By Benjamin Chisolm
Choosing a vendor to support your operations is a difficult, but important, task. Managing your vendor is equally important. Your institution can be exposed to many risks when outsourcing operational functions, as vendors are not your employees, and their priorities might not always align with those of your firm. While selecting and managing a vendor might not be easy, examiners will expect you to have a consistent and formalized vendor selection and management process in place. With that in mind, here are some of the key steps for ensuring that you have a strong vendor selection and management process:
Step 1: Develop a clear understanding of your business needs, translate those business needs into a comprehensive Request for Proposal (RFP), and conduct an appropriate assessment of the risk associated with meeting those needs by using a vendor.
Step 2: Identify a prospective vendor and conduct a due diligence review to determine (1) whether they have the knowledge, skill, and resources to meet your performance requirements and (2) whether they are financially sound and stable and maintain an effective control environment. Use whatever external reports you have at your disposal to ensure that your analysis is accurate. These may include third-party reviews, customer references, and industry research. You could also review any audit reports and/or regulatory reports to which you may have access. Considerations should include:
These practices are part of a robust due diligence program that thoroughly evaluates a vendor's initial proposal. That doesn't mean, however, that due diligence ends with the selection of a vendor. The above information should be refreshed and evaluated on a periodic basis to identify possible changes over time.
Step 3: Once a vendor is chosen, draft a strong contract and Service Level Agreement (SLA) that explicitly defines the vendor performance requirements and recourse for nonperformance. The contract and SLA are critical aspects of the vendor selection process. It is essential that these documents provide for recourse or remedies in the event that the vendor becomes unable to perform the work required. It's also important that your operational requirements and risks are enumerated within the documents. The contract and SLA should stipulate which services the vendor is expected to perform and include agreed-upon metrics that will be used to measure vendor performance. An excellent resource for information and guidance on risks associated with information technology vendors is SR letter 00-17 (Guidance on the Risk Management of Outsourced Technology Services).
In addition to other contingencies for vendor-related issues (such as bankruptcies, disasters, or insurance), SLAs are considered the most important element of an operational support contract because they detail how daily services will be provided. At a minimum, an SLA should include:
Step 4: Once the vendor is in place, there must be a consistent effort to execute ongoing oversight of that vendor, based upon the risk associated with this relationship or contract. Examples of such ongoing oversight include review of the vendor's financial statements (which should be available if they are a publicly traded company), discussions with user groups, and review of SAS 70s.
Failure to maintain a robust vendor risk management program and SLA could expose your institution to compliance risk, legal risk, and reputational risk. These include risks arising from: violations of laws, rules, or regulations; noncompliance with internal policies, procedures, or the institution's business standards; failure of the vendor to maintain the privacy of customer records or to implement an appropriate information security and disclosure program; and security breaches involving customer information, among others.
Prudent banking practices mandate that every bank mitigate the risks associated with selecting and managing a vendor by having a strong vendor management process in place. Following the four steps above is a great start to help to mitigate those risks.
Benjamin Chisolm is a large bank examiner with the Charlotte branch of the Federal Reserve Bank of Richmond. He can be reached at Benjamin.firstname.lastname@example.org.
Supervision, Regulation & Credit