Banking and the world of risk and compliance management are chock full of jargon, concepts, terms, and acronyms—and it’s not easy to keep it all straight.
This blog breaks down two of the most commonly confused and misused concepts: enterprise risk management (ERM) and vendor management.
Let’s start with basic definitions:
Enterprise risk management (ERM): Enterprise risk management is a system for managing risk holistically throughout a financial institution to create value.
Vendor management (also known as Third-Party Risk Management): Vendor management is the process of overseeing third-party vendor and fintech relationships to reduce the risk these relationships pose.
Read also: What is a Third Party?
No, ERM and vendor management aren’t the same thing.
ERM is about identifying, assessing, mitigating, measuring, monitoring, and communicating risk. It’s a broad umbrella that addresses a full spectrum of risk including:
ERM is more than fending off risks as they emerge. It’s implementing controls, including policies and procedures, to ensure appropriate risk management is addressed at all levels—from strategic planning to daily operations. It touches every department, looking at risk as a series of “what ifs” to determine how an institution can prevent that “what if” from becoming an eventuality.
ERM is a team sport. Success depends on every player (or in this case, every department, function, or business line) contributing their knowledge and skills. While each one has a specific role and set of duties, no one operates on an island. They all must depend on each other.
The chart below is an oversimplification of ERM, but it gets the point across. You can see how ERM recognizes the connections between different elements of risk management and how they overlap. One of those pieces is vendor management.
Related blog post: ERM: Making the Connection
Every time a financial institution works with a third-party vendor, partner or fintech, it introduces potential risk. That’s because regulatory agencies (and the public) don’t differentiate between a financial institution and a vendor it hires to provide a product or service. If a vendor makes a mistake, it reflects poorly on the financial institution—and can end up costing it thousands, or even millions of dollars.
These risks include:
Download our whitepaper: The Top 10 Risks Vendors Pose to your Financial Institution
Some people confuse ERM and vendor management because, like ERM, vendor management requires addressing several kinds of risk. These include many of the same risks from the chart above.
However, vendor management only looks at these risks from the point of view of the vendor relationship. It assesses a vendor’s cyber controls and disaster recovery plans—not those of your institution. It looks at how vendors keep up with and comply with regulatory change. It doesn’t take stock of your own compliance management system (CMS). It reviews consumer complaints about vendors, not about your institution at large.
An ERM solution is no substitute for a vendor management program. While both are focused on risk, vendor management is focused on the vendor management lifecycle. This includes:
Related: Due Diligence Documentation: 9 Common Mistakes
While vendor management includes elements of ERM (such as risk assessments, monitoring, and reporting), a vendor management program is more specialized. It includes functions such as:
Contract management. Contract management is the process a financial institution uses to organize and oversee third-party vendor contracts and agreements. A good contract management system creates value by ensuring contracts are accessible, tracking key dates, and making it easy to identify important contract terms, including cost and performance expectations.
Vendor risk assessments. Different vendors require different levels of due diligence depending on their access to sensitive data and their potential for having a material impact on your institution. Vendor risk assessments help identify critical (or high-risk or tier 1) vendors that require enhanced due diligence.
Vendor onboarding. Long before a new vendor joins the fold, there need to be discussions about why outsourcing is needed and what a good vendor looks like. Vendor management requires a step-by-step process for vendor onboarding.
Due diligence document collection and analysis. Vendor management requires collecting and reviewing vast amounts of due diligence documentation. A good vendor management program has the tools to ensure all the necessary documents are collected and can help analyze pages of legalese to understand what they all mean.
ERM is not just about managing risk. It’s about applying the knowledge gained through good risk management to make better strategic decisions and more effectively reach goals and objectives.
Vendor management provides insights that feed into an institution’s overall ERM program by helping the institution identify, assess, manage, and mitigate the risk posed by third-party vendors, partners and fintechs. It’s one essential piece in the ERM puzzle.