News Updates by Bradley Martin


Vendor Management (the series) Part 1

Vendor Management; Vendor Risk Management; Vendor Relationship Management; Contracts Management

What’s your framework for Vendor Management?


For the last 16+ years, the Financial Industry (FI) has struggled with Vendor Management, or as it is now referred to, Third Party Management. Most institutions can cite the Office of the Comptroller of the Currency’s bulletin 2001-47, which came out in the fall of 2001, as the genesis of their program. At that time I was gleefully working as a Vendor Manager at EarthLink, Inc., an early pioneer in the Internet Service Provider space, competing with AOL and MSN for dial-up subscribers. We were knee deep in Vendor Management, as EarthLink outsourced its network, working with AT&T, Verizon and Qwest and riding on the networks of UUNet, PSINet, Genuity, Covad and Level3. Some of those names survived; most, like EarthLink, did not. I spent 11 years working a variety of jobs at EarthLink, and the bulk of that time, in fact 9+ years of it, was spent working with Vendors.

EarthLink was not mandated to have a Vendor Management department, as the FIs under regulatory supervision are today. (For the pedantic: yes, I understand there is no mandate in the guidance. However, without a department it is extremely difficult to meet your regulatory obligations.) Back in the early days of EarthLink, some considered the Vendor Management group to be part of Carrier Services (a telecom group); others saw us as Project Managers (a title we carried for some time). The problem with the Project Management title was, of course, the fact that our project never ended (no beginning, middle and end). The group at EarthLink reached its final department name as Operations Business Management (OBM), and we were Vendor Managers in OBM.
As such, we “managed” the relationships with hundreds of vendors (primarily telecom, with software and peering arrangements intermixed). We negotiated the contracts and oversaw the performance. This meant that when service was disrupted (sometimes at 3am) the Vendor Manager was called to support escalation. I would then wake up the sales and support team members of the responsible vendor. My “joke” was: if I’m up because of an outage, we’re all up until it’s fixed! In the early days, we spent a lot of time on the phone troubleshooting outages. I was a slave to my vendor contact list (which lived in my Palm Pilot / Treo). I built relationships with people with whom I am still in contact to this day.
More importantly, we learned to build and maintain a network, both figuratively and literally. The physical network we built was one we did not own, yet we had a huge reliance on it. Managing that takes a new skill set, one that we all learned on the job. There were no schools, no training or certification programs, and there were no regulations forcing us to manage our vendors, least of all to manage the vendor risk.
When EarthLink acquired a physical network, there were large debates about keeping the physical plant. However, the cost differentials were so great that in the end the choice was to continue to outsource the dial-up network. That decision may be why EarthLink no longer exists as one of the top three Internet Service Providers. It is a topic we will touch on in later chapters.
When I became involved with Contracts Management at a large financial firm in southern California, I was a bit surprised. The first thing I thought when I read OCC 2001-47 was, “Wow! The regulators have given the FIs a map to vendor management.” Frankly, it was a map we could have used in the early days at EarthLink. I dug into the regulations, starting with 2001-47 and then diving into the Federal Financial Institutions Examination Council (FFIEC) IT Handbooks. It was more than a map; it was a treasure trove of information and bullets for the negotiation gun.
In those early days, negotiations with vendors included statements like, “I have to have SLAs in the contract; the FFIEC OTS and TSP guidance says I have to have SLAs.” I used the guidance to outline contract standards, which included drafting contract boilerplate. The guidance has been the foundation for new Policy statements, with some very blatant plagiarism. It also forms the questionnaires we use with business owners and with our vendors.
Yet I still see FIs struggling with the basics. I assume the OCC felt the same way. In October 2013, the OCC issued new guidance with bulletin 2013-29, which replaced 2001-47; this was followed by the Federal Reserve Board, which issued Supervisory Letter 13-19 in December 2013. The regulators are attempting to provide more prescriptive guidance on managing Third Party / Vendor Risk. And still the FIs are not listening, at least that is the perception given the recent criticism in the FDIC OIG report issued February 15, 2017 (report no. EVAL-17-004). The report, titled “Technology Service Provider Contracts with FDIC-Supervised Institutions,” was highly critical of the contracts reviewed.
The FDIC OIG report stated there did not appear to be any evidence that the FIs gave any consideration to the impact should the vendors’ services fail. Having read the report a few times now, and thinking of my own personal experiences over the last 10 years, I think the FDIC OIG got it right.
Now, I have no doubt there are a number of readers shaking their heads and saying things like, “We have DR plans; we’ve tested those plans and even run drills with our vendors. So consideration was given; it just failed to make it into the contract. What’s the big deal?” Others are adding to that with statements like, “If we have done the work and can show we have plans in place with our vendors, what does it matter if it’s not in the contract?” But for the legally minded out there, we know that if it is not expressly stated in the agreement, it doesn’t exist as an obligation. Worse yet, what happens when your vendor cannot, or simply will not, perform against those plans? Do you have a contingency plan if your vendor becomes your competition? (Look back at EarthLink, MSN and AOL; who provides your Internet access today: AT&T or Verizon?)
This is a large gap in our management of the vendor. If you did not fight to get the business continuity and disaster recovery plans into the contract as an obligation, why do you now believe the vendor will provide anything in the event of a disaster? Further, if it was not part of a deep conversation and due diligence exercise prior to executing the agreement, you have zero assurance the vendor will lift a finger; instead they may simply claim an Act of God (force majeure event) and disclaim any further responsibility for the contract obligations.
What’s going on with your business now? The service is down hard… Customers are calling to complain. Some are now posting hate messages on social media. A few are filing complaints with the newly formed Consumer Financial Protection Bureau (CFPB). The boss is calling… asking WTF? The CIO and CTO are getting yelled at by the CEO. They are calling you, and you’ve called the vendor, and the vendor repeats, “There is nothing we can do.” And then they add, “And there’s nothing we are required to do. Sorry.”
“Well, thanks Bradley!!” you say with a large quantity of sarcasm. “I can go to bed and sleep easy now!”
So where do we start?
I think we first need to understand, “What is Vendor Management?”
Over the last 20 years, I’ve had more than a few bosses. All of them had a different idea or philosophy regarding Vendor Management. Some were very hands on, and some stayed on the periphery, scrutinizing from time to time. You know what I discovered over those 20 years? Brilliant as all those bosses were, with just one or two exceptions, Vendor Management was a secondary role for them.
If you search the Internet you might find the Gartner IT Glossary, which states that “Vendor Management is a discipline that enables organizations to control costs, drive service excellence and mitigate risks to gain increased value from their vendors through the deal life cycle.”
It goes on with a bit of a sales pitch regarding why you want to use Gartner. There are some good things in that definition, but I’d start here…
My short answer to “What is Vendor Management?” is “Vendor Management is a process!” I recognize this is a bit frustrating for the operationally minded; but just as Gartner’s definition implies, there is a discipline associated with Vendor Management, and one sentence, or even one paragraph, cannot adequately define it.
If we are going to fully understand the breadth and depth of the Vendor Management Process, or Vendor Risk Management, or Contracts Management, or Vendor Relationship Management, or whatever name you want to give it, we need to set an objective. What are we trying to do as a business? We are outsourcing a service because we either do not have the skill set, or it is too costly to do it on our own. There may be some other minor nuances, but it boils down to it being more cost effective to use a vendor. So, the purpose of Vendor Management is to ensure we are receiving the full value of the services purchased from the vendor.
Fantastic! We have a definition… “Vendor Management is a Process!!” and an Objective, which is to ensure we are receiving full value from the services we purchased.



FDIC OIG Report says FIs Lack Contracting Skills

The FDIC Office of Inspector General released a report on February 15 that is highly critical of Financial Institutions’ (FIs) lack "...of risk assessments or contract due diligence." The report stated that in the OIG’s review of Technology Service Provider (TSP) contracts with FIs, the contracts did not include critical contract provisions "to manage its own business continuity planning and incident response and reporting operations." Additionally, the report cites that the contracts did not sufficiently define key terms related to BCP and incident response. As a result, most contracts between FIs and TSPs lack assurances that the TSP "could recover and resume critical systems" and further lack obligations for the TSP to "take appropriate steps to contain and control incidents."

The FDIC OIG Report is a finding on the symptoms of a bigger problem.

From my perspective, much of the blame lies with the lack of training IT staff are given regarding contracting and risk management. Basic negotiation skills are not why we hired IT staff. Of course, the executive teams place an inordinate amount of pressure on IT staff to get it going "now!" And of course, both IT and executive management punt the contract to Legal. The Legal department, while being experts on the law, relies on the IT department to be experts in the product/service they are buying, and Legal needs the executive team to approve the spend.

The problem? NO ONE wants to look at the problem from all three perspectives at once (although it is difficult to find someone with Technology, Finance and Negotiation skills). So most FIs, under pressure from the regulators, throw "consultants" at the problem. The problem with that tactic... the majority of consultants lack any real practical experience in all three areas (book smart vs. street smart). If you've recently hired a consultant to help here, I imagine you have a lot of new policies and procedures to process. Do you feel like you are any better off? Or is the account just a few $100k lighter?

Over the last 20 years of my career I have fought this battle internally and externally. It's not easy. A good program to manage Vendor Risk and establish a full Vendor Management Program (Sourcing, Risk, Contract and Relationship) should be built into your corporate strategy (regardless of industry). Simply put, as you increase your reliance on third party services, you need to increase your capabilities to properly manage those third party services.

Again, the FDIC OIG Report is a finding on the symptoms of a bigger problem.


Director Cordray sends warning to vendors on TRID rule compliance 

Did you see this article?

Director Cordray sends warning to vendors of TRID rule compliance... 10/20/2015

If not, you should really take a look. And if you're a vendor/supplier to FIs... you really need to take a look. In short, if the vendor isn't pulling his/her weight, FIs may be forced to stop using the service. Do you have the correct contract clause to cover you? What are the termination liabilities? And to you vendors: if the CFPB tells the FI to leave, what is your recourse?



Third Party Risk Management Program

Did you inherit a program, policy or procedure and you're asking yourself where to start? (Secretly asking yourself, what the hell did I get myself into?) Are you scrambling to understand your company's eGRC platform (OpenPages, Archer, MetricStream, Rsam, etc.)? Or maybe you're just following a process that someone else put in place; you're doing it well, but have no idea why you’re doing it.

I can definitively say you are not alone. If you look at most resumes and LinkedIn profiles, and talk to HR departments, people are moving from job to job on a 3 to 5 year cycle. We're all aware the 30-year, gold-watch and pension programs are long gone. We change jobs... and maybe that's what you just did.


Now you're looking at a complex, complicated and overwhelming process. You may have a Procurement background, or you came from Legal or Contracts Management; maybe your last job was Enterprise Risk Management, or Information Security.

So, do you know your department's Purpose, Mission and Values? What are your Initiatives? Are you being asked by Managers, Executives, and HR to create SMART Goals, establish timelines, and work toward deadlines to achieve your milestones? I’m going to assume yes.

Let me help… Your program needs to cover Four Strategic Initiatives.

  • Vendor Relationship Management
  • Vendor Risk Management
  • Strategic Sourcing and Due Diligence
  • Contracts Management and Administration 

FIS Buys SunGard - Need for Vendor Simplicity?

Gary Norcross, President and CEO of FIS, made the statement yesterday, "We believe SunGard is a perfect fit." Norcross stated that big financial institutions want to deal with fewer vendors, making it an advantage to have FIS and SunGard packaged together.

What it really means is that we will have a more difficult time understanding the concentration risk factors that must now be considered. Don't get me wrong, I completely understand the desire to put all the eggs in one basket. It is simply easier to bring them to market. Plus, if I want an omelet, we don't have to go far. Oh yes... there is the old adage of having only one throat to choke when things spin out of control.

But the fact is my relationship with large, multi-product service providers is already far more complicated. Large service providers like FIS, Fiserv, Jack Henry, D&H, etc. are already internally siloed, just as Microsoft, Oracle and Cisco are on the tech side. So does it really feel like it's any easier to work with one vendor versus multiple vendors?