The challenge with lifecycles is that they are on constant repeat. As soon as they are finished, it’s time to begin anew.
This holds true for vendor management—with an added catch. Not only do vendor managers oversee a never-ending cycle—they are managing a separate cycle for every single vendor. Like a plate spinner at a circus, they are constantly switching focus to ensure that the cycle is moving forward for every vendor and that vendor risk is in line with the institution’s risk tolerance.
It can be an overwhelming job, but there are ways to ease the vendor management workload. From investing some upfront effort into vendor management to knowing which of your activities deliver the most value to the institution, here are the most effective ways to reduce your vendor management workload while still ensuring your vendors are properly managed.
- Remember not every vendor requires the same attention. Your financial institution may have hundreds of vendors, but not every vendor requires the same level of scrutiny. Invest the time to risk assess your vendors and identify critical vendors that:
  - Could have a material impact on your institution’s financial condition,
  - Are critical to ongoing operations,
  - Have access to sensitive customer information, or
  - Pose a material compliance risk.
These are the vendors that you’ll want to focus on when it comes to due diligence and monitoring to ensure information security, business continuity, and compliance with state and federal regulations, among other key issues. Companies that provide you with office supplies, landscaping services, and other low-risk businesses require much less attention than core providers, fintech partners, and marketing companies that could pose a compliance risk.
- Create an organized vendor management program. Don’t reinvent the vendor management process every time a new third-party vendor joins your ranks. Make sure your institution has a vendor management program that addresses every step in the vendor management lifecycle—from assessing the business case for outsourcing to vendor due diligence, contract negotiation, and monitoring.
This shouldn’t be a process that just lives on your computer. It needs to be centralized and instilled in the processes of every business line and department involved in selecting and managing vendor relationships. While it takes time to implement a system and train everyone to follow it, it is a huge time and money saver down the road. It helps avoid:
  - Last-minute vendor reviews. Ever see a contract or get word of a new vendor only to discover that no one has done due diligence? You end up scrambling to do the research only to discover that there are some serious questions about the vendor’s reputation and now there’s a rush to find a new vendor. If you’d been included at the beginning of the process, you could have saved everyone time and enabled a much smoother process.
  - Duplicate vendors. Different business lines or branches might have two vendors providing identical services. Your institution ends up paying for the same work twice, and you end up dealing with the headache of which vendor to keep.
  - Signing contracts with vendors that don’t align with the institution’s long-term goals. When there is no vendor management process, vendors are added on an ad hoc basis without an eye towards long-term strategy. When the institution wants to add a new product or service, it may discover that the vendor it has a long-term contract with can’t support those plans. Untangling that mess will be a heavy lift.
- Optimize vendor management policies and procedures. Are you working in the most efficient way? Are you getting all the information you need to make good vendor assessments? Review your vendor management policies and procedures to understand how they align with your institution’s risk appetite and any other existing risk management practices and programs. You may find that other departments are doing work you can leverage.
- Outsource work that doesn’t require your specialized knowledge. When it comes to vendor management, you know your institution’s risk tolerance and strategic goals. You’re in the best position to monitor vendors to understand and report on the risk they pose.
To make sure you have time to dedicate to this important task, it can be helpful to outsource work that requires specialized legal knowledge but doesn’t require a nuanced understanding of your institution’s internal circumstances. For example, collecting and reviewing vendor due diligence contracts is time-consuming, involving plenty of back and forth and intensive reading. Letting someone else collect and summarize these documents can give you more time for interpreting what the results mean to your institution. Similarly, third-party cyber monitoring can give you real-time information on third-party vendor cyber controls, including actionable alerts telling you what to do if a problem is detected.
Another time-saver is outsourcing contract review. Contracts are long and surprisingly complex. Unless you have years of experience, it can be difficult to locate every significant provision. Instead of sorting through byzantine agreements, it’s often easier to have a professional review contracts for key costs and controls, including auto-renewals. This makes it easier to track dates and allows you to focus on ensuring the vendor is living up to its agreement.
- Automate wherever possible. Do you find yourself frequently asking and following up with vendor relationship owners to conduct assessments and provide information? Do you often look up dates to make sure you don’t accidentally miss an auto-renewal? Do you spend a lot of time creating reports?
Consider adopting a vendor management solution that can help minimize these administrative tasks with automated alerts, notifications, and report generation capabilities. It will free up time to focus on big picture issues like understanding vendor risk.
Michael Berman is Founder & CEO of Ncontracts, the leading provider of integrated risk management and lending compliance solutions for the financial services industry.