MCoUSA INTERNATIONAL INC.

Profit Enhancement Specialists - Helping Bank CEOs Build Sustainable Profits

Pro-Active Vendor Management

MCoUSA-Tantoo Services

A small implementation fee and a modest monthly fee.


Managing Vendors should be Pro-Active

Managing all vendors, particularly IT vendors, throughout the life cycle of the relationship can reduce costs, improve contract terms, increase the value the bank obtains from each vendor and further reduce risk.

As an example of effective vendor management, banks are now required to make sure that vendor contracts are reviewed to ensure that certain vendors have Red Flag programs in place.


Three Steps for Effective Vendor Management

The FDIC and the FFIEC guidelines require banks to complete a risk management review of the bank's operations, particularly in the area of vendor management (and particularly with regard to third-party service providers). FDIC requirements direct the bank to review its relationship with, and information about, each of its critical vendors that affect the bank's risk.

1st Step:  Risk Assessment

There are three general steps that the bank has to undertake in this process. The first is the risk assessment. In this step the bank is required to review its vendor list and evaluate each of its vendors in terms of the risk associated with doing business with that vendor. (This is where good contract management fits into vendor management programs.) The regulations lay out a number of specific kinds of risk that the bank should evaluate for each vendor, such as reputation risk, financial risk or strategic risk. The vendor risk assessment program should produce a grade or score for each vendor that determines which vendors are critical or high risk, which are moderate risk and which present little or no risk to the bank.

2nd Step:  Due Diligence

The second step in the process is to assign each vendor the level of due diligence required, based on that vendor's grade or score for its risk level. The bank is then obligated to gather the required "due diligence" information to evaluate the vendor. For a critical vendor, for example, due diligence probably means gathering information about the vendor's financial condition, its data protection plans, its disaster recovery plans and its protection of customer information. Due diligence information should be gathered at the time the contract is being negotiated, every twelve months thereafter and again at contract renewal. For vendors that are not high/critical risk, the level of due diligence is significantly less, probably at the time of contract signature and renewal only. At the completion of this phase the bank should have gathered the due diligence information required to evaluate the risk for each of its critical or high-level vendors and stored that information in a place where it can be reviewed.


3rd Step:  Review and Certification

The third step is the actual review and certification of the due diligence information to determine if the risk associated with doing business with each high/critical vendor, in light of the information gathered and reviewed, is acceptable.  If so, the information should be kept as evidence for the examiners, to show the bank has reviewed the information.  The bank should certify that the information has been reviewed and that the risk is acceptable.

In cases where there is a high degree of risk, the risk elements should be discussed with the senior management team or board of directors and noted in the minutes of the meeting. If there is a determination that there is too much risk with the vendor, the bank should either not do business with that vendor or should take some simple follow-up mitigation steps, such as more frequent review of the vendor's information.
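The three steps above, modelled as a small Python program. This is an added example, not MCoUSA's own material or tooling: the three risk categories, the critical-vendor artifact list, the twelve-month/renewal cadence and the escalate-decline-or-mitigate outcome follow the text; the 1-to-5 scoring scale, the tier thresholds, the reduced artifact list for non-critical vendors, the six-month mitigation cadence and the sample vendor are constructed assumptions.

```python
"""Vendor risk tiering, due-diligence cadence and certification record.

Added example, not MCoUSA's own material. Scoring scale, thresholds, the
non-critical artifact list and the 6-month mitigation cadence are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Tier(Enum):
    CRITICAL = "critical/high"
    MODERATE = "moderate"
    LOW = "little or none"


# Risk categories named on the page; each is scored 1 (low) to 5 (high).
RISK_FACTORS = ("reputation", "financial", "strategic")


def assess_risk(scores):
    """Step 1: grade a vendor. A single 5, or a total of 11+, is critical so
    one severe exposure cannot be averaged away; 7-10 is moderate (assumed)."""
    missing = set(RISK_FACTORS) - set(scores)
    if missing:
        raise ValueError(f"unscored risk factors: {sorted(missing)}")
    vals = [scores[f] for f in RISK_FACTORS]
    if any(not 1 <= v <= 5 for v in vals):
        raise ValueError("scores must be integers 1..5")
    if max(vals) == 5 or sum(vals) >= 11:
        return Tier.CRITICAL
    return Tier.MODERATE if sum(vals) >= 7 else Tier.LOW


CRITICAL_ARTIFACTS = ("financial condition", "data protection plan",
                      "disaster recovery plan", "customer information protection")


def required_artifacts(tier):
    """Step 2a: information to gather. Non-critical list is an assumption."""
    return CRITICAL_ARTIFACTS if tier is Tier.CRITICAL else ("financial condition",)


def _add_months(d, months):
    """Calendar arithmetic that clamps day 29/30/31 to the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    last = (date(y + (m == 12), m % 12 + 1, 1) - date(y, m, 1)).days
    return date(y, m, min(d.day, last))


def review_dates(tier, signed, renewal):
    """Step 2b: when to gather it. Critical: signature, every 12 months, and
    renewal; everyone else: signature and renewal only."""
    if renewal <= signed:
        raise ValueError("renewal must follow signature")
    dates = [signed]
    if tier is Tier.CRITICAL:
        d = _add_months(signed, 12)
        while d < renewal:
            dates.append(d)
            d = _add_months(d, 12)
    dates.append(renewal)
    return dates


@dataclass
class Certification:
    vendor: str
    tier: Tier
    reviewed_on: date
    missing: tuple
    decision: str                 # certified | incomplete | escalate | decline | mitigate
    next_review: Optional[date]
    minute: str = ""              # text for the board / senior-management minutes


def certify(vendor, tier, gathered, reviewed_on, risk_acceptable, board_decision=None):
    """Step 3: review and certify. Unacceptable risk is referred to the board,
    whose decision (decline, or keep under assumed 6-month review) is minuted."""
    missing = tuple(a for a in required_artifacts(tier) if a not in gathered)
    if missing:                   # evidence not yet complete: gather it first
        return Certification(vendor, tier, reviewed_on, missing, "incomplete", reviewed_on)
    if risk_acceptable:           # keep the file as examiner evidence, certify
        nxt = _add_months(reviewed_on, 12) if tier is Tier.CRITICAL else None
        return Certification(vendor, tier, reviewed_on, (), "certified", nxt)
    if board_decision is None:
        return Certification(vendor, tier, reviewed_on, (), "escalate", reviewed_on,
                             f"{reviewed_on}: risk for {vendor} referred to the board")
    if board_decision == "decline":
        return Certification(vendor, tier, reviewed_on, (), "decline", None,
                             f"{reviewed_on}: board declined to do business with {vendor}")
    if board_decision == "mitigate":
        return Certification(vendor, tier, reviewed_on, (), "mitigate",
                             _add_months(reviewed_on, 6),
                             f"{reviewed_on}: board accepted {vendor} with 6-month review")
    raise ValueError("board_decision must be 'decline' or 'mitigate'")


if __name__ == "__main__":
    # Constructed sample vendor; the scores are illustrative, not real data.
    tier = assess_risk({"reputation": 3, "financial": 2, "strategic": 5})
    print(tier, required_artifacts(tier))
    print(review_dates(tier, date(2024, 1, 31), date(2027, 1, 31)))
    cert = certify("Example Core Processor (fictional)", tier, CRITICAL_ARTIFACTS,
                   date(2024, 2, 15), risk_acceptable=False, board_decision="mitigate")
    print(cert.decision, cert.next_review, cert.minute)
```

The score-to-tier mapping is the part a bank will want to tune; the point of keeping it in one function is that the due-diligence list and the review calendar then follow from the tier rather than being decided vendor by vendor.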