Vendor management: Consistency is key
Take a structured approach to risk analysis, including a process for ongoing reviews.
Taking an informal approach to managing the risk embedded in every vendor relationship can prove costly.
Kristen Olsen, sales engineer for Quantivate, advises credit unions to avoid potential financial and reputational costs by creating a formalized, consistent vendor management program. While that can sound daunting, she says credit unions can start by taking simple steps toward a formal program that effectively manages vendor risk.
“First, look internally at processes you like or don’t like, see if you can improve them, and see if there are subject matter experts internally who can help,” she says. “There are simple ways to formalize your program, and progress is really everything.”
Olsen defines vendor management as identifying, managing, and reducing risks related to third parties and their services. Those risks can range from downtime in critical services, such as online banking, to exposing the credit union to potential security breaches through lax remote work policies and downstream risks from the third party’s vendors, also known as fourth parties.
The vendor management policy is a critical starting point for addressing these risks, Olsen notes. This policy should include:
- Vendor definition and risk classification to determine how important a vendor is to your organization.
- A structured process for risk analysis, including both the vendor’s initial status and the process for ongoing reviews.
- Ongoing due diligence, which requires collecting documentation on the vendor’s performance—as an organization and as a service provider—and compliance with sound risk management practices. The vendor’s criticality rating determines the level of due diligence required.
Next, credit unions should construct internal processes that centralize data collection and create consistency in managing relationships. This includes regularly reviewing whether vendors are meeting service-level agreements set by the original contract and whether the vendor’s performance impacts employee satisfaction, which can have a big impact in a tight labor market.
If your credit union is unhappy with a vendor’s performance, it’s essential to stay on top of contract renewal dates so you can search for alternatives and cancel contracts when needed. One organization that failed to monitor renewal dates ended up paying the “huge cost” of having two vendors for the same service for a year, Olsen says.
“Having an automatic notification that emails or texts you to look at contracts can be a game changer,” she notes.
Technology solutions from Quantivate and other vendors typically notify staff when contracts are up for renewal, centralize data collection, provide a history of vendor interactions, and document regulatory compliance.
Vendor management trends
Olsen highlights two pressing vendor risk areas for credit unions:
- Cybersecurity, which includes understanding vendors’ policies for cybersecurity and data protection, as well as identifying and addressing gaps.
- Financial concerns, which require staying on top of each vendor’s financial health.
Olsen says credit unions are moving away from treating vendor management as an operational silo and/or relying on manual processes that differ in each department. Instead, they’re integrating vendor management with other risk management functions, such as business continuity.
This allows credit unions to remove redundancy and improve efficiency in getting a complete vendor list.
One overarching trend is that credit unions are recognizing how consistency enables effective third-party risk management.
“Consistent processes and assessment methodologies are key for vendor management, and we see very inconsistent operations,” Olsen says.
As credit unions develop or mature a formalized vendor management program, they should prioritize processes and tools that support best practices like policy management, integrated risk assessment, and centralized data management.
Consistent processes not only prevent unnecessary costs, they also prevent data silos, equipping teams to connect the dots to other risk functions for better oversight and streamlined management.