By now, many organizations have begun to receive control audit reports covering 2017 (SOC1/SSAE18 and SOC2). One element of note is the emergence of subservice organizations, or fourth parties, in reports generated after May 1, 2017.

It is interesting to see the reveal of underlying providers (fourth parties) within the updated reporting formats. While these new formats intentionally define what is being performed by contracted fourth parties, the disclosure of who is performing these efforts is often not as revealing as we expected or hoped. At times, there is a fog placed on the identities of fourth parties; phrases like "industry-recognized third party" or "subservice organization" are inserted in place of the names of the companies your vendors have outsourced responsibilities to.

New tax plan is enabling many banks to invest in technology that helps them be more competitive. Vendor management is leading the way. 

At this year's ABA National Conference for Community Bankers (NCCB), ABA President Rob Nichols
discussed how banks are already spending based on savings they'll see under the new tax plan. According to ABA polling, banks are reinvesting their projected tax savings in their employees, customer growth, philanthropic activities, and technology to help them gain a competitive edge. This is going to put pressure on other banks to invest or get left behind.

As vendor management has evolved from contract management a decade ago, focused upon risk management and regulatory compliance, the emerging challenge is keeping track of all the elements required to keep pace. You can no longer run an Excel or SharePoint solution from a server in the corner of the IT Department to get the job done. Vendor management requirements have grown too large and too widespread.

Vendor risk management, as defined by the FFIEC across a multitude of vendor analytical dimensions, was the first layer of complexity to be placed on top of traditional document repository contract management systems. Today’s fully-featured solutions have expanded upon this layer to include vendor news monitoring, vendor risk alerting, performance risk inclusive of SLA monitoring, the many facets of onboarding and ongoing due diligence review and risk assessment, complaint and social media monitoring, information and cyber security reviews, on-site evaluations, fourth-party risk review practices, and most recently, the newly unveiled concentration risk analysis. 

The key to a successful vendor management program is in the quality of its tracking and documentation:

-What vendor documentation do you have?
-When does it need to be updated?
-What documentation have you reviewed?
-Where do you require added focus or should concern be raised?
-Who are you still waiting on to respond?
-What needs to be reported upward?
-How long has it been since last contact?
-How is the vendor performing against the contract?
-When does the contract renew and what are your options to terminate/renegotiate?

We see a lot of companies overthink their vendor management program. Inevitably, they end up tangled in a complicated process design. By its very nature, vendor management is a simple process.

Strategic planning isn't just for business. It can also be used as an effective tool to guide the development of your vendor management program. Asking key questions will reveal insights, force you to face realities and help ensure that you anticipate changes that will occur in the future. Some of these questions might be: "What are the biggest threats and risks my vendor management and third party risk management process face?" or "What resource allocations and succession plans need to be in place to ensure delivery for the future?" or "Do I expect competition to emerge for the risk management services I currently provide for my company?" or "Where do I expect technology to converge to bring me improved productivity in meeting regulatory requirements?"

If you are thinking that vendor management and third party risk management is complicated enough that you have your hands full just keeping up with today's requirements and that strategic planning would be a luxury, you are not alone. VendorINSIGHT, through our office of Client Development, has developed a worksheet that walks customers through the questions they need to ask. This worksheet paints a picture of the complexity, challenges, resources, and trends they will face in the future. It also delivers insights from our industry interactions, customer experiences, and assessment of what the regulators are saying. Completing this exercise can help you communicate to your management team where and when they should expect you to ask for more resources, make additional investments in systems and technology, and how you will develop the existing resources you have so you can be as effective and as efficient as possible.