The maturing landscape of vendor management has been ten years in the making. Take a look at how the third party risk management thought process has changed from 2007 to 2017.
2007

Common Attitude: What is vendor management? Isn’t it just about getting the lowest price?
Vendor Interactions: Donuts on Friday.
Annual Assessments: Nope!
Risk Assessments: Look at the annual spend.
Board Involvement: How much do we spend?
Performance Management: Staff complain but we have no way to report or record the facts.
Dedicated Vendor Management Department: Unlikely.
RFP to Stimulate Competition: Unlikely.
Contract Management: Contracts are in a filing cabinet. Key dates come and go unnoticed. There is no signing control on contracts.
Policy and Procedures In Place: Why do we need a Policy & Procedures?
Accounts Payable: Process the bill. There's little to no oversight.
CFPB: Doesn’t exist.

2017

Common Attitude: Are we ready when the regulator comes to town? Are we doing enough?
Vendor Interactions: There are monthly performance scorecard calls and ongoing monitoring.
Annual Assessments: Huge improvement, with onsite and desktop audit activity on the increase.
Risk Assessments: Review both Inherent and Residual Risk. Scope includes: financial, policy and procedures, SOC, BCP, disaster recovery and regulatory compliance.
Board Involvement: Increased interaction with the board, backed by formal board acknowledgement of the program.
Performance Management: Improved feedback loop on performance and complaint tracking to address and remediate vendor issues.
Dedicated Vendor Management Department: On the rise, but we still see many other departments trying to shoulder vendor management in a part-time capacity.
RFP to Stimulate Competition: This depends on the size and maturity of the organization.
Contract Management: Contracts are in a filing cabinet. Key dates are logged in Excel, and managing reminders for contract expiration dates can become a burden. Contracts are reviewed in closer detail, with key caveats included. A streamlined contract management system and a signing authority policy are in place. Pre-contract due diligence is recognized as a key practice for flushing out prospective vendors who present elevated risk to the organization.
Policy and Procedures In Place: Still room for improvement. Policies and procedures are in place, but they are often bought off the shelf and take a one-size-fits-all approach. A generic policy the organization does not actually follow can become a self-inflicted wound when reviewed by a regulator.
CFPB: In full force. It reviews vendor management practices at the department and enterprise level, and has also begun to perform its own oversight of key vendors serving financial institutions.
It's nice to see how far we've come. We'll see how much further we can go in the next ten years. Better yet, it will be interesting to see what 2018 brings.