Malzahn Strategic - Minneapolis, MN skyline

Do You Really Know Your Vendors?

Vendor management - Do you really know your vendors?

Do you really know your vendors? I would like to continue my posts on the topic of vendor management and how vital vendors are to the success of every organization. Through the years I have worked with many vendors of all kinds and I’ve had the opportunity to form long-lasting relationships with many of them. As a best practice and one of the strategies I used when starting a De Novo community bank back in 2005 was to obtain bids from at least two to three vendors who offered the same services so we could choose the right one. This strategy served us well and we were able to choose, almost 100% of the time, the right vendor for the product or service the institution needed.

In addition to doing due diligence with each vendor to ensure they are the right fit, to know they will exist long-term, and that they will keep your data safe, it is also important to form a good relationship with your vendors. As the CFO and COO, I worked with all the vendors, including reading and signing every contract, learning about their services, and protecting the institution at every level. I took that responsibility seriously and considered getting to know the vendors at a personal level of great importance. I worked with the sales person initially but I also got to know other key people in the company. This proved to be a great strategy for when sales reps left the company or my lead relationship manager was promoted to other positions. For example, with the financial auditors, I formed a long-term relationship with the relationship manager/partner, the lead auditor, and some of the staff auditors who visited each year to do the audit work. I did the same with the compliance auditors at a different firm, the IT auditors, and even with the State regulators.

It is also very important (and a great vendor management strategy) to diversify your vendor base. For example, I made relationships with various local accounting firms who provide services to community banks and credit unions, choosing separate firms to conduct compliance audits, IT external audits, financial audits, loan reviews, and tax return preparation. This strategy works great when it’s time to rotate firms so they don’t get too familiar with your institution. It is also a best practice for checks and balances within your community bank or credit union.

Get to know your vendors at the personal level and form long-term relationships because it will pay off.

Vendor Management is Key to Staying in Business - Any Business!

Vendor management is key to staying in business

Vendors—we all need them! Vendor Management is Key to Staying in Business – Any Business! Vendor Management has become a regulatory hot button for community bank and credit union regulators. But vendor management applies to any business—for profit or nonprofit, private or public organizations, up to the government. Every company utilizes vendors in order to fulfill their mission as an organization and provide their clients what they need. This is because no one can work alone and not depend on anyone else and not one person or company can do it all. We all depend on each other to survive—locally and globally.

Vendors have the huge responsibility to provide their clients what they promised—to deliver on their brand. Each company also has the responsibility to vet and do their due diligence on each vendor they partner with. Every function a company outsources to a vendor is a key factor in the overall success of that company. Therefore, each vendor has to be chosen carefully.

In community banking and credit unions, vendor management is part of the IT security program, which in turn is part of the enterprise risk management (ERM) program. At the same time, ERM should be integrated into the bank’s overall strategic plan. Banks need to have strategies to mitigate all the risks that come from every area and vendor management is one of them. In today’s business environment, however, every company (regardless of what they do) needs to have a vendor management program in place.

The simplest way to establish a vendor management program is to start with a vendor risk assessment. Below are three key components of a vendor risk assessment:

Criticality of vendor to the organization: How critical is this vendor to your operations? Can they be easily replaced? Risk rate each vendor 1 to 5, where 5 is the most critical vendor. Example: your core system vendor is a level 5 in criticality because a community bank or credit union cannot run without it. Your shredding company, on the other hand, is a level 1 in criticality because they can easily be replaced.

Confidentiality of information: What type of data does this vendor have access to (public, non-public or confidential)? What are the consequences if the information they have gets out? Your core system is a level 5 in confidentiality because they have access to all your customer confidential data. Your shredding company is also a level 5 in confidentiality because they have access to hard copy customer confidential data.

Threat/Vulnerability of vendor: Is this vendor financially stable? What are the chances of this vendor existing in the future? If not, do you have a backup vendor to perform this function? The best example I have here is the accounts payable vendor we used at one of my previous employers. The company suffered an irreparable computer system crash to the point of shutting down the company! They gave us 30 days to figure out how we would pay our bills. Thankfully, we did have a backup company and switched all our vendors/bills to them. However, the pain we went through could have been avoided if we knew this company’s financial state and their disaster recovery plan (or lack of, in this case).

Once you complete a vendor risk assessment, the next steps are to establish mitigating factors, recognizing the residual risk of each vendor, and have a backup plan for each one. The Board of Directors should approve your vendor management program as part of the overall IT security program and ERM and it should be documented in the board meeting minutes. This shows the regulators and auditors you are serious about knowing your vendors and are aware of the risks each vendor poses to your organization. Do not wait until you have a vendor crisis or worse, until your data is out and you face a huge reputation risk. Having a solid vendor management program is key to the success of a community bank or credit union—or any business!

Books by Marcia Malzahn