risk.
Let’s look at some of the biggest pitfalls:
It’s not tailored to your structure or processes.
Checklists are designed for the “average” institution. It’s a statistically abstract concept that doesn’t exist in the real world. Chances are your institution is bigger, smaller, more rural, more urban, more deposit heavy, more loan heavy, more technologically advanced, more conservative, more open to risk, or more dependent on mortgages than the average institution.
Regulators understand this variance.
That’s why they allow for flexibility in how vendor management is executed. Every institution is free to develop its own structure and processes tailored to its size and complexity. Your institution may have a chief risk officer and choose to use committees, or it may be a smaller operation with someone handling vendor management on a part-time basis. A checklist offers a one-size-fits-all approach that isn’t likely to be an ideal fit. You can end up spending too much on an overkill process or implementing an oversimplified structure inappropriate for your size and complexity. Both of these are big problems.
Its broad definitions of critical vendors can steer you wrong.
There is no master list of critical vendors. A checklist might encourage you to make a data storage vendor a critical vendor, but if your institution only uses that vendor to shred documents through an onsite intranet, that’s probably overkill, and it is a waste of resources that would be better spent on real critical risk vendors. It might also cause you to mislabel a vendor as low risk when your institution’s unique circumstances make it a critical vendor. For example, if geography limits vendor availability and the institution has just one choice, an otherwise ordinary vendor may become critical. You don’t want regulators pointing out a missed critical vendor, or the missed vendor not being able to recover from a storm that brings the institution’s operations to a halt.
Falling short on due diligence and monitoring.
Put too much faith in a free vendor management checklist and you can easily fall short on due diligence and monitoring. A checklist is essentially a to-do list. It can provide an institution with an initial set of marching orders, but that’s where it ends. It doesn’t show you how to get the job done, how far along in the process you are, or store your contracts, due diligence documents, and other information in a centralized place. It can’t remind you that a renewal deadline is approaching or that the institution still hasn’t received a vendor’s SSAE 18 form. You’ll still need a system for carefully tracking and regularly monitoring vendor management processes and documents.
There’s no audit trail.
Even if you manage to accomplish every item on the list, checkmarks aren’t exactly exam-ready documentation. You still need to develop a system to track every step of the vendor management process, including planning, risk assessment, due diligence, contract negotiation, ongoing monitoring, and termination. This is a huge undertaking since vendor management involves every level of the institution from board and management to employees. If it’s not documented, regulators will say it didn’t happen.
Different regulatory expectations.
Each of the regulatory agencies has slightly different expectations for vendor management. For instance, the Federal Reserve expects banks to specifically consider concentration risk when considering new vendors and managing existing ones, while other agencies include it under operational risk. The Office of the Comptroller of the Currency wants a system in place to integrate enterprise risk management (ERM) and vendor risk management. A generic checklist is unlikely to align with your regulator’s preferences.
Vendor management is about more than lists of critical vendors and vendor reports. It’s about understanding the choices and decisions an institution made in selecting a vendor and in actively choosing to continue its relationship. It’s about utilizing vendors that can be relied upon to represent the reputation of the financial institution. It’s documenting the justification for each decision and providing proof that the appropriate managers reviewed and approved it. It’s showing an institution’s approach to risk and how a vendor fits. It’s having the resources to analyze reports, monitoring efforts and vendor data to understand the risks in working with third parties. A free checklist simply doesn’t provide the board and management the necessary tools and processes to ensure continued vendor management compliance and continuity. Choosing a free checklist over a system that enables your institution to understand how to best manage vendors in a way that complements the institution’s size, complexity, and processes is a mistake. A mistake that can cost your bottom line or even get you in trouble with regulators.
You really do get what you pay for.