Post on 31-Mar-2018

Vendor Management

One Bank’s Approach

Agenda

• What is a Vendor Management program
• What are the regulators requiring today
• Developing a logical process
• Assessing the appropriate risks
• Rating risks
• Ongoing review and due diligence
• Sample System

Definition: Vendor Management Program

A comprehensive vendor management program should:
– Facilitate and ensure good business practices with vendors
– Understand and reduce risk
– Guarantee a fair and competitive price
– Dictate the appropriate level of due diligence and subsequent reviews

FDIC Exam Procedures

1. Describe management’s vendor management process and ongoing due diligence program
– Provide a list of the bank’s key IT vendors and consultants
– Are all of these vendors covered by a current contract?

FDIC Exam Procedures (con’t)

– How has management evaluated the vendors’ procedures for conducting employee background checks?

Examiner’s Handbook

• Section 2.2 Vendor Management
– 2.2a. Does the bank have a vendor oversight program that includes analyzing SAS70 reports, financial statements and other reports on its significant vendor(s) and/or servicer(s)?
– 2.2b. Determine whether the Board, or an appropriate committee, approves new or significant changes to the service provider relationships based on a written business plan and risk analysis commensurate with the proposed/planned activity. The analysis should address the following:

Examiner’s Handbook (con’t)

• Purpose and goals of the banking product offerings within the strategic and operating plans
• Review of projected financial impact of third-party arrangements
• Risks (definitions and acceptable levels) associated with each outsourcing arrangement
• Role of audit, compliance, and legal staff
• Extent of outsourcing and responsibility for managing the service provider relationship
• Whether management has implemented procedures to verify the accuracy and content of any information provided by a third party

Current FDIC Exam

• Information Technology Examination Officer’s Questionnaire
– N: Do you have a vendor management program (Y/N)?
– O: Are all of your service providers located within the United States (Y/N)?

One Bank’s Logical Approach

• Provide management with a process to conduct due diligence analysis on existing and proposed new vendors
• Process should aid in the assessment of risk and adjust as appropriate
• Should provide for ongoing due diligence for existing vendors
• Simple enough for department managers to use

One Logical Approach (con’t)

• Process should work for all vendors, not just IT vendors
• Process must maintain details of current and past reviews
• Provide for a logical archive of associated vendor documentation
• Review reminder capability would be nice to have

Vendor Risk Assessment Workflow

(Flowchart, shown here as its decision sequence.)

Start
• Is this a vendor-related product or service?
  – No: End
  – Yes: Does the vendor have access to data?
    – No: Go to Vendor Risk Assessment w/o Data Questions, then End
    – Yes: Go to Vendor Risk Assessment with Data Questions, then End
• Both assessments feed the Risk Assessment Worksheet in Appendix B.

Step One: Determine Vendor Rating

Vendor Assessment w/Data

• Is the vendor actually performing accounting services for us? – Critical
• Does this service require the vendor to deal directly with our customer? – Critical
• Does the service require the vendor to have access to confidential information? – Critical
• Is the vendor new to the market with a limited performance record and references? – Critical
• In the event the vendor could not perform, are there few or no replacement vendors? – Critical

Any one or more = Critical

Vendor Assessment w/o Data

• Does the vendor have minimal access to confidential customer information? – Important
• Is the vendor providing services or software that is not mission critical? – Incidental
• In the event the vendor does not perform, would customers see little or no impact? – Incidental
• Is the vendor providing “shrink wrapped” software that is critical to bank operations? – Important
• Can the services or software that the vendor provides be done through other means in the event the vendor cannot perform? – Important

Any one or more = Important

Vendor Assessment w/o Data (con’t)

• In the event the vendor cannot perform, are there no available replacements? – Important
• In the event the vendor cannot perform, are there available replacements? – Incidental
• The service provided is readily and easily available from a host of well-known vendors – Incidental

Vendor Rating Criteria

Rating – Definition / Vendor Assessment Timing and Scope

Critical – Vendor assessment should be performed annually by the Department Head with responsibility over the area serviced and reported to the Steering Committee.

Important – Limited vendor assessment (i.e. financials, adherence to contract terms etc.) should be performed annually. Full vendor assessment should be done every two years and reported to the Steering Committee.

Incidental – No formal vendor assessment required. All that is required is a certificate of insurance, customer references and a contract for products or services if applicable. Ongoing monitoring of vendor performance will dictate the degree, if any, of a more formal assessment.

Proceed to Appendix B.

Step Two: Vendor Risk Assessment

Risk Assessment Procedure (each question is rated H-M-L-N/A; each category’s score is shown as an average)

1. Financial Risk
– What is the level of risk of financial loss to the Bank, if any, in the event the vendor does not perform? What is the level of this potential loss?
Financial Risk Score: Average

2. Legal Risk
– What is the level of legal risk to the Bank, if any, in the event the vendor does not perform? What level is the potential for a shareholder or customer suit? Is there the potential for regulatory suit or action?
Legal Risk Score: Average

3. Compliance Risk
– What is the level of risk for violation of consumer protection laws? What is the risk that these violations might include civil money penalties?
Compliance Risk Score: Average

Risk Categories 1-3 Total Score

4. Internal Control Risk
– Is there loss of control over transactions or financial reporting resulting from the service provided by the vendor? If so, what is the level of that risk? Are there any mitigating or compensating controls that we can implement?
Internal Control Risk Score: Average

5. Reputation Risk
– What is the degree of chance, in the event the vendor does not perform, that there will be a risk to the Bank’s reputation? If so, what is the level of that risk? Is it limited to isolated transactions or would it affect a broad class of customers or services? (isolated = L / broad = H)
Reputation Risk Score: Average

6. Performance Risk
– What is the level of risk that the vendor/service provider will not be able to, or will not, continue to perform the service in a satisfactory manner? What are the odds we won’t be able to work with them to address our performance concerns? To what level does the vendor/service provider rely on multiple third parties to provide the service? What is the effectiveness of the due diligence they use to oversee these relationships? What is the level of criticality of these relationships to the service provided?
Performance Risk Score: Average

Risk Categories 4-6 Total Score

Vendor/Provider Due Diligence

If you are continuing here you have determined there is a medium to high level of risk in any of the following three risk areas:
1. Financial Loss
2. Compliance Risk
3. Legal Risk

If the total risk of these three risk categories is High, then the due diligence process below must be done initially and ongoing every 12 months thereafter. If the total score is Medium, then the ongoing review will be every 24 months. If the total score is Low, then no ongoing review is required.

Or there is a high level of risk in any of the following three risk areas:
4. Internal Control
5. Reputation Risk
6. Performance Risk

If the total risk of these three risk categories is High, then the due diligence process below must be done initially and ongoing every 12 months thereafter. If the total score is Medium, then the ongoing review will be every 24 months. If the total score is Low, then no ongoing review is required.

Step Three: Due Diligence Tasks

Due Diligence Process (example)

Columns: N, 12 and 24 (the latter two are the 12- and 24-month ongoing cycles from Step Two). An X marks the cycle in which the task is performed; where a task carries a single X, the column it sits in did not survive extraction.

– Request financial information (including R&D budgets): N, 12, 24
– Request proof of insurance: N, 12, 24
– Request a reference list: one cycle (X)
– Request audit reports, regulatory exams, or SAS 70 (if providing services or processing transactions): one cycle (X)
– Request company biographical information of principals (resumes, designations etc.): one cycle (X)

See handout for full list.

Step Four: Overall Risk Scoring

Risk Scoring Matrix (each factor is scored 4, 3, 2, 1 or 0; the risk category of each factor follows it)

– Reliance on technology to the success of the product / process / function: Operational
– Consequence of Error: Operational
– Regulatory Involvement: Comp/Reg
– Statutory Implications: Comp/Reg
– Impact upon Public Relations if non-performance: Reputation
– Degree of Judgment in Operations: Operational
– Impact Upon Management Decisions: Strategic
– Confidentiality of Data: Reputation
– Potential for Financial Loss: Operational
– Reliance on Customer Performance: Credit Risk
TOTALS

Score Calculations

Total Risk Score and Risk Classification:
– 30+: High
– 20-29: Medium
– 10-19: Low
– <10: Immaterial

Definitions:
4. High – The level of risk for this factor is very critical to the product / process / function
3. Above Average – The level of risk is important to the product / process / function
2. Average – The level of risk is moderate to the product / process / function
1. Below Average – The level of risk is relatively low to the product / process / function
0. Insignificant – The level of risk is immaterial

Mitigating Factors and Controls: discuss any compensating controls in place to mitigate the identified risk
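As an added example (not from the presentation or the bank’s system), the Step Four matrix in Python: it rejects unscored or out-of-range factors, totals the ten scores, applies the 30/20/10 classification bands, and subtotals by the risk category listed beside each factor. The shortened factor names and the sample vendor’s scores are this example’s own.

```python
from collections import defaultdict

# The ten Step Four factors and the risk category the matrix lists beside each.
# Factor names are shortened from the slide; they are this example's own labels.
FACTORS = {
    "Reliance on technology": "Operational",
    "Consequence of error": "Operational",
    "Regulatory involvement": "Comp/Reg",
    "Statutory implications": "Comp/Reg",
    "Impact upon public relations": "Reputation",
    "Degree of judgment in operations": "Operational",
    "Impact upon management decisions": "Strategic",
    "Confidentiality of data": "Reputation",
    "Potential for financial loss": "Operational",
    "Reliance on customer performance": "Credit Risk",
}


def classify(total: int) -> str:
    """Map a total score to the bands on the Score Calculations slide."""
    if total >= 30:
        return "High"
    if total >= 20:
        return "Medium"
    if total >= 10:
        return "Low"
    return "Immaterial"


def score_vendor(scores: dict) -> dict:
    # Every factor must be scored; a blank row would silently lower the total.
    missing = sorted(set(FACTORS) - set(scores))
    if missing:
        raise ValueError(f"unscored factors: {missing}")
    by_category = defaultdict(int)
    for factor, value in scores.items():
        if factor not in FACTORS:
            raise ValueError(f"unknown factor: {factor!r}")
        if value not in range(5):  # scale runs 0 (Insignificant) to 4 (High)
            raise ValueError(f"{factor}: score {value!r} is outside 0-4")
        by_category[FACTORS[factor]] += value
    total = sum(scores.values())
    return {"total": total, "classification": classify(total),
            "by_category": dict(by_category)}


# Constructed sample: a core-processing vendor that holds customer data.
SAMPLE = {
    "Reliance on technology": 4, "Consequence of error": 4,
    "Regulatory involvement": 3, "Statutory implications": 2,
    "Impact upon public relations": 3, "Degree of judgment in operations": 2,
    "Impact upon management decisions": 2, "Confidentiality of data": 4,
    "Potential for financial loss": 3, "Reliance on customer performance": 1,
}
```

Running score_vendor(SAMPLE) totals 28, a Medium classification, with Operational carrying 13 of the points.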

Sample System