Bank Vendor Management: Improving Vendor Benefits, Cost & Compliance
Vendor management typically evokes thoughts of chasing down due diligence documents in time for your next exam. But this “compliance only” view of bank vendor management is missing the boat, and it’s the reason program managers have such a difficult time getting executive and business line support for their vendor management program.
It’s no surprise since the FFIEC guidelines focus only on vendor risk, and examiners are beating up banks and credit unions for what they consider inadequate risk oversight (namely poor vendor risk assessments and lack of Board oversight). Examiner checklists don’t ask whether your vendors are delivering the benefits you expected or whether the costs are in line with your expectations, but this is exactly what your CEOs and other executives care about. And so should program managers.
We define vendor management more broadly than the FFIEC guidelines. It’s the discipline of establishing vendor cost, benefit and risk management goals AND selecting and managing vendors to consistently meet those goals. So it’s important to consider all three legs of the vendor management stool.
Vendor costs. Banks typically do a pretty good job of identifying vendor costs before making a purchase, though there’s room for improvement. The two biggest cost mistakes before the purchase are not projecting long-term costs (there’s a reason vendors only show you year 1 costs) and not negotiating for better discounts. The real problem here is ongoing cost review. Each year, especially for big ticket vendor costs like core, EFT and Internet banking, you should review your costs and see how it compares to your projections. And don’t forget to review those invoices for billing errors – they almost always favor the vendor.
Vendor benefits. Here’s where most banks fall short. They often don’t document the expected benefits of a new vendor purchase in a way that can be measured. Without setting an expectation, you’re at high risk of others setting them for you. Often, the excuse is “we can’t hard dollar justify infrastructure investments like a network upgrade” or “we don’t have any idea how many customers will sign up for mobile banking”. While projected financial benefits always make it easier to get Board approval, benefits don’t have to be purely financial. Achieve consumer loan decision in 10 minutes, add 500 mobile banking users within six months of launch, or reduce average response times at the branch to 2 seconds are all examples of measurable benefits. I’d argue that if you can’t include at least one measurable benefit in your business case, you shouldn’t make the purchase.
Vendor risks. The FFIEC guidelines are pretty clear. You need to do your vendor risk assessment, do your due diligence, check references, perform a contract review, etc. That should be done before the purchase and then again on an annual basis. Unfortunately, many vendor management programs focus on the annual review and miss the pre-purchase risks. If you don’t do those risk management steps before the purchase, you run the risk of making a bad decision, you lose the leverage to address those risks in your vendor contract and you’re likely to get cited on your next exam.
Reevaluate your vendor management program to make sure it covers all three legs of the stool. It’s the only way to make a balanced business decision.