Third Party Vendor Management Presented by: Jay Bowman, CISA, CISM Director September 22, 2011



Vendor Management

• Frequent regulatory findings:

– Lack of policy and procedures

– Risk assessment not performed

– Lack of ranking scheme

– Due diligence findings

– Vendor oversight issues

– Lack of senior management and Board oversight


A Few Questions

• Does your bank have a vendor management policy? A defined program?

• Is responsibility for vendors centralized?

• How many vendors does the bank rely upon for products and services?

• Are there review processes for selecting new vendors and evaluating current ones?


Finding a Starting Point…


Vendor Management Topics

• Policy

• Responsibility

• Risk Assessment

• Selection of New Vendors

• Oversight of Current Vendors

• Reporting


Vendor Management Policy

• Establishes:

– Responsibility for program activities

– Triggering thresholds or characteristics

– Risk assessment requirements

– Procedures for selecting new vendors

– Procedures for evaluating current vendors

– Reporting requirements


Responsibility for Vendor Management

• Chief Financial Officer

• Chief Information Officer

• Purchasing Manager

• Legal

• Shared

• Other


The VM policy should fix accountability & responsibility.


Risk Assessment

(pre-decision to outsource)

• Potential impact on strategic goals

• Management oversight and evaluation

• Contingency plans

• Regulatory requirements & guidance


Risk Assessment

• Potential impact on strategic goals:

– Most vendors will not affect goal attainment

– Factors

• Unique product or service

• Key individuals

• “Significant” portion of revenues/profits

• Reputation


Risk Assessment

• Management oversight

– Does Management have the competence?

– Does Management have the time?

• Contingency plans

– Do others offer this product/service?

– Can it be brought in-house?

• Regulatory guidance

– What additional requirements are imposed?

Vendor Selection Process

• Identification of potential vendors

• Due diligence and selection

• Contract negotiation and award


Identification of Potential Vendors

• Trade literature

• Current vendors

• Other institutions

• Internet

• Trade association

• Other


Policy should lay out requirements.


Due Diligence and Selection

• Evaluation criteria

– Ranking

– Subjective vs. Objective

– Binary vs. Weighted

• Request for Proposal (RFP)

• Evaluation team

• Documentation

• Approval

Request for Proposal (RFP)

Advantages:

• Fosters agreement on:

– Scope of services

– Selection criteria

• All vendors on “level playing field”

• Easier to reach selection decision

• Easier to defend selection decision


Request for Proposal (RFP)

Tips:

• Evaluation criteria:

– “Mandatory” versus “most important”

– Weighting schemes vs. subjective

• Boilerplate

• Deadline extensions


Contract Award & Negotiation

• Scope of Services

• Term

• Price

• Service Level Agreement (SLA)

• Key Personnel

• Termination

• Audit Rights

• Other

Service Level Agreements

• Specific, measurable, auditable

• Scope of services

• Requirements of service quality

• Measurement of service quality

• Credits/penalties for achieving/failing performance targets

• Institution’s responsibilities

• Vendor’s responsibilities


Current Vendor Evaluation

Frequency and scope depend on vendor rankings and characteristics:

• Critical vendors: full scope/annually

• Important vendors: limited scope/annually

• “Commodity” vendors: may be exempt


Rankings Considerations

• Annual expenditures

• Processing of critical functions

• Uniqueness of product or service

• Access to customer information

• Management discretion

• Other


Vendor Evaluation Topics

• Financial stability

• Performance against SLAs

• Key personnel turnover

• Insurance coverage

• SAS 70/SSAE 16 (service providers)

• Disaster recovery testing & results

• Protection of customer information


Vendor Evaluations

Tips:

• Base evaluations on:

– Why the vendor is important

– The dimensions that carry greatest risk

• Provide for Management discretion

• Document evaluations/maintain files


Reporting

• Annual summary on vendor management

• Prepared by Management

• Presented to Board (or Committee)

• Covers:

– VM policy (any recommended changes)

– New critical vendors

– Summary of review of current vendors

– Other key information

Vendor Management Framework


• FIL-44-2008 “Managing Third Party Risk”

• FFIEC “Risk Management of Outsourced Technology Services” November 2000

• SR 00-4(SUP) February 2000 “Outsourcing of Information and Transaction Processing”

• Institution’s “Vendor Management Policy”

Questions and Answers


Contacts

For more information, please contact:

Jay Bowman
Director, Mid-Atlantic
4900 Ritter Road
Suite 222
Mechanicsburg, PA 17055
Phone: [email protected]