Vendor Risk Management: When It’s Done Right, It’s Never Done

By Nick Fortuna

Small banks seeking to manage risk from vendors and other third parties share something in common with a mom-and-pop retail store: They’ve got to continually take inventory.

Eric Holmquist, president of Holmquist Advisory, an enterprise risk management consulting firm, says the key for small banks seeking to better manage risk from vendors is to rank those third parties according to their level of risk and continue to perform due diligence throughout the life of the relationship.

“It’s important to maintain a comprehensive and current inventory of all third parties where you’re risk-ranking them based on the criticality of the service they provide along with the level of information that you’re exposing to them and developing an appropriate due-diligence process commensurate with the level of risk of each of the vendors,” Holmquist says.

He adds that many community banks historically have failed to stay on top of their third-party relationships, often because of a lack of manpower and resources. Small banks typically focus on two or three core vendors that pose the most risk due to the important services they provide and the personally identifiable information they have access to, he explains.

But those core vendors typically aren’t the ones that pose the biggest problems for banks, Holmquist says, because they usually are large enough to have fairly significant control infrastructures and risk management programs. The problems typically stem from second-tier vendors that are still critical to the bank but may not be big enough to have adequate risk management infrastructure in place, which creates exposure for the bank.

“I often say that if you don’t have a complete inventory of every third party that has your data, you don’t have a vendor management program,” Holmquist says. “That’s the tough-love answer. These inventory pieces sometimes are where we see the biggest problems. If you don’t have a good inventory, you’re done. The rest is meaningless.

“For an average community bank, if you’re really doing proper vendor due diligence, this could very quickly become someone’s full-time job,” he explains. “That seems very hard to believe for a lot of people, but the process of doing ongoing due diligence with a decent chunk of vendors can be very time consuming. But it’s a good thing; it’s a good practice.”

Ana Foster, a vice president and risk and compliance officer at Cambridge Trust Co., a $1.5 billion bank in Cambridge, Mass., says community banks rarely have the resources to dedicate someone solely to managing vendors. Instead, that responsibility often is handled on a part-time basis by a bank employee who has other responsibilities, such as IT.

But for small banks that can dedicate an employee solely to third-party risk management, the investment pays off, Foster says.

“The most important tool we have is a person who is dedicated to vendor management,” she says. “And that has put us in a position of having someone who can maintain the expertise on an ongoing basis and also has the time to work closely with the business side who owns the relationship and can work with the vendor or other stakeholders within the bank when necessary.

“One of the keys to success for our vendor person is that he has a technology background. He understands technology, but he also understands the banking side of it and understands that it’s not all about technology.”

Michele Sullivan, a partner at Crowe Horwath, a public accounting and consulting firm, says many small banks make the mistake of only scrutinizing a vendor at the start of the business relationship, when the bank is determining which vendor to use. Instead, banks should recognize that third-party risk management is an ongoing process that doesn’t end until the termination of a contract.

Sullivan points to the recent mortgage foreclosure crisis as proof of what can happen when banks don’t perform an ongoing evaluation of a third party’s business practices. Since 2011, banks have paid roughly $2 billion in restitution and civil penalties stemming from the noncompliant policies of third-party law firms hired by banks to handle foreclosures.

“Right from the point of initiating a third-party relationship with a vendor all the way through risk assessment, contract management, ongoing monitoring, and then through contract renewal or termination, that’s considered the lifecycle of the arrangement,” Sullivan says. “Banks need to understand third parties’ business practices and then periodically assess those key risk issues with those third parties. It’s not just a one-time assessment, it’s an ongoing process.

“The operational risk and reputational risk related to third parties can be significant, and the expectation for banks is that they’re really monitoring those activities as if they were conducting those activities themselves. Outsourcing services to a third party doesn’t relieve the banks of that responsibility.”

As part of the due-diligence process, banks should ask vendors what will happen if there is an issue such as a data breach, Sullivan explains. What is the mechanism for reporting that breach to customers, and what is their process for managing that issue?

The problem of data breaches is widespread and severe. According to a report issued last September by the Ponemon Institute, which does independent research on privacy, data protection and information security policy, 43 percent of companies have experienced a data breach in the past year, up 10 percent from the year before.

Other questions to consider include: How are the vendor’s employees trained? Are there diversity policies in place? Is the vendor hiring subcontractors to handle certain services, and if so, what mechanisms are in place to ensure that those subcontractors comply with all regulations? And in the rare case of a natural disaster, are the data properly backed up, and how long will service be down?

Banks also should insist that vendors sign a code of conduct that makes it clear that the bank expects the vendor and its employees to operate in an ethical, professional and responsible way.

For those wanting detailed guidance on dealing with vendors and other third-party relationships, Sullivan points to Office of the Comptroller of the Currency bulletins on third-party risk. Among the many topics covered in those documents is the idea that banks need an ongoing monitoring system to evaluate risk posed by third parties and vendors.

Given all the inherent risks of third-party relationships, many banks might think that bringing vital infrastructure and services such as IT in house is the right move, but there are several challenges to doing so, foremost among them the cost and the difficulty of finding top-tier talent.

“There are 6,000-plus banks, all of which are trying to get an arm around risk management and are fighting for the same talent, and there’s just not enough to go around, so there’s been a real drain on talent in this industry,” says Ryan Rasske, SVP of risk and compliance at ABA. “As the laws and regulations become more complex, and vendor risk management is a piece of that, it’s taken a toll on how many experts are available.”

Michael Edison, chief executive and founder of Fortrex Technologies, a risk management adviser that developed the VendorPoint automated third-party risk management system, says the cost benefits of outsourcing make it very unlikely that banks will bring services back in house.

“I think bringing services in-house is long gone,” he explains. “I don’t see any evidence of any banks moving in that direction, and the reason is the cost. If you look at the big vendors like Fiserv and Jack Henry and how much they’ve grown and all the acquisitions they’ve made, they’re only getting bigger.”

With third-party relationships playing such a central role for banks, Edison says banks should consider implementing an automated system to make risk management simpler. (ABA, through its Corporation for American Banking subsidiary, endorses Fortrex’s VendorPoint automated risk management program, as well as a related solution called VendSure, which provides due diligence and analysis information on vendors.)

Edison says banks should evaluate how much money and time they are spending each year to search for contracts, turn to subject-matter experts to review issues and chase down vendors for due-diligence information.

He adds that banks often lose money because their contracts with vendors automatically renew months before they are set to expire; since the management of their third-party relationships isn’t automated, banks often aren’t aware that they’re re-signing with an underperforming vendor until it’s too late.

“Banks should take a look at those hidden costs because all of those things add up,” Edison says. “How much money did they lose because contracts auto-renewed when they shouldn’t have? Put a dollar figure on that and understand what that’s costing you, and I promise you, it’s costing them more than it would to have an automated solution that would make almost all of that disappear.”
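The two practices the article keeps returning to, a risk-ranked vendor inventory with due diligence commensurate with each tier (Holmquist) and tracking auto-renewal deadlines so a contract is not silently re-signed (Edison), are illustrated below in a small Python register. This is an added example, not code from the article or from any product it mentions; the vendors, the scoring rule, the review intervals and the notice windows are all constructed assumptions, not regulatory values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: how often each risk tier gets a fresh due-diligence review.
REVIEW_INTERVAL_DAYS = {1: 90, 2: 180, 3: 365}

@dataclass
class Vendor:
    name: str
    criticality: int            # 1 = commodity service .. 3 = bank cannot operate without it
    data_exposure: int          # 1 = no customer data .. 3 = PII / account data
    contract_end: date
    notice_days: int            # days before contract_end by which non-renewal must be sent
    last_review: date

def risk_tier(v: Vendor) -> int:
    """Rank by criticality of service times level of data exposed (1 = highest risk)."""
    score = v.criticality * v.data_exposure
    if score >= 6:
        return 1
    if score >= 3:
        return 2
    return 3

def review_overdue(v: Vendor, today: date) -> bool:
    return today - v.last_review > timedelta(days=REVIEW_INTERVAL_DAYS[risk_tier(v)])

def renewal_deadline(v: Vendor) -> date:
    """Last day the bank can still opt out before the contract auto-renews."""
    return v.contract_end - timedelta(days=v.notice_days)

def inventory_flags(vendors, today: date, lookahead_days: int = 60):
    """Return (vendor, reason) pairs that need a human's attention this cycle."""
    flags = []
    for v in vendors:
        if review_overdue(v, today):
            flags.append((v.name, "due diligence overdue"))
        deadline = renewal_deadline(v)
        if today <= deadline <= today + timedelta(days=lookahead_days):
            flags.append((v.name, f"auto-renew notice deadline {deadline.isoformat()}"))
        elif deadline < today < v.contract_end:
            flags.append((v.name, "auto-renewed: notice deadline passed"))
    return flags

# Constructed sample inventory (fictional vendors and dates).
SAMPLE = [
    Vendor("CoreProc", 3, 3, date(2015, 12, 31), 180, date(2014, 11, 1)),
    Vendor("StatementPrinter", 2, 3, date(2015, 6, 30), 90, date(2015, 1, 15)),
    Vendor("Landscaper", 1, 1, date(2015, 3, 31), 60, date(2014, 6, 1)),
]

def sample_flags(today: date = date(2015, 3, 1)):
    return inventory_flags(SAMPLE, today)
```

Run as a periodic job, the third case is the one Edison describes: a low-risk contract whose opt-out window closed unnoticed, now carried for another term.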

Nick Fortuna is a freelance writer in New York.