Vendor Management Is Risk Management

Just because you outsource it, you’re still responsible for it. — Terry Ammons

By Alaina Webster

At a time when more and more financial institutions are outsourcing pieces of their operations, good vendor management has become crucial to success. From improving the bottom line to staying in the good graces of regulators, staying on top of vendor services and understanding the vulnerabilities they present is a key challenge.

Terry Ammons, partner at Atlanta-based CPA advisory firm Porter Keadle Moore, believes that good vendor management starts with the board and executive management, but if done properly, it also involves other departments that may have knowledge of a system or tool that those higher up lack.

Moreover, good vendor management “aligns with the overall business strategy, the strategic direction the bank wants to go, related to new products and services,” Ammons says.

“Once you make an assessment risk, and you decide that you’re going to choose to take the risk, and you’re going to use the vendor, then you assign people who know what they’re doing to oversee the process over time,” he continues.

Ammons points to his own firm, which provides vendor management assessments and services, as an example. Only about 15 percent of PKM’s clients, he believes, ever ask for an overview of the firm’s security procedures before handing over access to bank/credit union data.

Banks should be asking if they have to share their data with a company as part of a third-party service. “If the answer is yes,” he says, “then at least you need to figure out what they’re doing with that, how often they get it, how they’re keeping it secure on their end.”

Vendor management, he cautions, should never be one person’s job alone. There’s a danger in looking at VM “as an administrative task that you’ve got to do, sort of like doing your tax returns,” Ammons says.

Moreover, Ammons notes, compliance and regulation are also tied into relationships with outside vendors.

“Whoever your bank or credit union regulator is, they’re going to be looking at the vendor management process you have in place,” he says. “You’ve got to think about those things when you’re dealing with this stuff.

“Every regulated financial institution has to have at least an annual review of their vendor management program.”

When considering partnering with a vendor, Ammons suggests FIs consider their overall strategy, what services a particular company provides and how these fit into the future and growth of the financial institution.

“What do you want to do? How much do you want to grow? What new products do you want? Who do you want to serve? How do you want to be different in 3 to 5 years?” he says.

He also recommends that FIs pay particular attention to fintechs, as PKM works with and understands several operators in this sector.

“Unless they’ve got some experience and they’ve worked with banks before, a lot of these startup companies are just young people who have a good idea,” he says. “They think they’re going to change the world, but they don’t understand how a bank works on the back end or what their regulatory issues are.

“That’s why vendor management is more and more important because so many more things are outsourced than they used to be,” he concludes. “Used to be you had your core sitting in a big room with glass walls and the data never left the premises, and so the only way … something would happen was you’d lose a paper report or something like that.

“We have clients how … they outsource every single thing … You end up with banks that really don’t have IT people, so you become highly dependent on your third-parties, and that’s why vendor management is so important.”

Alaina Webster, Managing Editor,
