Vendor Management is Key to Staying in Business - Any Business!

Vendors: we all need them! Vendor management has become a regulatory hot button for community bank and credit union regulators. But vendor management applies to any business, whether for-profit or nonprofit, private or public, up to the government. Every company uses vendors to fulfill its mission and provide its clients with what they need, because no one person or company can do it all without depending on anyone else. We all depend on each other to survive, locally and globally.

Vendors have the huge responsibility to provide their clients what they promised—to deliver on their brand. Each company also has the responsibility to vet and do their due diligence on each vendor they partner with. Every function a company outsources to a vendor is a key factor in the overall success of that company. Therefore, each vendor has to be chosen carefully.

In community banking and credit unions, vendor management is part of the IT security program, which in turn is part of the enterprise risk management (ERM) program. At the same time, ERM should be integrated into the bank’s overall strategic plan. Banks need to have strategies to mitigate all the risks that come from every area and vendor management is one of them. In today’s business environment, however, every company (regardless of what they do) needs to have a vendor management program in place.

The simplest way to establish a vendor management program is to start with a vendor risk assessment. Below are three key components of a vendor risk assessment:

Criticality of vendor to the organization: How critical is this vendor to your operations? Can they be easily replaced? Risk rate each vendor 1 to 5, where 5 is the most critical vendor. Example: your core system vendor is a level 5 in criticality because a community bank or credit union cannot run without it. Your shredding company, on the other hand, is a level 1 in criticality because they can easily be replaced.

Confidentiality of information: What type of data does this vendor have access to (public, non-public or confidential)? What are the consequences if the information they have gets out? Your core system is a level 5 in confidentiality because they have access to all your customer confidential data. Your shredding company is also a level 5 in confidentiality because they have access to hard copy customer confidential data.

Threat/Vulnerability of vendor: Is this vendor financially stable? What are the chances of this vendor existing in the future? If not, do you have a backup vendor to perform this function? The best example I have here is the accounts payable vendor we used at one of my previous employers. The company suffered an irreparable computer system crash to the point of shutting down the company! They gave us 30 days to figure out how we would pay our bills. Thankfully, we did have a backup company and switched all our vendors/bills to them. However, the pain we went through could have been avoided if we had known this company’s financial state and their disaster recovery plan (or lack thereof, in this case).

Once you complete a vendor risk assessment, the next steps are to establish mitigating factors, recognize the residual risk of each vendor, and have a backup plan for each one. The Board of Directors should approve your vendor management program as part of the overall IT security program and ERM, and the approval should be documented in the board meeting minutes. This shows the regulators and auditors that you are serious about knowing your vendors and are aware of the risks each vendor poses to your organization. Do not wait until you have a vendor crisis or, worse, until your data is out and you face a huge reputation risk. Having a solid vendor management program is key to the success of a community bank or credit union, or any business!

Pandemics and Enterprise Risk Management – How ALL Risks Are Interrelated

This pandemic is a new type of disaster that I’ve never lived through and we are ALL (the entire world!) in this together. Pandemics and enterprise risk management go together, and by now you have activated your Pandemic Plan at your financial institution and are testing it with healthy employees working from home. But the real test is when employees get sick and cannot work at all, for weeks! Are you ready for that scenario? That’s what Business Continuity Management is all about.

The Pandemic Plan is part of your Disaster Recovery Plan first: A disaster occurs (in this case, the Coronavirus pandemic is real). How will you recover from it when it’s done running its course? Then the Business Continuity Plan kicks in. How are you going to indefinitely conduct business in the “new norm”?

This pandemic is a perfect example of how ALL risks are interrelated and how one affects another. Let’s examine each risk individually and how the pandemic caused by the Coronavirus, which produces the COVID-19 disease, has already affected or could affect it:

Human Resources: People first! The HR risk is one of the highest risks you will encounter in this crisis, for several reasons: 1) You may not have the people to replace key talent if they are sick and away from the office for several weeks. 2) Keeping employee morale high at times like these requires strategic leadership. 3) You may encounter legal issues if you don’t handle PTO, sick time, or FMLA correctly and wisely. Ensure your employee manual has clear leave of absence policies. Be ready to make exceptions that are fair across the board even though the exceptions may not be the same for each employee. Handle people with care and compassion. Be emotionally prepared in the terrible event you do lose an employee to death due to the virus.

Technology: Beware of a rise in cybercrime! Cybercriminals are also working from home 24 hours a day, trying to exploit every opportunity they can, and this situation is no exception. They are sending emails with malicious links to steal your and your customers’ sensitive data. DO NOT click on anything from anybody unless it’s a reputable source and you confirm the links are legitimate. They are also working on Business Email Compromise (BEC) schemes, so please put your employees on high alert!

Liquidity: Financial institutions can have liquidity risk in good times (when everything is going well, companies are expanding operations and drawing on their credit facilities) and mostly during bad times, as we are experiencing these days. Companies are drawing on all their available lines of credit and hoarding the cash to survive the next several months. Make sure you have your Liquidity Contingency Funding Plan up to date, that you update your test scenarios, and that you test all your liquidity sources. Preparing an unfunded commitments report gives you an indication of potential liquidity issues if you don’t have enough to fund the existing commitments. Assure your customers that the bank is the safest place to keep their cash so they don’t rush to take it out, which can also cause safety issues if they get robbed.

Interest Rate Risk: Most of the community banks I talked with at the beginning of the year were preparing for a year of “no change” on interest rates. Little did we know what was about to come! These are unprecedented times and the Fed has now lowered rates by 150 basis points in the past few days. This monumental change is causing Net Interest Margins to compress in a way that no one anticipated. Ensure you manage your balance sheet as evenly as possible (no asset or liability sensitive at any time). Since it’s still the first quarter of the year, for some institutions it may be worth redoing your budget with the new reality.

Credit: Once businesses draw on their lines of credit up to their limits or borrow additional money from banks, they will become highly leveraged. If companies don’t recover soon, they won’t be able to pay their loans back and now you have credit risk. During this crisis, ensure you lend to qualified businesses and that you do your due diligence as usual following your loan policy. You may have to help your customers refinance, restructure debt, or defer payments, but in the end, your financial institution needs to get repaid. Otherwise, your institution will join the list of failed businesses.

Operational: Operating without key employees and relying on backup systems, you may experience operational risk. The current level of uncertainty is a huge distraction to employees, so they will most likely make more mistakes. In addition, employees working remotely may not have access to all the procedures, and processes may have to be redesigned. Despite the present situation, you must ensure your processes and procedures are being followed to continue being a safe and sound institution. Ensuring your online banking and mobile platforms work without interruption will be a determining factor in gaining your customers’ loyalty and trust.

Compliance / Regulatory / Legal: In an effort to help your customers, you may be tempted to take shortcuts and skip the proper disclosures or not follow the Customer Identification Program (CIP) as you should. Beware of people who take advantage of these situations and open fraudulent accounts. Ensure your employees are following the bank regulations, policies, and procedures that are in place precisely to protect the bank and your legitimate customers.

Strategic: Wrong decisions can be made during stressful times and in crisis situations. The key to making wise decisions is to plan ahead for pandemics and enterprise risk management and be ready to execute your Disaster Recovery and Pandemic Plans when the time comes. The time to plan is no longer now… that was a long time ago. Make sure the leadership of your institution consults with the Board of Directors on key strategic decisions that will affect the future of the organization beyond the pandemic’s effects. Some of these decisions are layoffs, establishing HR policies that may become permanent, and putting off branch closures or acquisitions.

Reputation: Your reputation is on the line every minute as you navigate through the pandemic crisis. Everything you do or don’t do has consequences. Communication at all levels is crucial to keeping your reputation intact. Working together as a team in every area of the institution is also key to ensuring that no areas are overlooked. Understanding that everyone is severely distracted by world events is another key to successfully navigating through the crisis.

Price: You may experience price risk from changes in the value of either trading portfolios or other obligations that are entered into as part of distributing risk. You can also experience price risk from portfolios subject to daily price movements (mark to market basis), and from lending pipelines, OREO, and mortgage servicing. Ensure you are monitoring your institution’s investment portfolio closely.

Model: During a pandemic, you may need to create new reports or use different systems to produce reports. A key vendor may go out of business due to the financial consequences of the pandemic and your entire model may go away forcing you to look at other solutions at the last minute. Your vendors may not have tested their pandemic plans and now are not able to service your institution. Ensure your Vendor Management Program includes Model Validation and that it requires key vendors to have a DRP in place, tested with results showing that they are able to service your organization. You can also request financial statements from your key vendors to ensure they are financially sound.

Earnings and Capital: In the end, ALL these risks affect your earnings, resulting in capital losses. The formal definition of each risk always starts with “The potential of loss of earnings and capital due to… (insert each risk).” Ensuring that you are looking at all the risks from an “enterprise-wide” perspective will help your institution survive this pandemic crisis successfully. Communication amongst all areas of the organization, working together, and ensuring your employees are safe will help you get through this pandemic crisis (as well as future incidents) in a safe and sound manner.

If you need help completing or enhancing your Financial Institution’s Enterprise Risk Management Program, we’re here to help!

If you’re looking for a great software solution for Vendor Management, Compliance, or general ERM, visit Ncontract’s website to learn about their solutions!

Books by Marcia Malzahn