The job is big, you know you have to do it, there’s not enough of you to go around and the examiners will be there soon. What’s the answer?
It’s likely time to consider hiring a third party to assist you with getting the work done. But budgets are tight so you will have to justify the additional expense to your management and the board. Here are a few tips on how to get that budget approved and (most importantly) how to stay out of trouble with your examiner.
Let’s start here. Credit union and Bank Vendor Management is not optional. In our previous blog post, we talked about the regulatory requirements of managing vendor risk. You will need to demonstrate to your examiners that
1) you understand the risk each vendor represents to you and your customers, and
2) you have taken reasonable measures in mitigating that risk.
That requires up front and on-going due diligence. At a minimum, you must gather all the proper documentation, analyze it and report your findings. You need to document incidents, measure performance (SLA’s) as well as stay on top of regulatory changes.
Gone are the days of the rudimentary exercise of checking a few boxes, creating a couple of spreadsheets and filling out a few forms and then laying them in front of your examiner in a nice neat pile when they arrive. In today’s risk intense world, there’s much at stake...your reputation, your exam score, your customers confidential data and even the board’s liability.
The question you must ask yourself isn’t “do I do it or not”, the right question is “who is going to do it”. You have 2 choices. Do it yourself or hire someone to do it for you.
It’s cost effective
Believe it or not, once you have everyone on board in understanding the requirements, the hard part is done. Justifying the cost of hiring qualified help should be a much easier exercise. We’ll focus here on one topic and that’s the on-going vendor due diligence. You probably won’t need to go much further to get your budget dollars approved.
For your critical vendors, there is a full set of documents you should collect no less than annually such as financial statements, SOC report(s), insurance certs, BCP, cybersecurity, policies, etc. But collecting the documents is merely step one. The real work requires you to analyze, find the deficiencies (if any), compile your findings, make recommendations (if needed) and report all of this to management, the board and your examiners. There are a lot of disparate skill sets required to cover all the tasks. Use the table below to run a quick cost analysis.
If you have any resource gaps in the recommended skill sets above, the outsource cost becomes even easier to justify. In other words, if you don’t have anyone qualified to read and analyze a SOC report and/or you don’t have experienced commercial credit analysts on staff to analyze a 10-K, then outsourcing to buy a small portion of someone else’s time vs. investing in the FTE quickly becomes a no-brainer.
The same goes for trying to find a single FTE with the proper training and certifications to cover all the disciplines. Nearly impossible. And don’t discount the opportunity lost cost. For example, if you’re using your commercial credit lenders to analyze your vendors financial health, what did that cost your institution in booking the next profitable asset?
The results are better
We’ve passed through the first two gates: we understand it’s required and the cost justifies itself. What’s the bonus? The results are likely to be better than what you could accomplish on your own.
- Qualified personnel assessed the risk and gave you the answer. Now you are in a position to make educated decisions about the future of your relationship with each vendor.
- If unknown risks were uncovered and can’t be rectified by the vendor, you can replace the vendor and reduce your risk. But you must know before you can act.
- You’ve reduced the liability to your board and the risk to your customers. Not to mention your stellar reputation remains intact.
You’ve accomplished your compliance obligation and your examiners will be (very) pleased.