Friday, May 19, 2017

Vendor Management (the series) Part 1

Vendor Management; Vendor Risk Management; Vendor Relationship Management; Contracts Management

What’s your framework for Vendor Management?


For the last 16+ years, the financial industry (FI) has struggled with Vendor Management, or, as it is now referred to, Third Party Management. Most institutions can cite the Office of the Comptroller of the Currency’s bulletin 2001-47, which came out in the fall of 2001, as the genesis of their program. At that time I was gleefully working as a Vendor Manager at EarthLink, Inc., an early pioneer in the Internet Service Provider space, competing with AOL and MSN for dial-up subscribers. We were knee deep in Vendor Management, as EarthLink outsourced its network, working with AT&T, Verizon and Qwest and riding on the networks of UUNet, PSINet, Genuity, Covad and Level3. Some of those names survived; most, like EarthLink, did not. I spent 11 years working a variety of jobs at EarthLink, and the bulk of that time, in fact 9+ years of it, was spent working with vendors.

EarthLink was not mandated to have a Vendor Management department, unlike the FIs under regulatory supervision today. (For the pedantic: yes, I understand there is no such mandate in the guidance. However, without a department it is extremely difficult to meet your regulatory obligations.) Back in the early days of EarthLink, some considered the Vendor Management group to be part of Carrier Services (a telecom group); others saw us as Project Managers (a title we carried for some time). The problem with the Project Management title was, of course, the fact that our project never ended (no beginning, middle and end). The group at EarthLink reached its final department name as Operations Business Management (OBM), and we were Vendor Managers in OBM.

As such, we “managed” the relationships with hundreds of vendors (primarily telecom, with software and peering arrangements intermixed). We negotiated the contracts and oversaw the performance. This meant that when service was disrupted (sometimes at 3am) the Vendor Manager was called to support escalation. I would then wake up the sales and support team members of the responsible vendor. My “joke” was: if I’m up because of an outage, we’re all up until it’s fixed! In the early days, we spent a lot of time on phones troubleshooting outages. I was a slave to my vendor contact list (which lived in my Palm Pilot / Treo). I built relationships with people with whom I am still in contact to this day.

More importantly, we learned to build and maintain a network, both figuratively and literally. The physical network we built was one which we did not own, yet we had a huge reliance on it. That takes a new skill set, one that we all learned on the job. There were no schools, no training or certification programs, and there were no regulations forcing us to manage our vendors, least of all to manage the vendor risk.

When EarthLink acquired a physical network, there were large debates about keeping the physical plant. However, the cost differentials were so great that, in the end, the choice was to continue to outsource the dial-up network. That decision may be why EarthLink no longer exists as one of the top three Internet Service Providers. That’s a topic we will touch on in later chapters.
---
When I became involved with Contracts Management at a large financial firm in southern California, I was a bit surprised. The first thing I thought when I read OCC 2001-47 was, “Wow! The regulators have given the FIs a map to vendor management.” Frankly, a map we could have used in the early days at EarthLink. I dug into the regulations, starting with 2001-47 and then diving into the Federal Financial Institutions Examination Council (FFIEC) IT Handbooks. It was more than a map; it was a treasure trove of information and bullets for the negotiation gun.

In those early days the negotiations with vendors included statements like, “I have to have SLAs in the contract; the FFIEC OTS and TSP guidance says I have to have SLAs.” I used the guidance to outline contract standards, which included drafting contract boilerplate. Guidance has been the foundation for new Policy statements, with some very blatant plagiarism. It also forms the questionnaires we use with business owners and with our vendors.

Yet I still see FIs struggling with the basics. I assume the OCC felt the same way. In October 2013, the OCC issued new guidance with bulletin 2013-29, which replaced 2001-47; this was followed by the Federal Reserve Board, which issued Supervisory Letter 13-19 in December 2013. The regulators are attempting to provide a bit more prescriptive guidance on managing Third Party / Vendor Risk. And still the FIs are not listening, at least that’s the perception given the recent criticism in the FDIC OIG report issued February 15, 2017 (report no. EVAL-17-004). This report, titled “Technology Service Provider Contracts with FDIC-Supervised Institutions,” was highly critical of the contracts it reviewed.

The FDIC OIG report stated that there did not appear to be any evidence the FIs gave any consideration to the impact should the vendors’ services fail. Having read the report a few times now, and thinking of my own personal experiences over the last 10 years, I think the FDIC OIG got it right.

Now, I have no doubt there are a number of readers shaking their heads and saying things like, “We have DR plans; we’ve tested those plans, and even run drills with our vendors. So consideration was given; it just failed to make it into the contract. What’s the big deal?” Others are adding to that with statements like, “If we have done the work and can show we have plans in place with our vendors, what does it matter if it’s not in the contract?” But for the legally minded out there, we know that if it is not expressly stated in the agreement, it doesn’t exist as an obligation. Worse yet, what happens when your vendor cannot, or simply will not, perform against those plans? Do you have a contingency plan if your vendor becomes your competition? (Look back at EarthLink, MSN and AOL; who provides your Internet access today, AT&T or Verizon?)

This is a large gap in our management of the vendor. If you did not fight to get the business continuity and disaster recovery plans in as part of the contract obligations, why do you now believe the vendor will provide anything in the event of a disaster? Further, if it was not part of a deep conversation and due diligence exercise prior to executing the agreement, you have zero assurance the vendor will lift a finger; instead they may simply claim an Act of God (force majeure event) and disclaim any further responsibility under the contract obligations.

What’s going on with your business now? The service is down hard. Customers are calling to complain. Some are now posting hate messages on social media. A few are filing complaints with the newly formed Consumer Federal Protection Bureau (CFPB). The boss is calling, asking WTF? The CIO and CTO are getting yelled at by the CEO. They are calling you, and you’ve called the vendor, and the vendor repeats, “There is nothing we can do.” And then they add, “And there’s nothing we are required to do. Sorry.”
---
“Well, thanks Bradley!!” you say with a large quantity of sarcasm. “I can go to bed and sleep easy now!”

So where do we start?

I think we first need to understand, “What is Vendor Management?”

Over the last 20 years, I’ve had more than a few bosses. All of them had a different idea or philosophy regarding Vendor Management. Some were very hands on and some stayed on the periphery, scrutinizing from time to time. You know what I discovered over the last 20 years? Brilliant as all those bosses were, with just one or two exceptions, Vendor Management was a secondary role for them.

If you search the Internet you might find the Gartner IT Glossary, which states that “Vendor Management is a discipline that enables organizations to control costs, drive service excellence and mitigate risks to gain increased value from their vendors through the deal life cycle.” (www.gartner.com/it-glossary/vendor-management)

It goes on with a bit of a sales pitch regarding why you want to use Gartner. There are some good things in that definition, but I’d start here…

My short answer to “What is Vendor Management?” is “Vendor Management is a process!” I recognize this is a bit frustrating for the operationally minded, but, just as Gartner’s definition implies, there is a discipline associated with Vendor Management that one sentence, or even one paragraph, cannot adequately define.

If we are going to fully understand the breadth and width of the Vendor Management process, or Vendor Risk Management, or Contracts Management, or Vendor Relationship Management, or whatever name you want to give it, we need to set an objective. What are we trying to do as a business? We are outsourcing a service because we either do not have the skill set, or it is too costly to do it on our own. There may be some other minor nuances, but it boils down to it being more cost effective to use a vendor. So the purpose of Vendor Management is to ensure we are receiving the full value of the services purchased from the vendor.

Fantastic! We have a definition, “Vendor Management is a process!!”, and an objective, which is to ensure we are receiving full value from the services we purchased.
