Look Before You Leap: A Checklist for Successful Vendor Relationship Management

Banks of all sizes increasingly are finding that it can be tough to go it alone. Instead, they are forging relationships and hiring external vendors to manage routine operations. These relationships can deliver substantial expertise and provide efficiency while also creating additional responsibility and risk. To uphold quality customer service, protect an institution’s reputation and maximize satisfaction with a vendor’s performance, banks must thoughtfully establish a framework for overseeing service providers.

Look at the Big Picture
Before addressing the day-to-day management of vendors, banks first should examine their enterprise-wide process for engaging service providers. Large banks often have an entire department committed to this endeavor. Smaller banks, which might lack the resources to dedicate employees to the effort exclusively, should establish a policy to govern their use of vendors. This approach creates a clearly communicated process for all employees to follow, avoids unnecessary duplication of work and keeps critical considerations top-of-mind when new relationships are being solidified.

As part of any vendor management policy, banks should make certain that vendors are:

  • Financially sound
  • Capable of providing services that meet a bank’s specific needs
  • Bound by a contract negotiated with proper protection of the bank
  • Prepared to undergo regular performance reviews

Setting Up Relationships for Success
Vendors are hired to handle a wide variety of responsibilities—from software systems and customer communications oversight to regular account maintenance; however, the best practices for managing vendor relationships typically do not vary. Following are steps to create successful relationships with service providers.

  1. Establish accountability. It is important to assign ownership of each vendor relationship, asking the manager most actively involved with a vendor to oversee its work. Without a primary point of contact accountable for a vendor’s activities, the quality of service could slip and potentially tarnish the bank’s reputation or cause financial harm.
  2. Share objectives from the start. Before beginning to work with a vendor, banks should make their objectives clear. Some of this information is contractual, but what about expectations that are not spelled out in writing? A relationship with a vendor can be defined by levels of service, such as the exact timing of when reports will be received or how quickly emails will be returned. Failure to identify such expectations upfront could result in dissatisfaction with a vendor’s performance as well as wasted time and resources.
  3. Create a performance scorecard. Relationship managers should assess the performance and costs associated with a vendor on a consistent basis. Regularly scheduled conversations or reviews are a good way to keep vendors on track toward meeting objectives. These discussions, which could be held as infrequently as twice a year or as regularly as weekly for critical service providers, are opportunities to talk about concerns and share any changes at the bank that could affect the vendor.
  4. Measure and manage risk on an ongoing basis. Vendors should be monitored regularly to assess their stability. Organizational developments at a service provider, such as a vendor filing for bankruptcy or making major changes to its service offerings, could have substantial consequences for a bank. Banks should work to remain up to date on any information that would necessitate switching to a more reliable provider.
  5. Evaluate alternatives. The best time to consider switching service providers is long before a vendor’s contract matures. If a manager believes a bank could receive better service or could find a more cost-effective vendor, then it is a good idea to explore alternatives early.

Redefined Regulatory Rules
In addition to helping banks better serve customers and operate more efficiently, managing vendors effectively is important for another reason: Bank regulators have increased their focus on vendor oversight and view it as essential to banks’ risk and performance management. Banks that fail to follow through in this area could face heightened regulatory scrutiny or penalties.

Overall, banks likely will find that forging a successful alliance with a vendor is similar to building any other healthy relationship—it will take time and commitment to make the relationship work for the long term. Given recent trends, banks should make sure they—and their customers—are getting the best possible value from their service providers.

Does Your Bank Need a Risk Committee?

The focus on the board’s role in managing risk has certainly been in the spotlight in the years following the financial crisis, with the regulatory bar raised regarding risk governance. While publicly traded institutions with more than $10 billion in assets are specifically required to establish separate risk committees of the board, many smaller banks are doing so as well. In March, Bank Director’s 2014 Risk Practices Survey found that more than half of institutions with between $1 billion and $5 billion in assets and 76 percent of those with between $5 billion and $10 billion in assets now govern risk within a separate committee. Data for institutions with less than $1 billion in assets was not collected.

When does a bank need a separate board-level risk committee? Despite the rising popularity of risk committees, many community banks have not taken this approach, but instead govern risk in the audit committee or as an entire board.

Regardless of size, banks with a more complex risk profile have a greater need to govern risk within a separate board-level committee. Not only does a more complex organization intrinsically have a more complex risk profile, its audit committee will be more heavily tasked, leaving less time to devote to risk management matters. In that situation, “the best case scenario is to have two separate committees,” says Jennifer Burke, partner at accounting and consulting firm Crowe Horwath LLP.

Jim McAlpin, partner at Bryan Cave LLP, believes it best to separate risk and audit responsibilities if the bank has qualified directors for both committees. “Not all boards have qualified directors for this,” he says. “Unless you have adequate capability on the board, it’s not helpful to have both committees.”

The ability of the board to place appropriate members on a risk committee is important, and having those skills mirror those of the bank’s audit committee may not be the best approach. The risk analysis process focuses on more than just financial risk and requires directors who can anticipate a variety of problems that could be faced by the institution. “It’s good to have directors with a compliance or risk background that are used to thinking outside of the box. The most beneficial aspect of the risk committee is anticipation,” he says. “The board can charge management to focus on areas where risks appear to be developing.”

He sees more banks bringing in new directors with these skills, and there is no shortage of qualified candidates. That said, larger institutions can better attract directors from outside the community and recruit for these skills, so risk and compliance expertise may not be found on the boards of smaller, less complex banks. “So far, the regulators understand this,” says McAlpin.

Generally, the more complex an organization is, the more likely the regulators will be to urge the establishment of a stand-alone risk committee. McAlpin recommends that a board look at how many different business lines the bank has, particularly in consumer-facing areas like mortgage lending. Over the past two years, scrutiny by the regulators on consumer compliance has grown significantly, he says, resulting in greater risk to the bank regarding these issues. Further risk analysis may also be required if the bank is involved in business lines that regulators deem to be unique or cutting edge.

The maturity of the bank’s risk management program could also dictate whether the bank is ready to establish a separate risk committee.

Crowe Horwath Partner Mike Percy says that a more mature and developed enterprise risk management (ERM) program will allow the board to better assess and monitor risk. Without the robust set of information provided through a mature ERM program, a risk committee won’t have much to contribute. “If you lead with [the risk committee] before the processes are mature, I think it just frustrates” board members, he says.

But McAlpin can see how a risk committee could precede development of an ERM program or the hiring of a chief risk officer. “The risk committee could be the body to take the steps of driving the hire of risk personnel or implementation of ERM,” he says.

A bigger bank is, typically, a more complex one, so banks with plans to grow, whether through organic means or by acquisition, may consider beefing up their approach to risk governance. Percy says that some regulators, notably the Office of the Comptroller of the Currency, consider risk committees to be a best practice for institutions approaching $10 billion in assets.

Burke says that a bank’s growth strategy should be considered when a board makes a decision to have a risk committee, and for those with a more aggressive growth plan a risk committee is a best practice. “You’re making changes, you’re growing [and] your strategy is different from what it’s been in the past,” says Burke.

Growth typically results in additional personnel, business lines and assets, particularly as the result of a merger, which could lessen the certainty that the board knows everything it needs to know, says McAlpin.

“An acquisition strategy is just an additional complexity,” adds Percy. Banks with an eye to grow, particularly those above $1 billion in assets, need the infrastructure in place to support a larger organization, which could include a chief risk officer, an ERM program and a board-level risk committee.

“This side of the banking crisis, the attention to risk is greater than it was,” says Percy. Whether governed within a separate risk committee, combined with audit responsibilities or addressed as a full board, the board, along with senior management, is responsible for setting the tone for risk governance.

The Financial Stability Board, an international regulatory agency based in Basel, Switzerland, released guidance in April (“Guidance on Supervisory Interaction with Financial Institutions on Risk Culture”) that details the elements of a sound risk culture within a financial institution. Though primarily intended for an audience of large, systemically important institutions, this report provides some basic tenets that can be applied to institutions of all sizes. A key element of a sound risk culture that is perhaps the most applicable to bank directors is the establishment of an “effective system of controls commensurate with the scale and complexity of the financial institution.”

In addition to a mature ERM program, this system of controls would include proper oversight by the board. McAlpin recommends that boards work with senior management to determine what areas of risk require the board’s focus. Independent analysis should play a role in these decisions. “If the board relies only on senior management, that’s a big mistake,” he says.

Managing Operational Risk is About Managing Your Business Well

Chinese proverb: “If we don’t change direction soon, we will end up where we are going”…

The Basel Committee on Bank Supervision and the global regulatory momentum around the Basel Accords catalyzed an operational risk discipline by giving us a formal definition for it: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” It also created a finite scope for the risk by laying down distinct event categories and descriptions of cause and effect. This meant that operational risk no longer needed to be described in the abstract or in residual terms such as “anything other than credit or market risk” (which, by the way, was never a meaningful statement at all, considering that the administration and management of credit and market risk are themselves fraught with operational risk).

Notwithstanding definitions and regulatory exhortations, operational risk has not evolved as a discipline in the ten years since the Accords. There has arguably been material progress in measuring it (against losses, scenario and stress analysis, capital postulations), but managing it has been far from easy. Reasons include the fact that it is largely idiosyncratic (in credit and market risk debacles, you tend to sink or swim with everybody else) and asymmetric, since the risk is not passed on to your client and not priced into your products. Operational risk may also be called introspective, as likelihood and severity are both internally determined, and unbounded, as there is no upper limit to potential loss. Traditional belief has been that no portfolio view can be formed, as operational risk is not transactional. You don’t take on the risk or avoid it. It simply exists.

The basic construct of any operational risk program is as follows:

  1. Identify the major risks, as your taxonomy of risks (the Basel event categories should be fine)
  2. Position your internal control environment as a hedge or mitigation for these risks
  3. Through a regime of self-testing, reviews, audits, and risk/control indicators, establish if both the design and effectiveness of your control framework are good and fit for purpose
  4. Ask if your unmitigated risks (and control gaps) are acceptable, and within your appetite for risk

Do all this, and everybody is happy—even the regulator. Do too much, and you have wasted a lot of money, created a big bureaucracy and throttled the business. Do too little, and you have bet your whole business on one big accident.

The real key to managing operational risk lies in recognizing that it simply requires managing the business well, focusing on people, process and infrastructure optimization. This is where the risk-reward consideration (read: cost control) comes into play. A portfolio view of operational risk is in fact available, by looking at the process view of the organization, homing in on what risks arise in pursuing the business, how and where these risks arise in the process sequence, and what mix of people, process and infrastructure could optimally address these.

The implied focus therefore is on the structuring of the end-to-end control framework. This first requires you to clearly define your business objectives, service delivery standards and compliance requirements. Next, identify the risks that arise in meeting or delivering those objectives, categorizing them along your taxonomy of risks; you can use the Basel framework. Then systematically identify which areas of your activity and processes are directly relevant to those objectives. This allows you to relate your operational risks to the specific processes and activities that carry those risks or are relevant to them. Focus then on defining controls where the risks are, specific to the process, in the optimal coverage amount and configuration. Maintain a dashboard of metrics that tell you if your residual (unmitigated) risks are within your risk appetite and if the controls continue to be designed correctly and working properly. These might include some metrics of well-being, similar to vital signs, that indicate business health. A second set of metrics might be smoke detectors, by business, product and process, with built-in lights that flash red, yellow or green against specific escalation triggers and trends.

Bottom line, managing operational risk has never been more important than it is today, but never apparently has it been more conflicted between cost and control. It should not, and does not, need to be so!