If, like me, you have been examined by a regulator and survived, you’ll recognize the need to supply a copy of your vendor management policy and procedure documentation. The examiner will likely read these documents and then ask pointed questions for you to elaborate on. The goal of the examiner is to highlight your commitment and adherence to the policy and procedures, and to have you not only demonstrate your understanding and knowledge but also share real-life “what if” scenarios.
Own The Manual
Increasingly, it’s evident that the level of review is becoming more sophisticated and, in turn, examiners may well request actual documentation in the form of testing results and/or reports to further support the outlines contained in a policy document.
If you have taken the step of purchasing an off-the-shelf policy and procedure manual, it’s important that you haven’t made the mistake of simply adding your company name and putting it back on a shelf, where it will inevitably gather dust until it is pulled down again the minute you receive the examination request.
The key takeaway here is that:
- You must “own” the manual.
- Understand it, adopt it, and cut out any policy or procedure that does not align with your real day-to-day procedures, or reconsider your current practices and amend them to align with the policy document!
Policy and Procedures Need to Align In Real Life
Here are a couple of examples where the policy, procedures and real-life operational procedures don’t align.
Example 1:
- A lender had purchased a policy and procedures manual that outlined appraisal management. In it, the policy stated that appraisal assignments were awarded to an appraiser based on their proximity to the subject property: for example, 10 miles for an urban location.
- However, in preparation for a mock exam, a keen vendor manager who had been asked to assist with the exam prep took the time to read the company policies and then ran a test, since they were also involved in vendor oversight within the appraisal department.
By pulling a report based on subject property address and cross-referencing it against the appraiser’s primary business office, they discovered that appraisers were not working in their immediate geographic location and were exceeding the documented 10-mile assignment policy. The evidence suggested the opposite of what the policy stated.
This resulted in additional research that suggested appraisal independence was not being adhered to.
A secondary report showed an unusually high number of appraisal orders being awarded to a small percentage of the appraisal panel, which further proved a violation of the distance requirement.
- The research was communicated to risk and compliance personnel, who were then able to review the policy and procedure and determine what, if any, compliance violations had occurred. Luckily, this was discovered during a mock exam prep exercise. Had this been a real exam, the outcome could have been very different.
Example 2:
- A vendor management policy outlined the contract approval process. In this case, the policy was written by the vendor management team but had not been distributed to or acknowledged by several department heads.
- During an examination, it was noted that certain contracts carried the signatures of employees who did not have the correct signing authority. In addition, the policy stated that the maximum term of a contract could not exceed 12 months. In the cases of the unauthorized contracts, 36-month terms had been agreed upon.
- This placed the lender in a contractual bind, with only a good faith effort and reliance on the strength of their existing relationship to exit or try to renegotiate the unfavorable terms with their vendor.
- More importantly, this resulted in a finding of non-compliance against their own internal policy manual.
What can we learn from these examples?
- Understand the policy and procedure content.
- Own, endorse and execute your policy manual!
- Communicate it to your organization, gain support for it and record acknowledgment of the policy by having staff commit to following it.
- Implement a policy that tests it by way of practical research in the form of reports, data analysis, staff interviews, etc.
- Analyze the testing results and review against the policy and procedures. Make changes where applicable.
- Review often. Changes in staffing, scope, regulatory compliance and business process should all be natural triggers to review against the existing policy for required updates.
- Above all, unless it is written down, the policy or process cannot be proved to be in effect. Without testing of the policy or documented evidence that a process has been followed, you cannot reasonably expect to have a strong and robust policy and procedure program for any given discipline.
By adopting these best practices, you’ll put your organization in a stronger position to address the examiner’s questions regarding your internal policy and procedures records.