Bank risk management is not what it used to be—it’s much more than it used to be.
Many factors not traditionally associated with the risks that banks face are now at least as important as the longstanding ones. Among these newer risks are BSA/AML, cyber risk, model risk, and vendor management.
In a way, vendor management is an amalgam of all of the elements listed above. It starts with thoughtful policies about how to rate the importance of the service that a vendor supplies, and how to assess and oversee the vendor's qualifications and fit to perform that role.
I’m sure most banks have adopted appropriate policies and procedures by now, with perhaps an occasional “suggestion” from the regulators for enhancement. In this blog, I’d like to focus on making vendor management work in practice.
As a bank manager, that’s what you care about. As for regulators, a great program on paper won’t mean much if deficient practices are uncovered.
A good program depends on a good beginning
Effective vendor management, like all other risk management efforts, starts with the right risk culture.
That means that the business manager responsible for the function accepts the benefit to be derived from a quality vendor management process. Inherent in that acceptance must be a willingness to be accountable for the risks the vendor relationship poses.
If such accountability is not yet part of the culture in your bank, it needs to be built. Accountability is the foundation for success in nearly every risk management endeavor.
Vendor management personnel have the responsibility to perform as effective partners with business managers, and to build a reputation for doing so.
Vendor management units can all too easily come to be seen as compliance-oriented taskmasters. Therefore, vendor management personnel should always:
• Help solve problems.
• Take on tasks that the vendor management unit can perform more easily than the business unit can.
• Establish positive relationships with personnel at the vendor as well.
Put aside the red tape
Once the business manager is on board and recognizes the value of the process, I suggest forgetting about regulations and paperwork as the first step. Doing so underscores the problem-solving, value-oriented approach that keeps the business unit management team fully engaged.
This is never more important than when the bank is considering outsourcing an activity currently performed internally, or is considering a new vendor to replace an existing one.
If you become a member of the vendor management team, brief yourself on the business unit being assisted and its previously identified risks and controls. Have an open discussion with the business manager about the specific activities in question, how they are currently handled, and what the objectives are in bringing on a new vendor.
Once the business manager and the risk unit share an understanding of the activity and its risks, the largest hurdle to an effective vendor review and approval process has been overcome. The process can then be attuned to address the risks that really matter, so both the business and risk personnel can see that the process really makes a difference.
More modest effort can then be put into policy requirements that are not as important under the circumstances. In fact, this allows for a more general, flexible set of policy requirements so long as implementation is of high quality.
Proper focus meets regulatory review
The approach that I've outlined works well in practice, and it is my experience that it is well accepted by regulators.
I know of a case in which management had only a very general risk management policy in force that did not specifically address a recently acquired division of the bank. During an examination of the division, the examination team rightly requested a vendor management policy for the unit.
Management had nothing but the general policy to offer. But the management team had recently taken on a new vendor for one purpose and had evaluated, but rejected, another vendor for a different process. In both cases the vendor management processes observed were of high quality.
Management conceded that it did not have a fully formed policy in effect. Instead, it offered up a brief memo to demonstrate that it was in fact observing high-quality vendor management practices.
In the memo, management described:
• Processes it observed.
• Risks the vendors were expected to address.
• How the business and risk units conducted the diligence efforts.
• Approvals by the appropriate risk units.
• How management reasoned to its ultimate conclusion.
It was helpful, under these less-than-ideal circumstances, that one vendor was accepted and one was rejected. Each vendor was of high quality, and the one that was accepted was fully equipped to fulfill its role.
For the other vendor, management and the risk function, working together, had identified a key risk issue in the process that management wanted fulfilled. After a full diligence effort and detailed negotiations, it was determined that the vendor under consideration could not provide the necessary comfort, and the parties agreed that the arrangement would not work.
The regulator found all this acceptable and issued a report with no exceptions regarding vendor management.
Take the right lesson here
This episode is not an argument that fully documented policies on the very important topic of vendor management are unnecessary.
Instead, I've told this story to depict how effective vendor management can promote bank safety and soundness in a practical manner that in fact satisfies bank management first.
When well executed and well documented, it can go a long way toward satisfying regulators as well.