Bankers have been evaluating, selecting, contracting, partnering and un-partnering with third parties in the normal course of business at least since the beginning of modern banking. Getting the “best deal” at contract time should not be the only objective. Making sure your institution gets the right contractual provisions can save you trouble and money in the long run.
All bankers are familiar with the basic risk management process – identify, assess, mitigate and monitor. Apply that process to working with vendors and you have a good start to an oversight program. While vendor cost and capabilities are crucial factors, they are not the only factors when evaluating and selecting a partner.
Outsourcing risk includes:
- Operational – risk of improper or incorrect service; data or information security failures or loss; technology or service disruption; or intellectual property infringement.
- Strategic – ability to execute strategies through availability of products and services; ability of the vendor to keep current with the market; prohibitive vendor service costs; or lack of control over resources.
- Financial – locking in pricing for the agreed-upon services; managing inflationary terms typical of such agreements; and being aware of contract relationship changes and termination provisions, which can have large financial ramifications.
- Regulatory – vendor agreements are subject to the FFIEC IT Examination Handbook, Interagency Guidance on Risk Management of Outsourced Technology Services and Interagency Guidelines Establishing Standards for Safety and Soundness.
- Compliance – under the Gramm-Leach-Bliley “Safeguards Rule” and state data security laws, each institution must exercise appropriate due diligence when selecting its vendors; require its vendors by contract to implement appropriate measures as required by law; and set up ongoing vendor monitoring.
A proper risk assessment process gives bank management the opportunity to more thoroughly identify and consider threats to the bank’s business before entering into long-term vendor relationships. An in-depth vendor due diligence process will greatly enhance your risk assessment process.
Due diligence regarding a potential vendor relationship includes fully understanding and assessing the type of relationship being considered. Some points to consider:
- Vendors may be new companies to the business/industry/service area
- Niche providers and specialization often result in needing multiple vendor relationships
- What are the ramifications to your business if the vendor is not able to deliver as promised?
- Who owns the vendor, and what type of ownership exists?
Assessing the Risk
In assessing the ability of potential vendors to meet your business requirements, we recommend using tools for evaluating vendor responses against your requirements and criteria. This requires documenting your requirements and mapping the vendor’s abilities to meet those requirements.
This will also help you assess the risks involved in moving to a potential vendor. Beyond system requirements, information should also be obtained so that you can assess the transparency of the vendor’s internal controls, the vendor’s capabilities and constraints, and the vendor’s financial condition and trends.
The contract with the vendor is your principal risk mitigation tool. Before a contract is signed it should be thoroughly reviewed to make sure contractual provisions are included to help your institution manage risk in nearly every conceivable business situation. At a minimum, your vendor agreements should include:
- Service Level Agreements for performance
- Defined term and end of term responsibilities
- Ownership and access to your data and information
- Confidentiality, privacy and data security
- Disaster Recovery and Business Resumption
- Deconversion terms, requirements and costs
- Implementation milestones
- Third party reviews and audit rights
- Early termination conditions, costs and responsibilities
If you find your time is constrained and you are unable to perform proper due diligence and risk mitigation, you may want to consider the help of experienced professionals to guide you through, or take responsibility for, this process. An experienced professional will have the tools and experience to work through the process while you continue to run your bank.
Once your new vendor is in place you’ll want to continue with ongoing oversight and monitoring to make sure that the terms of your contract are met, and the product or service continues to meet your needs. Build your ongoing oversight program from the due diligence done prior to the execution of the agreement.
Assign a bank officer to the vendor who will be responsible for documenting performance issues, holding regular meetings with the vendor account manager and reporting regularly to the appropriate senior officer. Additionally, the vendor should be incorporated into your overall vendor management program, which should include a regular review of the vendor’s third-party audits, financial statements and performance against service level agreements.
And remember, don’t get caught without enough time to fully negotiate and discuss issues with your vendor prior to contract renewal. Plan to evaluate your vendor relationship well ahead of expiration so that you leave time to negotiate new terms, consider other vendors, and possibly even change systems if you are not satisfied.