
Vendor Management: Do You Really Know Your Vendors?

I would like to continue my post from last week on the topic of Vendor Management and how vital vendors are to the success of every organization. If you missed last week’s article, you can find it in my previous Posts: “Vendor Management is Key to Staying in Business—Any Business!” Through the years I have worked with many vendors of all kinds and I’ve had the opportunity to form long-lasting relationships with many of them. A best practice, and one of the strategies I used when starting the DeNovo bank back in 2005, was to obtain bids from at least two to three vendors who offered the same services so we could choose the right one for the bank. This strategy served us well and we were able to choose, almost 100% of the time, the right vendor for the product or service the bank needed.

In addition to doing due diligence with each vendor to ensure they are the right fit for the bank, to know they will exist long-term, and that they will keep the bank’s data safe, it is also important to form a good relationship with your vendors. As the CFO and COO of the bank, I dealt with all the vendors, which included reading and signing every contract, learning about their services, and protecting the bank at every level. I took that responsibility seriously and considered getting to know the vendors at the personal level of great importance. I dealt with the sales person initially but I also got to know other key people in the company. This proved to be a great strategy when sales reps left the company or my lead relationship manager was promoted to other positions. For example, with the financial auditors, I formed a long-term relationship with the relationship manager/partner, the lead auditor, and some of the staff auditors who came to the bank each year to do the work. I did the same with the compliance auditors at a different firm, the IT auditors, and even with the regulators for the State chartered bank.

It is also very important and a great vendor management strategy to diversify your vendor base. For example, even though I made relationships with various local accounting firms who provide similar services to banks, I chose separate firms to conduct the compliance audits, IT external audits, financial audits, loan reviews, and tax return preparation. This strategy works great when it’s time to rotate firms so they don’t get too familiar with your bank. It is also a best practice for checks and balances within the bank.

As a business owner it is extremely important that you establish professional relationships but also get to know your vendors at the personal level. Remember they are people too. By having these relationships, you gain favor with them and grace during the hard times. You can also form partnerships when a vendor wants to roll out a new product, for example. You can be a beta test site and get their product for free or at a reduced cost for a while. They may also give you free PR when marketing their new product.

Now as a consultant myself I have reaped the rewards of having all those relationships and, in some cases, friendships. My goal is to provide my bank clients with several options of vendors who provide bank services (with no commissions or hidden agenda on my part). I simply want to be a resource to my clients so they can then choose (like I did when I started the bank) the right vendor to meet their needs. In order for me to recommend vendors to my clients, however, I need to know them and trust that they will take good care of my clients.

So if you are a banker or business owner, get to know your vendors at the personal level and form long-term relationships because it will pay off. You will benefit from referrals from your own vendors and your clients will benefit as well when you refer vendors to them by having the opportunity to choose the right vendor to meet their specific needs.

Vendor Management is Key to Staying in Business—Any Business!

Vendors—we all need them! Vendors are a crucial component to the success of any business. Vendor Management has become a regulatory hot button for bank regulators. But vendor management applies to any business—for profit or nonprofit, private or public organizations, up to the government. Every company utilizes vendors in order to fulfill their mission as an organization and provide their clients what they need. This is because no one can work alone and not depend on anyone else and not one person or company can do it all. We all depend on each other to survive—locally and globally.

Vendors have the huge responsibility to provide their clients what they promised—to deliver on their brand. Each company also has the immense responsibility to vet and do their due diligence on each vendor they partner with. Every function a company outsources to a vendor is a key factor in the overall success of that company. Therefore, each vendor has to be chosen carefully.

In banking, Vendor Management is part of the IT Security Program, which in turn is part of the Enterprise Risk Management (ERM) Program. At the same time, ERM should be integrated into the bank’s overall Strategic Plan. Banks need to have strategies to mitigate all the risks that come from every area and Vendor Management is one of them. In today’s business environment, however, every company regardless of what they do needs to have a Vendor Management Program in place.

The simplest way to establish a Vendor Management Program is to start with a Vendor Management Risk Assessment. Below are three key components of a risk assessment:

Criticality of vendor to the organization: How critical is this vendor to your operations? Can they be easily replaced? Risk rate each vendor 1 to 5, where 5 is the most critical vendor. Example: your core system vendor is a level 5 in Criticality because a bank cannot run without it. Your shredding company, on the other hand, is a level 1 in Criticality because they can easily be replaced.

Confidentiality of information: What type of data does this vendor have access to (public, non-public or confidential)? What are the consequences if the information they have gets out? Your bank’s core system is a level 5 in Confidentiality because they have access to all your client confidential data. Your shredding company is also a level 5 in Confidentiality because they too have access to all your client confidential data on paper.

Threat/Vulnerability of vendor: Is this vendor financially stable? What are the chances of this vendor existing in the future? If not, do you have a backup vendor to perform this function? The best example I have here is the Accounts Payable vendor we used at my previous bank. The company suffered an irreparable system crash to the point of shutting down the company! They gave us 30 days to figure out how we would pay our bills. Thankfully, we did have a backup company and switched all our vendors/bills to them. However, the pain we went through could have been avoided if we had known this company’s financial state and their disaster recovery plan (or lack thereof, in this case).

Once you complete a risk assessment, the next steps are to establish mitigating factors, recognize the residual risk of each vendor, and have a backup plan for each one. The Board of Directors should approve your Vendor Management Program as part of the overall IT Security Program and ERM and it should be documented in the Board meeting minutes. This shows the regulators and auditors you are serious about knowing your vendors and are aware of the risks each vendor poses to your organization. Do not wait until you have a vendor crisis or worse, until your data is out and you face a huge reputational risk. Having a solid Vendor Management Program is key to the success of a bank—or any business!

At Malzahn Strategic we work with banks that want to increase their profitability by improving their operational efficiencies. We focus on Strategic Planning, Enterprise Risk Management and Talent Management. Vendor Management is part of Enterprise Risk Management and we can help you establish a solid, yet simple, program. We also partner with vendor management software companies, like NContracts, to help your organization manage the Program on an ongoing basis.