Fill in the blanks, or automate?

It’s a strict regulatory requirement that banks keep close tabs on all their vendors and pay particular attention to the ones that have access to confidential customer data. For many community banks, this has meant the creation and maintenance of spreadsheets that, depending on their complexity, list each vendor and rank them in degrees of risk. Such spreadsheets also can be used to rank the criticality of each vendor to the bank’s operations, giving a measure of the potential risks they may pose to the bank.

It seems simple, but as banks grow, they may engage hundreds of vendors and manage hundreds more contracts. It can be a full-time job to keep the spreadsheet squares up to date, accurate, and in accordance with changing regulations. Also, just because a particular vendor may not rank high on operational criticality, it may pose significant security risk due to its access to customer information. Then, when the person to whom this job is delegated and who set up the whole thing leaves the position, things are likely to fall through the cracks.

That’s why many banks are starting to migrate from the spreadsheet environment to an automated system. Those that have point to many positives. Once the automated system is set up, it can do everything a spreadsheet system can do and more, and—importantly—can do it better. It can help in overall contract management, provide automated alerts for upcoming contract renewals, allow for input from line-of-business managers, and keep the bank audit-ready at all times, thus forestalling the traditional week-ahead panic that the auditors are coming.

Such systems do pose challenges, particularly at the onset. First, a budget has to be made available to review, select, and install a system. It can be a four-to-six-month project to get it up and running. A system has to be customized to fit the bank, and that requires a complete examination and documentation of every contract the bank has.

Regulators weigh in

As regulators ratchet up requirements, it seems the shift to automation is inexorable. Don Saxinger, a senior examination specialist for FDIC, notes that 46% of bank IT exams in 2012 that resulted in downgrades were due to some sort of inadequate vendor management.

“From a regulatory perspective, all that we require is that you have a formal program,” he said during a recent ABA telephone briefing. “We don’t require you to use an automated tool or Excel or anything like that. ...What we are seeing is those who just have a flat Excel spreadsheet file; they are tracking risk priorities. They are tracking financial reviews and audits. So they are getting a lot of that. But what we’re also seeing is that automated applications do have some additional features, such as tying into other risk-management modules.”

Fortrex Technologies Inc. offers vendor risk-management tools designed for financial institutions. J. Michael Edison, CEO, said during the telebriefing: “A spreadsheet is viewed as something that’s free. We know that’s not the case. Somebody has to develop it, and as regulations change or guidance comes out, you have to stay on top of it and modify it. You typically don’t have multiple people using a spreadsheet simultaneously, which is why it’s a highly centralized activity. It’s not always the savings it may seem.”

“There are several questions you, as an institution, have to ask,” said Doug Johnson, vice-president of risk-management policy at ABA, who moderated the briefing. “Do you have a level of comfort with the manner in which you are tracking your vendors? Do you believe that you have a sufficient capacity, in a spreadsheet or otherwise, to be able to understand the risk associated with each vendor when contracts are up for review? If so, there’s no reason why you shouldn’t use a spreadsheet or some sort of less-sophisticated system. But I think every bank reaches a level, and this is particularly true in a community bank environment, where you have so many vendors you’re trying to manage, where that process can get basically uncontrollable.”

Processes come first

Minnesota’s Think Mutual Bank recently made the switch to an automated system. Joan Stiller, executive support manager and the project manager in charge of the months-long transition to the new system, acknowledged it required a great deal of effort. “We had to collect and inventory all of our vendors and contracts, and make sure we had the correct contact for every product we utilized. We did this for 100% of our contracts—not only for those with access to customer data.” The reason: “to look at the whole of our processes, in addition to regulatory compliance. Where could we add value beyond compliance for the bank? What we really end up with is a contract-management system, and that’s better than a spreadsheet.”

She continued: “A system can hold the documents linked into a mechanism that automatically sends notifications for renewals or terminations. It keeps a history.” As a result, vendor risk management now constitutes 20% of her responsibilities—down from 80% with the spreadsheet. The bank is always audit-ready. Line-of-business managers have direct input into the risk-rating system, although final signoff is centralized. System management is seamless as personnel shift. Unintended contract renewals are avoided, saving the bank money.

Perhaps just as important is the intangible benefit: “Overall, the process feels in control rather than overwhelming,” Stiller said.

They’re not all the same

Landy Dutton, vice-president and internal auditor, Summit Bank, Panama City, Fla., advocates automated systems, but said banks have to be careful. “Vendors don’t always understand the regulatory environment that you have to work in,” she said. “They think about criticality. They rate how critical a particular [contractor] is to our day-to-day operations. That’s one facet of risk. Another facet to risk is information-security due diligence. You might have a vendor that you share your customers’ confidential information with in order to provide an additional service to your customer, but they may not be ‘critical.’”

It’s possible that a bank may have some sort of automated management system and think it has security risk covered, but it doesn’t. “Look for software that either gives you a broad range of risk-assessment templates or which you can customize with your own questions,” Dutton said.

She agreed such systems pay for themselves eventually. “The larger you get, the more vendors and service providers you have. There’s a break-even point somewhere.”

Fortrex’s Edison listed the benefits of automated systems: Elimination of automatic contract renewal surprises; minimized exam prep time; prompt identification of where risks reside, and recommendations for mitigation strategies. Perhaps most important: Reduction of bad vendor experiences due to proper advanced due diligence.

Make it easier, not harder

Another key element: Find the right tool. “We looked at our processes and got our arms around them before we selected the automated tool,” said Stiller. The tool has to be flexible enough to handle the regulatory environment as well, Dutton noted. “If the tool comes with canned risk assessments that can’t be changed, and they sell this tool to other companies besides banks, then it has to be customized.”

Still, the point is to make things easier, not harder, noted ABA’s Johnson. “When you find yourself spending more time managing the spreadsheet than managing your vendors, that’s when you should evaluate whether a more automated system will be appropriate for you.”