Recently, we spoke to an officer of a well-known financial institution about the organization’s 3rd-party compliance challenges. The institution had wrapped their vendor compliance management into their larger Operational Risk Management program, as it should be. There was one glaring problem, they failed to apply a complete ORM methodology to their vendor monitoring. When discussing ORM, one rule stands above all others: Operational Risk Management is the exact same process across all fields and all departments. The most common error we witness is the tendency of organizations to be ridiculously thorough with part of the process, allowing the rest to slide. Let’s look at the process first.
The average bank or credit union is usually adept at the first two steps in the process. Either through internal subject matter experts or external specialists, (such as our valued partners at CBIZ for banking and AuditLink for credit unions – both trusted partners of Trust Exchange) the identification, assessment/risk-ranking of a vendor are thoroughly processed. It’s the final three steps that sometimes fall through the cracks.
Step 3 – Make Risk Decisions:
When it comes to vendors, one size does NOT fit all. Yet, many organizations habitually assign blanket measures to their critical and high-risk vendors. By doing so, your organization produces multiple negative effects. First, you are actually concentrating your overall risk by reducing the eligible vendor pool. For many well-qualified vendors, your concrete set of controls are outside of their capabilities and cash-flow. The ideal ORM system provides multiple routes to vendor compliance by giving them the opportunity to choose between the standard “A” method or a “B+C” method, with higher frequency. Second, you are limiting your organization’s access to new technology and new thinking by implementing a system that compels doing business with established, legacy operators. It’s one of the biggest reasons the banking industry is in a panicked race to catch-up with RegTech and FinTech startups that have exploded on to the market recently.
Step 4 – Implement Controls:
This is where the controls are made clear to your vendor, as well as your expectations. How does your organization do this right now? In most vendor management programs, this tends to be a top-down methodology. You tell your vendor what your requirements are and when they are due. Often, this also requires you to hunt the required information or documents down – an expensive and very time-consuming task. The ideal system allows (and even encourages) your vendors to push the information to your team as it comes available.
Consider your vendor’s perspective. That single vendor may have 100+ clients demanding that compliance requirements be fulfilled through 100 separate requests at 100 distinct time in the calendar year. What if you provided your vendor the opportunity to securely pass that information to all their clients in a single push? Would they be a more willing partner in your business relationship? Absolutely.
Step 5 – Supervise and Monitor:
Operational Risk Management should be a real-time activity. If your team finds itself in the painful position of asking why a vendor-related failure occurred, you need to rethink and rebuild your vendor monitoring system. It’s the extremely rare occasion that a catastrophic failure happens out of the blue. Natural disasters aside, failure leaves clues early in the process. Your vendor monitoring system should be able to tell you when a vendor is reporting as required, when they are getting close and when material changes happen - without your team having to open a file cabinet or spreadsheet. Once you have migrated from management to monitoring in real-time, your team can see problems as they develop and make changes before the alarm bells ring.
The Next Step:
There is no turn-key product to an effective and complete ORM program. The whole team’s effort and experience is required. The team’s time is valuable – don’t waste it. You know your business, leverage that knowledge; and when the regulation load increases, there are external specialists that can get you caught up quickly. Automate where you it makes sense. Your time should be spent strengthening your vendor relationships rather than adversarial hunt for information that it often becomes. Trust Exchange will automate your vendor monitoring program where it should be, giving your team the time it needs to do the human side of your job.
· Provide your vendors options in compliance controls.
· Automate where it makes sense.
· Use a system that encourages your vendors to push you the data.
· Monitor you vendors in real-time.
· Focus your human resources where they are best utilized – relationship building.
Trust Exchange has built a platform that will do all this for you, customized and priced to your exact needs – nothing more. Ask for a demo.