• Brad Smith – President, Abound Resources
– More than 20 years' experience helping community banks achieve their business goals with technology
– 500+ vendor evaluation projects in de novos to multi-billion dollar institutions
– Lead negotiator representing community financial institutions on 200+ software, hardware and outsourcing contracts valued at $150+ million
– Developed Abound’s vmRisk™ methodology
– Former Manager of Deloitte & Touche’s Community Bank Technology Consulting Practice
– Technology advisor to several industry trade associations
512-351-3700 [email protected]
Speaker
Who We Are
• Management consulting firm for the community banking industry
• We empower community financial institutions to achieve their goals. “Goals achieved. Guaranteed.”™
• Based in Austin, TX; clients in 40+ states
• Founded in 1997 by former bankers and Big 5 consultants
• 500+ software evaluations
• Vendor neutral
• Advisors average 20+ years in CFI management; lending, cash management, risk management, operations and IT
• Endorsed by IBAT, ICBM and CUNA
What We Do
Goals achieved. Guaranteed.™
Vendor management practice (RightPath™ VM)
• Vendor Evaluations
• Vendor Utilization Improvement
• Contract Negotiations
• Conversion and Implementation Services
• Ongoing Vendor Management and Risk Monitoring
• What is Vendor Management?
• Why is It Important?
• The Biggest Issues We See
• Characteristics of a Good Vendor Relationship
• Case Study
• Best Practices and How to Do It
• Tips to Save Time and Improve Risk Management
• Action Steps
Agenda
• Ensure each vendor:
– Meets your needs
– Fulfills their contracts
– Provides value to your bank
• Your goals:
– Manage the risks associated with the vendor relationship
– Improve vendor ROI, performance and accountability
What Is Vendor Management?
• It is not about getting their financials and SAS 70s
• It is not about beating them up.
• No adversarial relationships.
Lose-lose
What Vendor Management Is Not
• Reliance on vendors brings risk.
• As such, it’s a regulatory hot button that will only get hotter
• ROI, service levels and performance issues
Why Is It Important?
• Vendor doesn’t provide the expected service due to bankruptcy, business interruption, etc.
• Buying something that doesn’t meet your needs or performs unsatisfactorily
• Vendor without proper security causing financial or reputational loss
• Ambiguous expectations: delayed implementations, inefficient operations, extra costs, potential losses, customer impact
• Give up legal protections
Why It’s Important – Vendor Risks
• IT is now the second largest non-interest expense in community banks
• Community banks typically use less than 50% of their paid-for functionality
• Poor vendor management (both IT and non-IT vendors) has a direct effect on the bank’s ROI
– Decreased efficiencies
– Inability to offer products and services
– Negative impact on customer service
Why It’s Important – Service Levels/Performance Issues
“Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”
FFIEC
Why It’s Important – Regulatory Issues
Resources
• FFIEC http://ithandbook.ffiec.gov/it-booklets.aspx
• FIL-105-2007 http://www.fdic.gov/news/news/financial/2007/fil07105.html
• FIL-81-2000 http://www.fdic.gov/news/news/financial/2000/fil0081.html
• Section 501(b) of GLBA http://www.fdic.gov/news/news/financial/2001/fil0168.html
• Outsourcing Technology Services http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx
• FDIC’s Effective Practices for Selecting a Service Provider http://www.fdic.gov/news/news/financial/2001/fil0150b.html
General expectations
• Vendor management policy
• Vendor risk assessments at time of purchase and ongoing
• Vendor due diligence at time of purchase and ongoing
• Suggest Service Level Agreements (SLAs)
Why It’s Important – Regulatory Expectations
Vendors
• Over promise and under-deliver
• No service level guarantees
• Finger pointing - integration and interface issues
• Sell and forget
• Don’t provide due diligence info
Banks
• Weak selection process (buying based solely on a demo, no consensus)
• Over-reliance
• Not holding vendors accountable
• Not holding themselves accountable
• Buy and forget
The Biggest Issues We See
They
• Pro-actively contact you beyond error resolution and new sales
• Look for ways to increase utilization
– Annual utilization study
– Report of support calls
– Personalized updates of new enhancements
• They look for ways to reduce costs
You
• Hold them accountable
• Hold yourselves accountable
• Include them occasionally in IT Steering Committee meetings
• Get their input into your strategic technology plan
• Are active in their users group
• Work together for BRP testing
Characteristics of a Good Vendor Relationship
Case Study Exercise
• Discuss TriView’s Suppliers and Partners
• Identify Your Bank’s Suppliers and Partners
• Simple Risk Assessment for TriView
• Simple Risk Assessment for Your Bank
• Discuss Your Bank’s Due Diligence Requirements
• Discuss Your Bank’s Contract Points
Four Phases
1. Vendor Selection
2. Contract Negotiations
3. Implementation
4. Ongoing Optimization and Vendor Management
Amount of Leverage You Have
How to Do It
“Vendor management begins before the purchase”
• Every bank needs a good vendor selection methodology. Build it into your Purchasing Policies.
• For larger/complex purchases, consider a structured, objective process that puts you in charge:
– Needs analysis
– RFI/RFP
– Demos
– Due diligence
– Finalists
– Vendor selection
Selecting the Right Vendor
• Define scope of services, products and responsibilities – No gray areas!
• Regulatory guarantees, notification of security breaches, participation in BRP, SAS 70 and financial reports, etc.
• SLA specifications with incentives/disincentives
• Protect your interests; use outside counsel or a consultant on big purchases
• Orderly conversion
• Regular meetings
Contract Negotiations
Contract Negotiations - SLAs
• An SLA is a formal negotiated agreement between the bank and its service provider. It may also be a three-party agreement that includes multiple providers.
• It records the common understanding about:
– Services to be provided
– Priorities
– Responsibilities
– Performance guarantees
• The main purpose is to agree on the level of service and the associated incentives/disincentives for meeting those responsibilities.
• SLA Exercise – EFT Services and lost revenue
• Poor implementation is nearly impossible to recover from
• Clear roles – typically they install or convert, you implement
• For software, don’t forget process redesign
• Project Management Best Practices
• Establish adequate system controls
• Segregated duties and dual controls
Implementation
• Put it on your IT Steering Committee Calendar
• Keep tabs on financial health of vendor
• Periodically review vendor performance
• Participate in user groups and band together
• Review invoices
• Identify vendor interdependencies/BRP testing
• Review vendor’s SAS 70 annually
• Assign “owners” for each system
Ongoing Optimization and Vendor Management
Highlights from Abound Resources’ 2010 Vendor Management Survey
• Generally satisfied but believe vendor management will rise in priority in next 24 months
• Time is the biggest challenge
• Inconsistent process
• Manual, labor intensive process
• Lack of executive and Board-level oversight
Source: Abound Resources’ 2010 Vendor Management Survey
Time Saving Tip 1: Standardize vendor evaluation criteria
Benefits
• Financial benefits
• Product functionality
• Technical considerations
• Service and support
• Vendor strengths
Cost
• Total 5 year costs
• Capital costs
• Ongoing expenses
Risk
• General vendor risk
• Financial risk
• Contractual risk
• SAS 70 risk
• BCP risk
Note: For illustration only
Tip 2: Agree on Evaluation Processes, When to Use
Purchase Price | Risk Rating Tier | Evaluation Method
High           | 1                | Full RFP
High           | 2                | Full RFP
High           | 3 or 4           | Short RFP
Med            | 1                | Full RFP
Med            | 2                | Full or Short RFP
Med            | 3 or 4           | Short RFP
Low            | 1                | Short RFP
Low            | 2                | Short RFP or 2 Bid RFI
Low            | 3 or 4           | 2 Bid RFI
Note: For illustration only
Vendor Risk Management Conceptual Flow
• Vendor Risk Assessment
• Due Diligence Requirements
• Report of Adjusted Risk
• Due Diligence Review
Note: For illustration only
Tip 4: Use a 4 Tiered Risk Rating
Four-tiered Risk Assessment Approach
Three-tiered Risk Rating
Result? 107 fewer documents to request, gather, review and base recommendations from
Best Practices for Running Your Program
• Business decision, not “just a compliance issue”
• Less is more
• Don’t get lost in the weeds
• Standards and checklists
• Simple, visually effective report
1. Inventory your vendors and contracts
2. Assign an internal owner for each vendor relationship
3. Start tracking vendor issues
4. Grade your vendors on performance
5. Update purchasing policy and adopt a selection methodology
6. Build standard language for all contracts
7. Set a date for presenting Vendor Management updates to IT Steering Committee
Action Steps
• Vendor management begins before the purchase
• Hold each other accountable – it’s really “relationship management”
• Regulatory scrutiny will increase but do it for business reasons
Conclusion
How We Might Be of Help
• Vendor management:
– Vendor management policies and programs
– Vendor due diligence gathering and evaluation
– Vendor evaluation/selection
– Vendor utilization improvement
– Vendor contract negotiations
– Vendor conversion and implementation assistance
• Risk Management and Compliance
– ERM Assessments and Plans
– Risk Management Best Practice Reviews
– IT Audits, Security Assessments
– BSA/AML Reviews, Programs
– Loan Review
– Credit Risk Management Best Practices Review
– Troubled bank assistance
Please contact:
Brad Smith, President, [email protected], 512-351-3700
Ryan Esquell, VP of Sales, [email protected], 512-351-3702