VendorInsight® Conference Schedule Shapes Up for 2014. We Hope to See You There.

Posted by CMPG Risk Solutions on Feb 25, 2014 3:01:00 AM

Here at VendorINSIGHT® we're excited about our participation in the lineup of trade shows this year. We plan to be at several risk management and regulatory compliance conferences, including the ABA Regulatory Compliance Conference 2014 in New Orleans in June. Check back as we make special announcements and host special events for our customers and others interested in VendorINSIGHT®.

The programs and session schedules are slowly being released and we see there are quite a few sessions about vendor management. This is not a surprise. We witnessed a lot of new guidance in 2013 from the regulators. It only makes sense that everyone will need a little help sorting everything out and adding the right elements to their vendor management programs. Of course, you don't have to wait to see us at a conference or event if you need some help. We are always ready to talk and enjoy sharing our templates, checklists and insights with folks who need a little guidance in the world of vendor management! Our advice: Don't try to reinvent the wheel. We already invented it and are happy to share it with you!

Hope to hear from and see you all soon!

Criticality Ratings Often Confused With Risk Ratings, Leading to Inconsistencies

Posted by CMPG Risk Solutions on Feb 20, 2014 3:03:00 AM

At the urging of examiners, many banks developed criticality rankings as a part of their early vendor management programs. These criticality ratings were confusing because, in part, they attempted to assess the degree of mission criticality of a vendor (which is really more of a business continuity planning issue) and also because they attempted to evaluate risk. Compounding the problem, many of the methods developed use scoring that is combined across the various questions, with the cumulative score, or sum, generating the criticality rating. From there, many banks then treated their "high critical" vendors as their highest risk vendors, performed the highest levels of due diligence on them and performed it at the greatest frequency, often annually. As many banks are now finding, this method is flawed in two ways. First, it blends risk and business continuity, which can be dangerous, misleading, and confusing for users. This leads to inconsistency. Second, and more importantly, it never links which due diligence requirements need to be completed to the actual risks that could exist. A vendor might score low because it is high in only one area but rated low in the other eight, so it is treated as a low criticality vendor. But that single risk should suggest a certain type of due diligence to mitigate it, not reduce the importance of the vendor such that it becomes viewed as low criticality - which is often interpreted as low risk. The opposite can happen too, leading to excessive due diligence for vendors that may only need a financial review or insurance review, rather than a full complement of SSAE16, information security, BCP/DR and other reviews. Finally, none of the criticality models we have ever seen have been validated. Often they were simply adopted from a template or example a peer bank provided, and so the flaws and misunderstandings about criticality have been propagated across the industry.
That is changing, and the change is being led by us and a limited few consultants who really understand how to make a vendor management process effective and efficient at the same time.

VendorINSIGHT® simplifies and automates the process considerably. A vendor has access to certain things like data, facilities, equipment, systems, customers, etc. that create a propensity for risk to exist. There are also a duration and a value associated with the vendor relationship that create a propensity for risk to exist. If the vendor has great controls and those controls are validated, then those risks might be mitigated. That is why we do due diligence: to assess those controls, evaluate the residual risk that exists, and put in place a monitoring plan for the vendor to ensure risk does not escalate beyond what we initially accepted. The key to classifying vendors is to first assess what relationship factors exist. Once the relationship factors have been identified, it is easy to know exactly what due diligence is needed. VendorINSIGHT® does this through its VRP, or Vendor Relationship Profile.

For example, a technology vendor who is working on a one-time development or customization project is receiving progress payments over the 12-15 months it takes to complete the customization. One risk that exists because of the duration of the relationship is that the vendor might become insolvent or go bankrupt before the work is completed. Doing a financial review of this vendor would be a prudent due diligence step.

In VendorINSIGHT®, pre-existing rules exist to govern due diligence and automatically link vendor relationship profiles to due diligence and policy requirements. In this manner, everything is automated and users know exactly what to do and when to do it. The vendor management or risk management office also knows and can govern these activities a lot more effectively than by the traditional audits.

So, in the end, a vendor risk assessment (VRA) may or may not be completed for any given vendor depending on the outcome of the vendor relationship profile. A VRA is simply one element, or type, of due diligence that can be completed. Many banks - because of their paradigm about criticality ratings - improperly assume the VRA is the starting point for the vendor evaluation and needs to be completed in every case, whereas a vendor relationship profile (VRP) should always be the first thing that is established. In a sense, the VRP is a proxy for "criticality" but in a more reliable format. It is a more logical assessment because - contrary to the flawed criticality calculators of the past - it assesses the propensity for individual types of risks to exist and it can be linked logically to individual due diligence requirements and policy requirements.

VendorInsight Program Administrators Offer Insight into Vendor Documents

Posted by CMPG Risk Solutions on Feb 14, 2014 3:06:00 AM

Our Program Administrator team at VendorINSIGHT® frequently fields questions from users about vendor documents. Today, they offer this insight:

Contract owners often ask what types of documents can be or should be stored in the system. The answer is simple. All kinds of vendor documents can be stored with the contract record. This can include everything from the initial evaluation documents to the termination letters. Depending on the vendor management policy, contract owners may even be required to save certain vendor documents to the system like SSAE16 reports, financials, completed information security questionnaires and other forms. The "Add Document" feature in VendorINSIGHT® is very user friendly and the Policy Control and Compliance Module (PCM) makes it very simple to associate documents with policy requirements. Sometimes customers want to track expiration dates for vendor documents, like Certificates of Insurance, in a separate spreadsheet but with VendorINSIGHT® there’s no need for this. VendorINSIGHT® can link the documents to the correct record and provide advanced email and dashboard alerting when the expiration date is approaching. The Program Administrators can even set up preliminary, or anticipatory, vendor contract records so that users can save and track evaluation, RFP and other due diligence documents even before the contract has been finalized!

Financial Institutions Search for Operational Efficiency Using Vendor Management

Posted by CMPG Risk Solutions on Feb 5, 2014 3:08:00 AM

The latest article in BAI Strategies predicts that for 2014, "banks are committed to reducing expenses and operating more efficiently through better use of technology, improved hiring and training practices and right-sizing business units." While going electronic with some transactions and cutting staff will help, everyone overlooks the single biggest opportunity: the cost of vendor contracts! A financial institution's spending on contracts with its vendors for goods and services typically makes up more than half of its noninterest expenses. Unfortunately, this article does not recognize that the value delivered by an effective vendor management program is the single best way to gain control over expenses and improve efficiency. At VendorINSIGHT our solution has embedded services like CONTRACT REVIEW SERVICES, making it much more than just a risk and compliance solution. Every day we deliver a full complement of business services that are integrated into our software. Our customers shamelessly take advantage of this to get efficiency and cost reduction! Think of it as compliance with an ROI.

Do Your Vendors Have the Appropriate Employee Security Policies and Procedures?

Posted by CMPG Risk Solutions on Feb 4, 2014 3:09:00 AM

As was announced earlier this week by GoDaddy web hosting services, an employee was tricked into revealing information that compromised domain name ownership. As important as it is to have adequate policies and procedures and a rigorous training program for your own employees, it is also an essential point of validation that your vendors do the same. This is a real-life concern for your vendors who handle transactions and Non-Public Personal Identification Information (NPPII) for your customers. Is this a question that you explore during Vendor Due Diligence and annual risk reviews? If not, give us a call and learn how VendorINSIGHT's tools give you that ability.

Upcoming ABA Compliance Conference Focuses on Dodd-Frank Impacts

Posted by CMPG Risk Solutions on Jan 31, 2014 3:11:00 AM

Are you ready for the post Dodd-Frank direct and indirect compliance requirements? It seems that the ABA Compliance Conference on June 8-11 in New Orleans will focus on this very subject. This includes specific presentations on understanding and managing third party vendors and vendor risk. We will be there displaying VendorINSIGHT®, presenting how our solution is tailored to address expanded Vendor Management responsibilities brought forth in recent guidance.

What You Don't Know About Your Vendor's Financial Health May Be Hurting You

Posted by CMPG Risk Solutions on Jan 15, 2014 3:13:00 AM

Topics: Vendor management, due diligence

Where Are All of the Green Vendors?

Posted by CMPG Risk Solutions on Jan 9, 2014 3:14:00 AM

Somebody asked us the other day whatever happened to all of the "green" or "sustainable vendor" enthusiasm that was so prevalent a couple of years ago. Good question! In most industries there has been such fervent diligence around information security and risk - especially in the financial services industry - that the topic of sustainable sourcing and green vendors seems to have faded into the distant past. Rightfully so. When regulators have been hammering away at drafting and publishing new requirements and corporate risk managers and information security officers have been hound-dogging vendor selection and sourcing teams to do the proper due diligence, it is hard to see that there is much bandwidth to divert to sustainable sourcing. Well, we at least have some good news for you. In 2011 VendorINSIGHT implemented a paperless policy and an energy policy, and extended our recycling policy to include technology, not just paper and plastics. The paperless policy had two benefits. With desks clear of paper, we provided another reason our employees could easily adhere to our information security policy, which requires all confidential information to be locked up during non-business hours. It's nice when green efforts complement good business practices, in this case information security efforts, rather than conflict with them. That's not always the case, as many who were engaged in sourcing and vendor management through the 2000's can tell you. More often than not, special interests get in the way of running a business efficiently and effectively.

Role of Compliance Officers Shifts Toward Implementation as Costs Rise 65% In 3rd Quarter

Posted by CMPG Risk Solutions on Jan 8, 2014 3:16:00 AM

This article from Credit Union Times is concise and perhaps not as in-depth as we'd like but it does continue a trend of articles we've read over the past year that have described how the role of Risk and Compliance officers has changed dramatically. The article notes there has been a major shift from an emphasis on analysis to an emphasis on implementation. We have certainly witnessed this in the vendor risk management space in 2012 and 2013 and continue to see it as an important evolutionary success factor in 2014 and beyond.

Because vendor risk management systems automate a lot of the data analysis and reporting, this has enabled a shift of focus toward the creation of quality risk content – vendor assessment data and narrative – and the design and implementation of new workflows with accountability for everyone to complete their vendor management process tasks which contribute to this data. Vendor management is a multi-faceted process that crosses many departmental boundaries and requires strong process design, controls and implementation efforts to be successful. Without accurate and timely task completion, analysis and reporting will not be accurate.

We think this is why more and more banks are relying on us to help them complete tasks like vendor due diligence and monitoring in a high quality, timely manner, and also why they rely on us for insight about how to make sure that everything gets done accurately and on time. Good process design and experience with implementation are helpful. This strategic shift in emphasis for the risk and compliance officer, and their need to be able to rely on their partnership with an expert third party risk management solution provider, validates our strategic direction and makes us feel good about being able to service our customers' true business needs.

On a closing note, we were surprised to see that the average compliance cost for a financial institution rose by more than 65% in the third quarter of 2013 over 2012. That is even higher than our research which showed it at around 50%. Regardless, this is certainly a sign that financial institutions are tackling, rather than debating, the compliance and regulatory hurdles and challenges they face. As they do this, it will open up the door for regulators to continue to advance guidance that raises the bar. Those not elevating their spending are being left behind. Playing catch up can be not only difficult but a potentially dangerous strategy.

Topics: compliance management, compliance officer

Thoughts on Business Continuity and Vendor Management

Posted by CMPG Risk Solutions on Dec 20, 2013 3:19:00 AM

We always watch news and other white papers that are being published to gauge what topics are trending up. This white paper got our attention today mostly because of the topics of BCP and DR, which were gaining momentum in 2012 but were pushed aside in 2013 as regulators chose to focus on vendor and third party risk management. The white paper really is just a simple primer, or checklist, for establishing a business continuity program. What caught our eye was the absence of commentary about Business Operations continuity. So many business operations have outsourced functions that operational business continuity is virtually synonymous with vendor business continuity. We're excited about the integration of our BCPINSIGHT™ web-based solution into VendorINSIGHT® and think we're well ahead of the game as BCP and DR regain some of the top spots in the ERM dialogue in the coming year! With the BCP module, even your vendors can participate in your online tabletop exercises.

FFIEC Issues Final Guidance on Social Media Risks

Posted by CMPG Risk Solutions on Dec 12, 2013 3:24:00 AM

After almost a year as proposed guidance, the FFIEC issued its final Social Media guidance this week. An excellent overview was presented in Bank Info Security as it relates to the impacts, shortfalls (from an internal security bias) and the new guidance requirements and expectations, but what is clear is that all institutions have responsibility for Social Media, whether or not they use it as part of their business practices. The requirements are spelled out, and again policies and procedures for monitoring of Social Media detail FI responsibility without defining the mechanism for compliance. We believe we have the solutions required to demonstrate and attain full compliance with this expanded responsibility, as we announced with our recent Social Media and Customer Complaint outsourced monitoring services.

Social Collaboration for Innovation

Posted by CMPG Risk Solutions on Dec 5, 2013 3:26:00 AM

We think that Kenneth Cline hit the nail squarely on the head with his latest article on Social Collaboration published in the BAI Banking Strategies magazine. We cannot agree more with Cline's key article tenet that decisions can no longer be made by just one person. We have supported this theory of internal and external collaboration within our software design since the inception of VendorInsight®.

VendorInsight® is 100% Compliant with NEW OCC Guidance

Posted by CMPG Risk Solutions on Nov 15, 2013 3:27:00 AM

After devouring the new OCC guidance (2013-29, "Third Party Relationships: Risk Management Guidance") that replaces bulletin 2000-9, we recently released our latest Compliance Bulletin (November 12, 2013). We weren't really surprised by much. Most of the requirements and guidance are aligned with the development path we've been pursuing for well over a year now, affirming our strategic direction. In fact, we half expected this guidance, as we prognosticated in our September 9 post. Now the real work begins. Customers will need to be guided to the features in VendorInsight® they may not be utilizing actively so that they can be protected and be compliant with the new expectations. One of the most significant prescriptions in the guidance: Vendor monitoring is now "essential." Management controls and reviews are not enough. This guidance really affirms our leadership in the area of vendor monitoring. The good news: Even if you don't run VendorInsight® and utilize one of our competitors' products to manage, you can subscribe to our vendor monitoring services.

Topics: OCC Guidance

FDIC Supervisory Approach to Payment Processing Relationships

Posted by CMPG Risk Solutions on Sep 30, 2013 3:29:00 AM

On Friday of last week, the FDIC issued a clarifying Financial Institution Letter, FIL-43-2013, related to facilitating customer payment processing, and the recognition that the regulatory risks of facilitating "high-risk activities" of business customers lie with the bank. Of note, this guidance only footnotes that higher-risk activities are typically characterized by high rates of return, high rates of unauthorized transactions, consumer complaints, or evidence of state or federal regulatory or criminal actions against the business customer. We will not be surprised to see this clarification expanded to encompass the CFPB efforts to solicit and record customer complaints and the push to require deeper exploration of your business customers. We believe that the inherent responsibility for expanded monitoring of available market information is a solution we will deliver with future releases of VendorINSIGHT®.

FDIC Urges Improved Vendor Management

Posted by CMPG Risk Solutions on Sep 16, 2013 3:31:00 AM

Naturally, items like the news below grab our attention just as they grab that of our customers! In a year flush with new regulatory guidance from FFIEC, FDIC, and CFPB, we are wondering if we are going to hear from OCC. Don't be surprised if we see some new guidance. We are receiving a lot of intelligence from our customers about their examinations, and this often foretells updated guidance and direction as regulators continue to raise the bar for third party risk management and direct banks to improve their programs.

Should Your CISO Be Your Chief Risk Officer (CRO)?

Posted by CMPG Risk Solutions on Sep 12, 2013 3:32:00 AM

Not in our opinion. We are in Chris Buses' camp when it comes to this issue. It is true that 5-7 years ago information security dominated the risk concerns when it came to outsourced and third party relationships, but with the FFIEC examination handbook updated in March 2008 the emphasis broadened to include many other dimensions of risk. Ultimately, that laid the groundwork for where we are today. Information security is just one small part of the vendor, or third party, risk management equation. And vendor risk management must be successfully integrated into an enterprise's ERM program. Certainly, vendor management is a big enough and complex enough process that, when done correctly, it crosses a lot of organizational boundaries and requires its own system and dedicated resources to run efficiently and achieve good compliance. But vendor management also has to be integrated into a good ERM framework, which is why we built VendorINSIGHT® the way we did. In banking, for example, the successful CRO has broad-ranging risk management skills that span the two primary business elements - lending and deposits - as well as other affiliate services (insurance, etc.) and often brings a big-audit perspective that is essential to maintaining integrity in the ERM framework. The CRO often has a risk orientation focused on narrative and good documentation about business risks and trends and residual risks, as much as information security. We see information security as a specialty within the risk management department led by the CRO. Perhaps in a very small community bank this role can be assumed by one individual, but we wouldn't recommend it in a bank that is $1 B in assets or greater.

Topics: vendor risk management, Chief Risk Officer, Chief Information Security Officer

Guidance For Small Bank ERM / Free Vendor Management Setup Kit

Posted by CMPG Risk Solutions on Aug 1, 2013 4:12:00 AM

This Bank Safety & Soundness publication looks like it might be beneficial if you are a smaller community bank and need to get started with a formal ERM program. It reminded us that our guide to starting (or updating) your vendor management program is free! Check out the link on our web site or click the contact form link to be contacted to receive this. Our free Vendor Management Program Setup Kit includes things like a vendor management policy template, workflow diagram, information security checklist, risk assessment guide and other valuable tools that will have you up and running quickly. You can even get a demonstration or trial of VendorInsight® that will show you how all of these steps can be automated to help you organize everything and save time.

CFPB Issues Responsible Conduct Bulletin

Posted by CMPG Risk Solutions on Jul 1, 2013 4:16:00 AM

The efforts of the CFPB are now underway, and this guidance helps define the expectations of this new agency to ensure a self-regulating culture of compliance. It is clear in reviewing the self-policing, self-reporting, remediation and cooperation segments of the bulletin that financial institutions will need the right tool sets to capture and document service delivery failures that could manifest themselves as regulatory reviewable events. VendorINSIGHT® has the requisite dashboards, alerts and SLA tracking modules to keep up to date on vendor performance as measured around the institution. In addition, our BCPInsight™ product allows a disrupting event to be tracked and recorded in real time, to become the evidence that may be required to substantiate decisions and actions made during anything from a calamity to a full-fledged crisis.

VendorInsider Blog

Insight into Vendor Management Best Practices, Challenges, Solutions and Trends from Industry Insiders

As one of the longest running and most advanced vendor management software solutions, the helpful people of VendorInsight® have a unique perspective on third-party risk, compliance and management. In the VendorInsider Blog, we share our insights on timely and relevant issues facing vendor managers. You can subscribe using the button below, or contact us with questions.
