If the thought of planning in January for your 2017 vendor management goals feels like a distant memory, you’re probably not on your own. Like any New Year's resolution, the initial goal is new and exciting… it’s why gym membership sales flourish in January only for actual attendance to drop off in later months.
Following through on your vendor management program can feel the same. You know you must do it, but somewhere there is a reluctance to get it done. Perhaps it’s a lack of resources, a lack of support from executive management or a weak compliance management framework. A common reason is simply not knowing where to begin! The result could be mediocre check-the-box type reviews, not finalizing a draft report or, worse still, not getting the buy-in at the board level.
Don’t Give Up on Those Vendor Management Goals!
Granted, it’s September 2017, but if you’re in a position where you're still in the racing blocks and haven’t made a start in your vendor management program then you could, with some careful planning, still make it past the finish line before end of year.
A colleague once sent me a photograph which to this day I quote to my team when faced with a project. The photo has a caption. How do you eat an elephant? The answer: One bite at a time.
That mindset is really what will help you as you take stock of your vendors and deliver a final product for regulatory examination. If you give up now and decide that you’ll skip this year’s regulatory requirement but then receive a notice of audit from the CFPB in January then you’ll find yourself asking why you didn’t use the last 4 months of 2017 to make a push.
It’s worth noting that asking anyone in the financial services industry their opinion of the regulators may be met with a few descriptions that frankly I can’t publish here BUT in speaking with several examiners, I have found that a commonality they share is that they mainly want to see there is a level of effort behind the organization. Inaction simply isn’t an excuse and rightly so.
Use Common Sense In Your Tactical Approach
If your vendor list is in the hundreds and you have limited resources, then the most efficient way to backfill 2017 in oversight is to look at a couple of areas on your vendor list:
- Generate a complete vendor list report
- Define risk ratings: critical, high, medium and minimal risk vendors
- Add a separate field to the report which details spend
- Think about where the risk lies in using these vendors - access to NPPI, known data breaches, criticality to business operations
- Your core list of critical vendors may produce a far shorter list than you had initially expected given the typical 100+ long list of vendor panels we review for clients
The list may contain vendors who perform the bulk of the fulfilment services. These may include:
- Credit Reporting Firm
- Document Preparation
- Loan Origination System
- Compliance Software
- Contract Underwriting
- Mortgage Insurance Providers
- Verification Services
- Imaging Software
With many vendors now offering multiple product lines, pay attention to those vendors since there are additional layers of risk. It's likely that you have increased your dependence on the vendor products and a wider range of vendor staff will have access to your data.
The main point is that while you may have been slow to get the vendor management program underway, you are now at least making something of a potentially tough situation should a regulator catch you off-guard and decide to audit you before the end of the year.
Don’t Forget Your Policy and Procedure Manual!
We’ll assume that you are now able to perform oversight on the critical vendors and have prioritized based on criticality, performance or spend concentration. You may also want to consider re-writing a new Vendor Management Policy.
If your existing policy stated that all vendors would be reviewed during the year with XYZ scope, then in essence you will be out of compliance with your own compliance management system. If you find yourself in this position then either re-write the policy or include a policy addendum.
It's important that you get the blessing of the executive team on updating the policy as this could be a red flag to an auditor without demonstrating some level of review and version control.
Prevent the Vendor Management Scramble from Happening Again
The above exercise is based on fact. I have witnessed it first-hand. Scrambling to meet a regulatory requirement is never a fun experience. Given the elephant scenario, one bite at a time over a 12-month time frame leaves a lot less room for indigestion than trying to accomplish the same task in 4 months.
If your organization finds itself in a similar position, consider outsourcing some of the oversight pieces to help limit this from happening again. Here’s to a 2018 Vendor Management program with a full 12 months dedicated to it. Good luck!
And P.S…Don’t forget the gym membership!