
Top Vendor Management Challenges and How to Overcome Them

May 23, 2018 by Venminder Experts

Earlier this year, Venminder released our annual State of Third Party Risk Management survey results. Venminder distributed the survey in mid-November to an unfiltered group of clients and non-clients and collected responses through early December. We also used social media to reach an even wider swath of companies.

Of those reporting an asset size, 51% of respondents are from companies with less than $1 billion in assets. It bears noting that 8% of respondents are from companies with more than $10 billion in assets. The remaining 41% of respondents are from companies with $1 billion to $10 billion in assets. The results represent a wide variety of banks, credit unions, bank holding companies, non-bank lenders and companies self-identifying as “other” throughout the U.S. You can reference the survey results here.

An Overview of the Biggest Vendor Management Challenges

It’s not surprising that the biggest vendor management challenge can vary depending on the company type and size. When surveyed, we found that for small and mid-sized companies the number one challenge seems to be collecting documentation. For larger companies, the number one challenge is completing vendor risk assessments.

Intuitively, this makes sense since small and mid-sized companies lack the muscle to force vendors to supply documents, whereas large companies can leverage their buying power to push the issue. It’s also difficult for smaller companies to possess the internal expertise to analyze complicated SOC reports or to allocate time and money to automate the process. Still, completing a risk assessment in a large company is a herculean task that requires tracking down the right experts within the organization and then convincing them to complete their portion of the risk assessment.

Top 3 Challenges at Companies

Less than $1 billion in assets:

  1. Getting the right documentation from vendors
  2. Analyzing SOC reports
  3. Automating the process

$1 billion to $10 billion in assets:

  1. Getting the right documentation from vendors
  2. Completing risk assessments
  3. Managing contracts and negotiations

Above $10 billion in assets:

  1. Completing risk assessments
  2. Having the right internal resources
  3. Awareness of your vendor’s cybersecurity

The Next Biggest Hurdle

Not surprisingly, companies already foresee additional hurdles to overcome in the future. When asked what the next biggest hurdle is, smaller companies pointed to cybersecurity assessments of third parties, while both mid-size and larger companies anticipate that fourth party assessments will be a challenge.

9 Recommendations to Overcome These Challenges

Our recommendations for overcoming challenges are similar to years past, but we’ve found that implementing these standards can help streamline the process and make your vendor management program more efficient. Here are 9:

  1. Make creating and refreshing a vendor management program a top priority, especially if your company has not created a program or you recognize the program requires more robust and mature practices. It’s always a good idea to perform a review of the vendor management program annually and as needed.

  2. Consider creating a specific role and designating a person responsible for vendor management if you have not already done so. This will greatly assist with adequately managing the program. With the heightened regulatory expectations in place, it’s important to approach vendor risk management as an ongoing process with dedicated resources.

  3. The person responsible for vendor management should report to the risk committee, compliance or some function outside the business units. This sets the tone for unbiased views and opinions.

  4. Stop relying on homegrown Excel spreadsheets. Implement a dedicated third party risk management solution. This will ultimately save you time as the regulatory environment changes quickly and making changes to hundreds of spreadsheets can be a tedious task.

  5. Examine your resources, including budget. Is the amount devoted to the vendor management program adequate?

  6. Continue to centralize vendor management with a hybrid approach. A fully decentralized program can lead to tasks being overlooked, contractual relationships being entered into that wouldn’t have been approved with a centralized/hybrid program and all-around chaos.

  7. Board and senior management involvement is a regulatory requirement reinforced in OCC Bulletins 2017-7 and 2017-21. Make creating meaningful board-level reporting and capturing senior management meeting minutes a priority.

  8. With the intense focus on cybersecurity and increased expectations around managing fourth parties, focus on creating a strong working relationship between vendor management and information security.

  9. Finally, vendor management should be more than a “check the box” compliance activity that keeps your company out of regulatory hot water. Having a “check the box” mentality can leave room for error. Done well, a third party risk management program can help a company better understand its risk and take steps to mitigate that risk. It can facilitate close partnerships with vendors, increase vendor performance and lower costs. Vendor management isn’t just a regulatory requirement; it creates a strategic business advantage.

You’re not alone; everyone has some sort of vendor risk management challenge. The good news is that there are ways to overcome those challenges, and we can help if needed. Check out our due diligence samples to see how we can help.


Written by Venminder Experts

Venminder has a team of third party risk experts who provide advice, analysis and services to thousands of individuals in the financial services industry.
