Anywhere your company is spending money for a product or service, well, that’s a vendor of some sort. As part of your vendor management, you need to start by knowing who exactly your vendors are.
A best demonstrated practice is to periodically have your accounts payable area produce a list of all payments made… which means you’ll have thousands of records...!
Fortunately, only a small number from the list will require full oversight and due diligence once you weed out the single use and/or no-risk suppliers.
Let's walk you through some helpful steps that can help guide you as you continue to create and manage your list...
And side note, the information below is intended to supplement a fully documented vendor management policy and program.
Creating Your Vendor List
1. Establish a threshold for vendors to be reviewed. This can be determined by setting a targeted expenditure amount (e.g., all payments made to a service provider over $50,000 on a quarterly basis)
2. Request from Accounts Payable a report detailing all expenditures over the threshold amount to include the name of the service provider, the frequency of spend and the amount of spend
3. Review the list, often received in Excel or a custom query format, for accuracy
4. Determine which items should be removed; typically, there are certain expenses that may not actually be forward-looking recurring expenses but anomalies or discontinued service providers which can be removed from the list
5. Determine any vendors that should be removed because they are mandated by the board or audit committee (e.g., a consultant hired to produce a board-level recommendation)
6. Communicate to the senior management team the need for a detailed review of the list to determine which ones are going to continue to be used
7. Once finalized, this will often pare the Accounts Payable list by 2/3 or more into a list of vendors who need to be actively managed from a risk standpoint
8. Once finalized, present to senior management or risk committee for approval
9. Compare the list to the documented scope in the policy statement and adjust the scope if needed and get approved by the board
Now, repeat the entire process at least twice a year!
Managing Your Vendor List
13 points to help guide you as you manage your vendor list...
1. Once the final list is determined and approved, the basic list itself should be stored electronically for easy review and examination purposes
2. Ideally, as new vendors are planned to be added, the business unit follows a formal process to have them added based on a process described in the vendor management program document
3. The vendors that are to be actively managed need to be risk rated. Consider first whether they are a “critical vendor” by asking if a sudden loss of the vendor would cause a material disruption to the business, if the disruption would impact the institution’s customers, or if the return to normal operations would take longer than a business day. If the answer to any of these is “yes”, then they are a critical vendor.
4. Next, consider any possible categories of risk (e.g., but not limited to, Operational Risk, Transaction Risk, Financial Risk, Compliance Risk, Strategic Risk, Reputational Risk, Expense Risk)
5. Ideally, an objective questionnaire should be applied for each category of risk to arrive at an inherent risk rating for each category and aggregated to a total risk score. These objective questionnaires are typically available through such sources as Shared Assessments SIG or SIG lite or in a scorecard prepared by subject matter experts in the institution, yielding a rating such as high, medium or low for each category
6. Once this inherent risk assessment has been created, carefully consider what steps can be taken to reduce any areas of high or medium risk; for example, if they are a high transaction risk, perhaps set up ongoing transaction monitoring to quickly catch any anomalies; or if they are a high compliance risk, consider gathering a copy of their regulatory compliance policies as part of due diligence
7. Once these controls are in place, review and determine if they more satisfactorily answer the questions; if so, their residual risk may be lower than their inherent risk
8. The result of these risk assessments and accompanying narrative should be stored
9. Typically, Excel spreadsheets or Word documents are not sufficient since they lack the ability for mass updates or for easy tracking. More sophisticated programs require a software platform specifically designed for vendor management purposes
10. The results of the risk assessment, in aggregate, should be included in reports to senior management and the board.
11. The information learned in the risk assessments should be refreshed on a regular basis; a best practice would be to review Critical or High risk vendors annually, Medium risk every other year and Low risk in advance of a contract renewal.
12. The results of the risk assessment inform the depth of due diligence review or frequency and type of ongoing monitoring.
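The critical-vendor test in step 3, the inherent-to-residual rating in steps 5 through 7 and the refresh cadence in step 11, worked through as an added Python example that is not part of the original article; the questionnaire thresholds, the one-step-per-control reduction and the sample vendor are constructed assumptions, not Shared Assessments SIG rules.

```python
# Added example: vendor risk rating per steps 3-7 and the refresh cadence in
# step 11. Questionnaire thresholds, the one-step-per-control reduction and the
# sample vendor are constructed assumptions, not Shared Assessments SIG rules.
SCORE = {"low": 1, "medium": 2, "high": 3}
ORDER = ["low", "medium", "high"]

def is_critical(material_disruption, customer_impact, recovery_over_one_day):
    """Step 3: a 'yes' to any of the three questions makes the vendor critical."""
    return material_disruption or customer_impact or recovery_over_one_day

def rate_category(yes_answers, total_questions):
    """Step 5: rating from the share of 'yes' answers on one category questionnaire."""
    share = yes_answers / total_questions
    return "high" if share >= 0.66 else "medium" if share >= 0.33 else "low"

def aggregate(ratings):
    """Step 5: total score across categories; overall rating is the worst category."""
    total = sum(SCORE[r] for r in ratings.values())
    return total, max(ratings.values(), key=SCORE.__getitem__)

def residual_ratings(inherent, controls):
    """Steps 6-7: an effective control (e.g. ongoing transaction monitoring for a
    high transaction risk) lowers that category one step; others are unchanged."""
    return {cat: ORDER[max(0, ORDER.index(r) - 1)] if controls.get(cat) else r
            for cat, r in inherent.items()}

def refresh_cadence(critical, overall):
    """Step 11: critical/high annually, medium every other year, low at renewal."""
    if critical or overall == "high":
        return "annually"
    return "every other year" if overall == "medium" else "before contract renewal"

def assess_sample_vendor():
    """Constructed sample: a payment processor whose outage would reach customers."""
    critical = is_critical(False, True, False)
    inherent = {"transaction": rate_category(5, 6),   # high
                "compliance": rate_category(2, 6),    # medium
                "expense": rate_category(1, 6)}       # low
    residual = residual_ratings(inherent, {"transaction": True})
    total, overall = aggregate(residual)
    return {"critical": critical, "inherent": inherent, "residual": residual,
            "score": total, "overall": overall,
            "refresh": refresh_cadence(critical, overall)}

if __name__ == "__main__":
    print(assess_sample_vendor())
```

Note that the sample vendor stays on the annual refresh cycle because it is critical, even though its residual overall rating has dropped to medium after the transaction-monitoring control.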
Ongoing Maintenance of Your Vendor List
How do you keep the list and your process current?
1. Establish, with the assistance of the institution’s compliance or legal function, a requirement that all new potential vendors follow the documented process
2. Be prepared to report any deviations from the process to the appropriate senior management team
3. Not all vendors must go through the full risk assessment and due diligence process, as some will be determined to be one-time use or materially insignificant (e.g., an office supply provider, a one-time use consultant). Those that are readily apparent should not be added to the actively managed vendor list
4. At least twice a year, review the entire list as described above through accounts payable and involve senior management in the determination
5. At least annually, present the vendor management policy and program to the board for renewal and, if new regulatory guidance is issued, update and present for approval.
6. In advance of a vendor coming up for renewal, follow the same process as a new vendor, except bring in any sort of experience-based information that may result in either a non-renewal or a need to change relevant terms, such as required reporting or contractual provisions. Ideally this is done at least a full quarter prior to the timeframe required for notification of non-renewal.
Make sure you have the resources to accomplish all of this
This is no small workload!
Make sure your staffing and resources (internal or external) are adequate to address the number of vendors you have. And if not, it may be time to consider outsourcing the work.