Four Steps to an Effective Vendor Management Process

By Benjamin Chisolm

Choosing a vendor to support your operations is a difficult, but important, task. Managing your vendor is equally important. Your institution can be exposed to many risks when outsourcing operational functions, as vendors are not your employees, and their priorities might not always align with those of your firm. While selecting and managing a vendor might not be easy, examiners will expect you to have a consistent and formalized vendor selection and management process in place. With that in mind, here are some of the key steps for ensuring that you have a strong vendor selection and management process:

Step 1: Develop a clear understanding of your business needs, translate those business needs into a comprehensive Request for Proposal (RFP), and conduct an appropriate assessment of the risk associated with meeting those needs by using a vendor.

Step 2: Identify a prospective vendor and conduct a due diligence review to determine (1) whether they have the knowledge, skill, and resources to meet your performance requirements and (2) whether they are financially sound, stable, and maintain an effective control environment. Use whatever external reports you have at your disposal to ensure that your analysis is accurate. This may include third-party reviews, customer references, and industry research. You could also review any audit reports and/or regulatory reports to which you may have access. Considerations should include:

  • Existence and corporate history (e.g., the company's articles of incorporation, state licenses, and any other documentation utilized to create the company)
  • Qualifications, backgrounds, and reputations of company principals (e.g., criminal background checks where appropriate)
  • Service delivery capability, status, and effectiveness
  • Internal control environment, security history, and audit coverage
  • Legal and regulatory compliance, including any complaints, litigation, or regulatory actions
  • Insurance coverage
  • Financial status, including reviews of audited financial statements

These practices are part of a robust due diligence program that thoroughly evaluates a vendor's initial proposal. But that doesn't mean due diligence ends with the selection of a vendor. The above information should be refreshed and evaluated on a periodic basis to identify changes over time.

Step 3: Once a vendor is chosen, draft a strong contract and Service Level Agreement (SLA) that explicitly defines the vendor's performance requirements and the recourse for nonperformance. The contract and SLA are critical aspects of the vendor selection process. It is essential that these documents provide for recourse or remedies in the event that the vendor becomes unable to perform the work required. It's also important that your operational requirements and risks are enumerated within the documents. The contract and SLA should stipulate which services the vendor is expected to perform and include agreed-upon metrics that will be used to measure vendor performance. An excellent resource for information and guidance on risks associated with information technology vendors is SR letter 00-17 (Guidance on the Risk Management of Outsourced Technology Services).

In addition to other contingencies for vendor-related issues (such as bankruptcies, disasters, or insurance), SLAs are considered the most important element of an operational support contract because they detail how daily services will be provided. At a minimum, an SLA should include:

  • Availability and timeliness of services to be provided
  • Confidentiality, integrity of proprietary data, and physical and logical security, such as encryption
  • Change control and information system configuration management
  • Security standards compliance, compliance testing, vulnerability management, and penetration testing
  • Business continuity planning, testing, and compliance
  • Customer help, problem resolution, and emergency response
  • An SLA monitoring process
  • Recourse for nonperformance
  • An issue escalation process
  • A dispute resolution process
  • A termination process

Step 4: Once the vendor is in place, there must be a consistent effort to execute ongoing oversight of that vendor, based upon the risk associated with the relationship or contract. Examples of such ongoing oversight include review of the vendor's financial statements (which should be available if the vendor is a publicly traded company), discussions with user groups, and review of SAS 70 reports.

Failure to maintain a robust vendor risk management program and SLA could expose your institution to compliance risk, legal risk, and reputational risk. These include risks arising from: violations of laws, rules, or regulations; noncompliance with internal policies, procedures, or the institution's business standards; failure of the vendor to maintain the privacy of customer records or to implement an appropriate information security and disclosure program; and security breaches involving customer information, among others.

Prudent banking practices mandate that every bank mitigate the risks associated with selecting and managing a vendor by having a strong vendor management process in place. Following the four steps above is a great start to help to mitigate those risks.

Benjamin Chisolm is a large bank examiner with the Charlotte branch of the Federal Reserve Bank of Richmond. He can be reached at
