The Vendor Management Disconnect: Why Credit Unions are Unhappy with their Vendor Management Program


Results from Abound Resources 2010 Survey: Vendor Management in Credit Unions

Table of Contents

Executive Summary
Survey Results
  How Credit Unions View Vendor Management
    Importance High, Satisfaction Low
    Biggest Challenge? Time
    Improving Vendor Management
  Vendor Management Program Components and Structure
    What's Critical?
    Who's in Charge?
  Vendor Management for New Purchases
    Measuring Risk and Cost
    Types of Due Diligence
    You Buy It, You Perform Due Diligence
  Ongoing Vendor Management Focused on Risk
    Types of Due Diligence
    Responsibility Shifts
    Frequency of Ongoing Due Diligence
Conclusion
About Abound Resources
About Abound Resources Vendor Management Practice
Abound's Free Resource Library

Executive Summary

Abound Resources, in partnership with the Credit Union National Association (CUNA), surveyed credit unions about their vendor management program structure and processes, implementation challenges, and program satisfaction. The survey results confirm what we see in our credit union consulting practice: Credit unions are struggling with vendor management. Even though vendor management is considered critical to their organization, credit union executives in charge of vendor management are not very satisfied with their current vendor management program. To add insult to injury, credit union executives report that they spend too much time on an unsatisfactory program.

Among our findings:

While 93% of credit unions believe vendor management will be an urgent or very important priority over the next 24 months, 33% of executives in charge of vendor management are dissatisfied with their programs.

Credit union executives cite lack of time as the biggest challenge in vendor management. It's no wonder: executives charged with vendor management (CFOs, COOs, CIOs and Compliance Executives) spend 27% of their time dealing with vendor management issues while other executives not directly responsible for vendor management spend an additional 11% of their time on vendor management issues, costing credit unions an average of $42,000 per year in lost time.

Many credit unions do not consistently assess vendor risk and therefore do not apply the same vendor management process to all vendors. They waste time on low-risk vendors and don't spend enough time on high-risk vendors.

Vendor management remains a manual, labor-intensive process, even for credit unions using vendor management software.

Vendor management suffers from a lack of executive and board-level oversight since it is viewed as a compliance issue rather than an opportunity to provide value to the organization.
New regulations and an increasingly complex environment with multiple vendors will only add to the amount of due diligence and ongoing monitoring that credit unions will need to perform. In other words, vendor management is not going to get any easier on its own. Credit unions must make significant changes to their programs in order to spend less time on low-value vendor management tasks yet more effectively manage vendor risks and costs.

Based on both our survey results and on our experience working with credit unions, those credit unions that report the most satisfaction with their vendor management programs employ the following best practices:

They take a less-is-more approach and prioritize vendors and applications based on costs, benefits and risks at the institutional rather than the departmental level.

They focus most of their time on the most critical vendors.

They do not get lost in the details of tracking the status of due diligence document requests but rather they stay focused on managing vendor risk. For example, rather than spending time tracking down financial statements on low risk vendors, they use their time analyzing the financial statements of their highest risk vendors.

They apply a standardized, consistent vendor management process.

They rank vendors and applications using a four-tier rather than three-tier risk assessment system that allows them to more accurately stratify risk levels and minimize time spent on low risk vendors.

They understand that effective vendor management goes beyond complying with regulatory guidance. While regulators focus on vendor risk management, savvy executives build a program that focuses on improving vendor benefits, minimizing vendor costs and managing vendor risk. Best practices among credit unions address all three legs of the stool (benefit, cost and risk).

They present a concise board report that summarizes their process, highlights the cost, benefits and risks, and recommends the risk mitigation steps to take.

What is Vendor Management?

For many credit unions, vendor management equates to gathering vendors' SAS 70s and financials. But vendor management encompasses much more than due diligence document gathering. Abound Resources views vendor management as an ongoing process of improving the cost, benefit and risk dynamics of vendor relationships to maximize the return on your vendor investments. While the examiners focus primarily on mitigating vendor risks (and risk management is important), effective vendor management must also ensure that vendor costs are known and managed and that vendors deliver on the promised benefits and fulfill their contractual obligations.

Survey Results

How Credit Unions View Vendor Management

Importance High, Satisfaction Low

Vendor management, while important to credit unions today, will become even more important tomorrow. When asked to rank the importance of vendor management to their CEO, third-party auditor, regulatory examiner and themselves, the majority of credit union respondents say that vendor management is either very important or urgent and will increase in importance in the next 24 months.

However, there's a disconnect between how credit union executives view vendor management and how successful they are in actually addressing vendor management issues. Even though they say that vendor management is important or urgent, most credit union executives in charge of vendor management are not very satisfied with their vendor management program.

Biggest Challenge? Time

Why are so many executives in charge of vendor management unhappy with their vendor management program? Although they cite a wide variety of reasons for a less-than-stellar vendor management function, the majority of credit union executives report that their biggest impediment to successful vendor management is finding the time to do what is required. Said one credit union executive, "We just don't have the time to keep up with this." Another lamented that the vendor management program is enormous. One respondent noted, "We can't get everyone to complete their tasks."

Credit union executives are right: they are spending too much time on vendor management. Those executives responsible for vendor management (CFOs, COOs, CIOs and Compliance Executives) spend more than one-quarter (27%) of their time dealing with vendor management issues. Other executives involved in vendor management report spending 11% of their time dealing with these issues. In lost time alone, vendor management costs credit unions $42,000 per year.

Improving Vendor Management

Other than adding more hours to the day, credit union executives cite automation, better processes, and vendor cooperation as ways to improve vendor management. Some called for standardizing processes, such as using an assessment tool to score vendor importance and risk. One pleaded with vendors to provide a nice, neat package that's easy to access and review. Others wanted dedicated vendor management resources, whether internal or external.

Vendor Management Program Components and Structure

What's Critical?

Technology vendors still account for the majority of vendors in credit union vendor management programs. When asked to rank a variety of technology applications, executives said that core processing is their most critical or high-risk application and CRM their least critical. Although credit union executives recognize that, for example, a core processing vendor declaring bankruptcy would have the potential to seriously disrupt their operations whereas the bankruptcy of their CRM vendor would have less of an impact, many credit unions perform the same vendor management tasks on both their core and CRM vendors rather than focusing their limited time and resources on managing their most critical vendors.

Who's in Charge?

Credit unions tend to name a single executive as the primary owner of the vendor management program, with 81% naming either the IT, compliance, operations or finance and accounting executive as responsible for program results. Increasing regulatory pressure has spurred credit unions to include all vendors rather than just technology vendors in their programs. As a result, many have moved ownership of vendor management from IT to the compliance executive.

However, the compliance executive is frustrated: he or she may be responsible for vendor management but program execution is spread throughout the credit union. For example, the lines of business often request vendor purchases and manage day-to-day vendor relationships. IT typically owns the relationship with hardware, network and other infrastructure vendors and has some operational responsibilities for application vendors. The CFO and/or in-house counsel often have responsibility for negotiating contracts.

One of the unintended consequences of having so many departments involved is a nonstandardized vendor risk assessment. When each department performs its own vendor risk assessments, it tends to rate its vendors as more critical to the institution even though the vendor may only be critical to that department. This results in a high number of critical vendors and a growing volume of due diligence requirements.

Interestingly, credit unions with committee (IT Steering, Audit Committee, etc.) rather than individual ownership of vendor management reported higher program satisfaction, which is likely due to a more holistic view of risk and better interdepartmental cooperation. We recommend that institutions with an executive in charge of vendor management still include IT Steering, Audit, Management or other designated committees in their vendor management program.

Regulatory guidance clearly states that vendor management programs have board-level visibility, yet our experience is that this rarely occurs except for large purchases. If ongoing vendor monitoring results are reported to the board, they are typically buried in the IT Steering Committee minutes. CEOs are often reluctant to share the spreadsheets and due diligence documentation with the board (no board member wants to read a 40-page SAS 70 report), but a better, board-focused report that includes easy-to-understand charts with red, yellow and green risk indicators can solve this problem.

Vendor Management for New Purchases

Measuring Risk and Cost

No organization has unlimited time or resources, so it makes sense that credit unions would focus their due diligence efforts on those vendor purchases that cost the most and involve the most risk. The majority (40%) use a combination of risk and cost to determine whether or not formal due diligence makes sense.

Even those credit unions that assess vendor or application criticality to determine which vendor management activities to perform often group too many vendors into the high risk category. We recommend that credit unions use a four-tier approach to categorizing vendors: high risk, medium high risk, medium risk and low risk. The four-tier, rather than the typical three-tier approach, enables credit unions to lessen their vendor management burden yet still appropriately mitigate the risk of their most critical vendors and applications.

The following are the results of a $170 million credit union moving from a three-tier to a four-tier approach. The decrease in the volume of due diligence documentation gathered is significant.

Types of Due Diligence

The most common due diligence credit unions perform for critical or high-risk purchases is requesting financial statements (89%), followed by vendor reference checks (84%) and requiring proof of insurance (74%). The least likely due diligence credit unions perform on these purchases is reviewing (21%) and testing the vendor's business resumption plan (9%), although 66% request to see the plan. This begs the question: Why bother to request the plan if you aren't going to review it or test it?

In another case of "why bother," although 89% request financials from critical or high-risk vendors, only a third (33%) actually review those financials. The culprit, once again we believe, is lack of time. Not only does requesting documents you are not going to review waste time, but also you are creating a policy exception that exposes your credit union to audit and examination scrutiny.

You Buy It, You Perform Due Diligence

Even though the compliance department often has ultimate responsibility for vendor management, respondents report that compliance is unlikely to be involved in the initial vendor due diligence on new purchases. At many credit unions, the department requesting the purchase performs the due diligence. This often results in inconsistent due diligence since each department will perform due diligence differently.

Ongoing Vendor Management Focused on Risk

When it comes to ongoing vendor management, credit unions don't apply that same cost vs. risk process to determine the due diligence requirements as they do for new purchases. Although 40% of credit unions report that they perform initial due diligence based on cost and risk assessments, only 16% conduct ongoing vendor monitoring using the same cost/risk criteria. Almost one-quarter (23%) simply monitor all vendors on an ongoing basis.

Types of Due Diligence

Likewise, the priority of due diligence documents for ongoing review is different than for initial purchase. Financial statements and proof of insurance coverage remain a high priority, but the two highest priorities for existing vendor review is reviewing the vendor's performance. We were pleasantly surprised that 89% of credit unions compare vendor performance to service level agreements (SLAs). That is significantly higher than our consulting experience would suggest, so we assume this has been a very recent focus area for examiners. Regardless of the reasons, we are pleased to see those numbers as SLA management is the single best way to hold vendors accountable after the sale.

Responsibility Shifts

It's interesting that responsibility for ongoing due diligence shifts to the IT and compliance departments once the purchase is complete. The compliance department is involved in only 14% of vendor due diligence for new purchases, but is responsible for one-third (33%) of ongoing monitoring. While only 14% of credit unions engage the IT department in new purchase due diligence, 27% rely on the IT department to perform ongoing due diligence.

While it can make sense in some credit unions to assign ongoing vendor management to the compliance department, credit unions must overcome the unintended consequence that vendor management becomes a compliance issue that does not receive the executive and board-level focus it needs to be successful. Also, since the compliance department naturally focuses on compliance risk, the credit union runs the risk of ignoring the other two legs of the stool: the cost and benefit aspects of vendor management. If your program sails through exams but you spend 15% more money than you need to with your vendors and achieve 20% less benefit than expected, your vendor program has failed.

Frequency of Ongoing Due Diligence

Most credit unions perform vendor due diligence at least once a year, with half saying that due diligence is an ongoing process. Thankfully, very few (3%) responded that they only perform vendor due diligence when the examiners or auditors are knocking on the door.

Conclusion

Many credit union executives view vendor management as an overwhelming task that has to be done to keep the examiners and auditors at bay. And at many credit unions, vendor management has become an unwieldy, frustrating, and time-consuming process driven by compliance and audit fears. By focusing only on compliance and applying the same vendor due diligence to all vendors, credit unions are indeed spending too much time for too little benefit.

Even making a few changes to the vendor management program, such as moving to a four-tier risk assessment and creating board-level vendor management reports, can reap big rewards. Vendor management done well has a direct impact on IT ROI, increases efficiencies throughout the organization, and improves the credit union's ability to offer products and services needed to provide excellent member service.

About Abound Resources

Abound Resources helps credit unions grow, become more efficient and make the right technology decisions Guaranteed. Whether evaluating a core processor, improving the new account process, negotiating technology contracts, streamlining processes, or improving vendor management, Abound Resources offers both advisory services and web-based solutions that can meet most any need and budget.

For more information, please contact: Deirdre Grubbs, Marketing Manager dgrubbs@aboundresources.com or

About Abound Resources Vendor Management Practice

Abound's vendor management practice approaches vendor decisions just like any other business decision. The right decision includes an evaluation of benefits, costs and risks. RightPath for Vendor Management, or RightPath VM, helps credit unions improve vendor performance, lower vendor costs and manage vendor risks through:

Vendor Evaluations
Abound provides an objective process and an independent advisor to walk your team through a comprehensive evaluation of your most critical applications including core, EFT, Internet banking, etc. Abound will get you to the right decision and will build credit union-wide consensus for the decision.

Vendor Utilization Improvement
Abound's diagnostic tool shows that, on average, credit unions only use about 42% of their vendor's functionality. Why pay 100% when you use only 42%? Abound will both improve utilization and lower vendor cost to dramatically improve the return on your vendor investment.

Contract Negotiations
Acting on your behalf, Abound will use its experience and proprietary vendor pricing database to negotiate significant cost savings and build in more favorable terms and conditions to improve vendor performance and lower vendor risk.

Conversion and Implementation Services
Most credit union vendors have a proven process for converting data and training your key people. Abound will help with everything else including member communication and process improvement/parameter design to maximize the new functionality and will serve as the general contractor to keep all your vendors on track.

Ongoing Vendor Management and Risk Monitoring
Abound's newest service helps credit unions manage vendor risk and meet vendor management regulatory guidelines. Through its proprietary process and tools, Abound will dramatically reduce the time you spend on vendor management while providing a smart, objective, repeatable and defensible program that will meet or exceed regulatory guidelines. Its flagship product is the vmriskreport which provides an objective review and risk score (similar to a credit score) to highlight concerns and recommend mitigation strategies to lower your risk.

Abound's Free Resource Library

GROWTH
5 Secrets to Successful Online Account Opening and Online Lending Is Mobile Banking, Online Lending, or Other Alternative Channels Right for Your Institution 4 Keys to Streamlining Loan Origination: Faster Turnaround Times and Lower Application Costs Tired of Giving It Away? 5 Keys to Payments Profitability Remote Deposit Capture Best Practices in Pricing and Deployment

EFFICIENCY AND COST SAVINGS
The Right Way to Efficiency Improvements: Improving the Bottom-line AND the Customer Experience 5 Keys to Improving Your Efficiency Ratio This Year Where to Find Technology Cost Savings Right Now (and How to Budget for 2010) 7 Tips to Negotiating Win-Win IT Contracts

TECHNOLOGY
Maximizing IT ROI: 6 Keys to Successful Technology Planning and Budgeting 5 Keys to Selecting The Right Core System 4 Critical Mistakes to Avoid in Core System Evaluations 7 Pitfalls to Avoid When Buying New Technology Are You Wasting 20% of Your Technology Budget? 3 Keys to Improving Core Utilization Technology Utilization: If You're Only Using 50% of Your Technology, Why Are You Paying for 100% Vendor Management Best Practices

GENERAL INFORMATION
I'd like a proposal for your services Have someone call me An Overview of Abound Resources

Gain library access at Or fax this page to: (512) resources to: