Introduction to Vendor Management BOI October 15, 2013



• Brad Smith – President, Abound Resources

– More than 20 years' experience helping community banks achieve their business goals with technology

– 500+ vendor evaluation projects in de novos to multi-billion dollar institutions

– Lead negotiator representing community financial institutions on 200+ software, hardware and outsourcing contracts valued at $150+ million

– Developed Abound’s vmRisk™ methodology

– Former Manager of Deloitte & Touche’s Community Bank Technology Consulting Practice

– Technology advisor to several industry trade associations

512-351-3700 [email protected]

Speaker

Who We Are

• Management consulting firm for the community banking industry

• We empower community financial institutions to achieve their goals. “Goals achieved. Guaranteed.”™

• Based in Austin, TX; clients in 40+ states

• Founded in 1997 by former bankers and Big 5 consultants

• 500+ software evaluations

• Vendor neutral

• Advisors average 20+ years in CFI management; lending, cash management, risk management, operations and IT

• Endorsed by IBAT, ICBM and CUNA

What We Do

Goals achieved. Guaranteed.™

Vendor management practice (RightPath™ VM)

• Vendor Evaluations

• Vendor Utilization Improvement

• Contract Negotiations

• Conversion and Implementation Services

• Ongoing Vendor Management and Risk Monitoring

• What is Vendor Management?

• Why is It Important?

• The Biggest Issues We See

• Characteristics of a Good Vendor Relationship

• Case Study

• Best Practices and How to Do It

• Tips to Save Time and Improve Risk Management

• Action Steps

Agenda

• Ensure each vendor:

–Meets your needs

–Fulfills their contracts

–Provides value to your bank

• Your goals:

–Manage the risks associated with the vendor relationship

– Improve vendor ROI, performance and accountability

What Is Vendor Management?

• It is not about getting their financials and SAS 70s

• It is not about beating them up.

• No adversarial relationships.

Lose-lose

What Vendor Management Is Not

• Reliance on vendors brings risk.

• As such, it’s a regulatory hot button that will only get hotter

• ROI, service levels and performance issues

Why Is It Important?

• Vendor doesn’t provide the expected service due to bankruptcy, business interruption, etc.

• Buying something that doesn’t meet your needs or performs unsatisfactorily

• Vendor without proper security causing financial or reputational loss

• Ambiguous expectations causing delayed implementations, inefficient operations, extra costs, potential losses and customer impact

• Give up legal protections

Why It’s Important – Vendor Risks

• IT is now the second largest non-interest expense in community banks

• Community banks typically use less than 50% of their paid-for functionality

• Poor vendor management (both IT and non-IT vendors) has a direct effect on the bank’s ROI

– Decreased efficiencies

– Inability to offer products and services

– Negative impact on customer service

Why It’s Important – Service Levels/Performance Issues

“Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring”.

FFIEC

Why It’s Important – Regulatory Issues

Resources

• FFIEC http://ithandbook.ffiec.gov/it-booklets.aspx

• FIL-105-2007 http://www.fdic.gov/news/news/financial/2007/fil07105.html

• FIL-81-2000 http://www.fdic.gov/news/news/financial/2000/fil0081.html

• Section 501(b) of GLBA http://www.fdic.gov/news/news/financial/2001/fil0168.html

• Outsourcing Technology Services http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx

• FDIC’s Effective Practices for Selecting a Service Provider http://www.fdic.gov/news/news/financial/2001/fil0150b.html

General expectations

• Vendor management policy

• Vendor risk assessments at time of purchase and ongoing

• Vendor due diligence at time of purchase and ongoing

• Suggest Service Level Agreements (SLAs)

Why It’s Important – Regulatory Expectations

Vendors

• Over-promise and under-deliver

• No service level guarantees

• Finger pointing - integration and interface issues

• Sell and forget

• Don’t provide due diligence info

Banks

• Weak selection process (buying based solely on a demo, no consensus)

• Over-reliance

• Not holding vendors accountable

• Not holding themselves accountable

• Buy and forget

The Biggest Issues We See

They

• Proactively contact you beyond error resolution and new sales

• Look for ways to increase utilization

– Annual utilization study

– Report of support calls

– Personalized updates of new enhancements

• Look for ways to reduce costs

You

• Hold them accountable

• Hold yourselves accountable

• Include them occasionally in IT Steering Committee meetings

• Get their input into your strategic technology plan

• Are active in their users group

• Work together for BRP testing

Characteristics of a Good Vendor Relationship

Case Study Exercise

• Discuss TriView’s Suppliers and Partners

• Identify Your Bank’s Suppliers and Partners

• Simple Risk Assessment for TriView

• Simple Risk Assessment for Your Bank

• Discuss Your Bank’s Due Diligence Requirements

• Discuss Your Bank’s Contract Points

Four Phases

1. Vendor Selection

2. Contract Negotiations

3. Implementation

4. Ongoing Optimization and Vendor Management

Figure label: Amount of Leverage You Have

How to Do It

“Vendor management begins before the purchase”

• Every bank needs a good vendor selection methodology. Build it into your Purchasing Policies.

• For larger/complex purchases, consider a structured, objective process that puts you in charge:

– Needs analysis

– RFI/RFP

– Demos

– Due diligence

– Finalists

– Vendor selection

Selecting the Right Vendor

• Define scope of services, products and responsibilities – No gray areas!

• Regulatory guarantees, notification of security breaches, participation in BRP, SAS 70 and financial reports, etc.

• SLA specifications with incentives/disincentives

• Protect your interests; use outside counsel or consultant as on big purchases

• Orderly conversion

• Regular meetings

Contract Negotiations

Contract Negotiations - SLAs

• An SLA is a formal negotiated agreement between the bank and its service provider. It may also be a three-party agreement that includes multiple providers.

• It records the common understanding about:

– Services to be provided

– Priorities

– Responsibilities

– Performance guarantees

• The main purpose is to agree on the level of service and the associated incentives/disincentives for meeting those responsibilities.

• SLA Exercise – EFT Services and lost revenue

• Poor implementation is nearly impossible to recover from

• Clear roles – typically they install or convert, you implement

• For software, don’t forget process redesign

• Project Management Best Practices

• Establish adequate system controls

• Segregated duties and dual controls

Implementation

• Put it on your IT Steering Committee Calendar

• Keep tabs on financial health of vendor

• Periodically review vendor performance

• Participate in user groups and band together

• Review invoices

• Identify vendor interdependencies/BRP testing

• Review vendor’s SAS70 annually

• Assign “owners” for each system

Ongoing Optimization and Vendor Management

Highlights from Abound Resources’ 2010 Vendor Management Survey

• Generally satisfied but believe vendor management will rise in priority in next 24 months

• Time is the biggest challenge

• Inconsistent process

• Manual, labor intensive process

• Lack of executive and Board-level oversight

Source: Abound Resources’ 2010 Vendor Management Survey

Time Saving Tip 1: Standardize vendor evaluation criteria

Benefits

• Financial benefits

• Product functionality

• Technical considerations

• Service and support

• Vendor strengths

Cost

• Total 5 year costs

• Capital costs

• Ongoing expenses

Risk

• General vendor risk

• Financial risk

• Contractual risk

• SAS 70 risk

• BCP risk

Note: For illustration only

Tip 2: Agree on Evaluation Processes, When to Use

Purchase Price | Risk Rating Tier | Evaluation Method
High | 1 | Full RFP
High | 2 | Full RFP
High | 3 or 4 | Short RFP
Med | 1 | Full RFP
Med | 2 | Full or Short RFP
Med | 3 or 4 | Short RFP
Low | 1 | Short RFP
Low | 2 | Short RFP or 2 Bid RFI
Low | 3 or 4 | 2 Bid RFI

Note: For illustration only

Tip 3: Negotiate in compliance and time savings

Vendor Risk Management Conceptual Flow (diagram boxes: Vendor Risk Assessment; Due Diligence Requirements; Report of Adjusted Risk; Due Diligence Review)

Note: For illustration only

Tip 4: Use a 4 Tiered Risk Rating

Four-tiered Risk Assessment Approach

Three-tiered Risk Rating

Result? 107 fewer documents to request, gather, review and base recommendations from

Tip 5: Only Ask for Documents You’re Going to Act On

Note: For illustration only

Tip 6: Automate and/or outsource

Best Practices for Running Your Program

• Business decision, not “just a compliance issue”

• Less is more

• Don’t get lost in the weeds

• Standards and checklists

• Simple, visually effective report

1. Inventory your vendors and contracts

2. Assign an internal owner for each vendor relationship

3. Start tracking vendor issues

4. Grade your vendors on performance

5. Update purchasing policy and adopt a selection methodology.

6. Build standard language for all contracts.

7. Set a date for presenting Vendor Management updates to the IT Steering Committee.

Action Steps

• Vendor management begins before the purchase

• Hold each other accountable – it’s really “relationship management”

• Regulatory scrutiny will increase but do it for business reasons

Conclusion

Questions

How We Might Be of Help

• Vendor management:

– Vendor management policies and programs

– Vendor due diligence gathering and evaluation

– Vendor evaluation/selection

– Vendor utilization improvement

– Vendor contract negotiations

– Vendor conversion and implementation assistance

• Risk Management and Compliance

– ERM Assessments and Plans

– Risk Management Best Practice Reviews

– IT Audits, Security Assessments

– BSA/AML Reviews, Programs

– Loan Review

– Credit Risk Management Best Practices Review

– Troubled bank assistance

Please contact:

Brad Smith, President, 512-351-3700, [email protected]

Ryan Esquell, VP of Sales, 512-351-3702, [email protected]