Wipfli LLP - CPAs and Consultants

Vendor Management: Success Starts Upfront

January 01, 2007

Last in a three-part series on effective information technology management.

Safeguarding customer and financial institution information is an organization’s most critical responsibility—a task that becomes all the more significant when relying on vendor-provided IT systems, products, or services.

Outsourcing technology-related services can provide an institution with cost-effective expertise and enhanced services. However, outsourcing operational responsibilities doesn’t mean outsourcing accountability.

To the contrary, a financial institution must develop and maintain a comprehensive effort to govern vendor relationships. The board of directors and senior management must manage operational and reputation risk by implementing a structured and defined vendor management program.

Creating a strong framework

Before pursuing vendor relationships, an institution must first determine its philosophy regarding what services it will perform in-house versus those that are best outsourced. With these decisions, the organization can develop a vendor management policy to establish consistent guidelines for outsourced relationships.

A well-developed policy is one created and approved by an institution’s leadership and one that ensures the risks associated with outsourcing are fully understood and addressed. The policy provides guidance on risk analysis, vendor selection, and contract review. It must also be supported with assigned oversight responsibility to monitor each vendor’s risk management controls, financial condition, and contractual performance.

Selecting and directing

The broad scope of vendor management consists of two basic components: vendor selection and direct vendor management.

Selection starts with establishing service needs and determining vendor requirements, after which an institution can identify potential vendors and perform due diligence in selecting a provider.

Through due diligence, an institution seeks to satisfy itself regarding a vendor’s competence and stability, both financially and operationally. The organization should review a vendor’s qualifications, reputation, background, and financial statements and conduct a market share analysis. Conducting reference checks with a vendor’s recent clients and with those that chose not to enter into an agreement can provide additional insights.

Well-matched strategies are also important, and an institution should determine how the vendor’s offerings align with its own products, as well as whether the vendor can meet the institution’s future needs.

Ultimately, the institution must define acceptable service level objectives and validate that the vendor can meet them. When an institution enters into negotiations, ensuring a tight contract is crucial; if it’s not in writing, it’s not in the contract.

With a relationship securely in place, the institution can begin procedures for ongoing management and service monitoring.

Ongoing oversight

Vendor management is a responsibility that lasts throughout the life of a contract. Effective monitoring requires assigning a risk management officer to be responsible for vendor relationships. It also involves an assessment that categorizes vendors based on possible risk exposures, as well as the complexity of services being outsourced.

Through a criticality assessment, the institution lists its vendors and defines relationships based on their potential impact on the institution’s reputation, earnings, service, etc. This information allows the organization to then target its ongoing monitoring efforts and resources based on the criticality and complexity of the provider’s systems, processes, or services.

For all critical vendors, the institution should also conduct a thorough annual review. Doing so allows the institution to review the vendor’s current financial statements and any annual audits and evaluate its performance and responsiveness against original service level objectives. The institution has the additional opportunity to identify problems or service interruptions it may have encountered during the previous year and evaluate the adequacy of the vendor’s resolutions.

Furthermore, the institution can review any new product offerings and assess overall market share and competition. Results of the review should be documented and summarized for the bank’s board.

Leveraging IT

Truly effective IT management maximizes technology benefits and supports a financial institution’s enterprise-wide goals and objectives. Such success requires a dynamic, consistent commitment—from planning to assessing security risks to performing active vendor management.

What’s missing from your IT management efforts? There’s no time like today to address all-around integration and ensure optimum performance!