How are financial institutions handling vendor management for 2017? After surveying over one hundred people, we have good and bad news to share, data to back it up, and suggestions for how to make the bad news good.
Vendor Management Bad News
As we often prefer to hear the bad news first, here it is...
- Financial institutions don't dedicate enough resources towards vendor management.
95% of financial institutions have five or fewer full-time-equivalent (FTE) employees dedicated to vendor management.
14% do not have any FTEs in a vendor management role.
Only 8% of institutions reported spending more than $50,000 on vendor management per year.
41% of institutions spend less than $5,000 per year.
20% of institutions make no additional investments in vendor management.
Institutions that have not designated a person responsible for vendor management should strongly consider creating a specific role. Without staff dedicated to vendor management, it will be nearly impossible to adequately manage the program, especially in light of heightened regulatory expectations for vendor management to be an ongoing process with appropriate resources, as mentioned in the OCC guidance.
- The majority of financial institutions have an immature vendor management program.
11% of financial institutions indicated that their program was at the lowest level of maturity.
Only 3% ranked their program as being fully mature.
85% of respondents said that their examiners expected the institution to achieve 6 out of 10 or higher on the maturity scale.
Advancing maturity requires significant work and resources. And with heightened regulatory expectations, financial institutions need to reach expected maturity quickly.
Creating and refreshing your vendor management program should be a top priority. Review the program annually and on an "as needed" basis. Keeping vendor records up to date means going beyond a "one time" look and managing them with a "lifecycle" approach.
- There's a disconnect between where institutions are today and where they hope to be within a year.
81% of financial institutions predicted they would achieve a maturity level of 7 out of 10 or higher by 2017.
16% of financial institutions said they received no comments or needed improvement in their vendor management practices.
Improving vendor management is typically a multi-year process, even for those that outsource vendor management. It's important to make sure you put in the work and resources needed.
With increased regulation, vendor management programs could always use improvements.
- There's a major lack of board and senior level sponsorship for the vendor management program.
81% of financial institutions report that it is very difficult (23%) to garner business unit support for vendor management.
Remind your team that regulatory guidance such as OCC Bulletin 2013-29 and OCC Bulletin 2017-7 clearly states the need for board and senior level involvement.
Senior management and board support is needed. Unless the financial institution receives the support of the rest of the institution, it will be more difficult to create and maintain a vendor management program that will meet regulatory muster and mitigate third party risk.
One strategy to improve sponsorship is to involve senior management and board in establishing third party risk management as an independent function reporting to the audit or risk committee.
Create meaningful board level reporting and capture those results in minutes of senior management meetings.
Vendor Management Good News
Now let's take a look at positives within the industry.
- Many financial institutions have centralized their vendor management or use a hybrid centralized-decentralized model.
53% of financial institutions have a centralized approach to vendor management.
30% of financial institutions have a hybrid model.
We recommend that institutions centralize vendor management and have it as an independent function that reports not to a line of business but the institution's risk committee or even its board.
A centralized function allows for the greatest level of control, more consistent practices and more focused attention.
- Many financial institutions' vendor management reports to the institution's risk committee or compliance function.
In 45% of financial institutions, vendor management reports to the institution's risk committee or compliance function.
This reporting structure firmly establishes vendor management as part of the institution's control function with presumed authority equivalent to that of any other part of the institution.
- Financial institutions are doing a very good job with standardizing vendor onboarding and conducting annual reviews of their vendor management programs. And exams have gone well.
78% of financial institutions require a risk assessment for all new third parties prior to executing a contract.
78% of financial institutions have updated their third party program in the past year.
4 out of 10 institutions say their last exam was without incident.
Those institutions using tools of a vendor management partner are more likely to find that their program meets requirements.
- More financial institutions are using automated solutions to manage vendor management.
Only 21% of financial institutions rely on Excel spreadsheets and Outlook reminders to manage their vendor management program.
It is becoming increasingly difficult - and nearly impossible - to manage third parties and keep up-to-date with regulatory changes using spreadsheets and calendar reminders. As regulations change, institutions using less automated solutions may literally need to update hundreds of individual spreadsheets. Not only is that inefficient and time consuming, it is also subject to human error.
Learn more about the state of vendor management in the 2017 study and results. Download the whitepaper.