How To Build a Robust Vendor Risk Management (VM) Process

Jan 16, 2019

In an age of ever-increasing demands by customers for more of everything – more products, more services, more convenience – businesses often find themselves struggling to keep up. Credit unions are no exception. Members increasingly demand more lending options, more sophisticated financial services, and more convenient ways of accessing and transferring funds. Credit unions continually strive to meet these demands, but at some point it becomes apparent that assistance is needed. That is when most credit unions make the leap to outsourcing a portion of their operations to third-party vendors.

The relief that comes from partnering with a competent, trustworthy vendor is real. But along with that relief comes the risk inherent in handing a portion of your daily operations to an entity that operates outside your organization and outside your direct control. How, then, does one go about balancing this risk against the benefits received?

The Risk Balancing Act

This is where a good vendor risk management (VM) program enters the picture. A robust VM process ensures that your credit union receives the assistance needed to meet member demands and grow the business, while making sure the organization is not unnecessarily exposed to the risks inherent in working with a third party. A good VM process provides a structured way to evaluate, track, and measure third-party risk and performance. It also provides a means of responding to adverse circumstances should they arise, and a way to disseminate all of this information throughout the organization. And perhaps most importantly, it helps you select the right vendor to begin with.

Creating an effective VM process requires a targeted focus on risk. Most experts agree that the best VM programs are designed to integrate with internal governance and appetite for risk. Credit unions that are considering outsourcing but are not sure how to get started may want to start with the following steps from the experts at Rochdale Paragon Group.

Determine risk appetite and risk tolerance. A strong VM process takes the credit union’s overall appetite and tolerance for risk into consideration. By understanding where the organization stands on risk tolerance and risk appetite, managers are better able to seek out vendors that fit within those guidelines. Risk appetite assessment surveys are useful tools for this step. These assessments establish the amount of risk that management and the board are comfortable with, as well as the amount and types of risk the organization is willing to take on to meet strategic and financial goals. Without this first step, the choice of vendors is left too much to chance.

Start the RFP process. Once you’ve compiled a list of potential vendors, determine the inherent risk of outsourcing the function in question (for example, whether the vendor will handle member data or financial information) so that the scope of your review addresses the applicable risks. A request for proposal (RFP) can then be created and sent to your top vendor candidates. The RFP will help you determine which vendors have what you need to fill the operational gaps in the organization. Vendors that are interested in doing business with you will complete the RFP, answering questions about their products, processes, capabilities, and more. This gives you the ability to compare and contrast the competing vendors as the responses come back in.

Some vendors, however, attempt to short-change the RFP process, and Rochdale Paragon can help here as well. Our team can help you obtain the due diligence information you need to make an informed decision, not just the cookie-cutter information the vendor prefers to provide.

Perform due diligence and a risk assessment. Once the RFP responses have been gathered, perform due diligence on the top candidates. Check references, look for reviews from others within the industry, obtain from the vendor the assurance documentation you require, and look for publicly available information that can inform the decision.

You should also perform a risk assessment on each potential vendor and assign a risk score. Use a consistent scale that places each vendor in a Critical, High, Medium, or Low risk tier, so that vendors are scored against the same criteria rather than by gut feel. Once all potential vendors have been scored, rank them in the order that best fits your organization, weighing the risk scores against your overall risk tolerance and risk appetite as well as each vendor’s ability to deliver the products or services you lack. Request more detailed information from any vendor scored Critical or High. It is important to understand how these vendors operate in a crisis and what steps they take proactively to protect a partner’s assets, such as member data or financial information.

Choose the vendor that best fits your needs and tolerance for risk. Once you’ve completed your due diligence, choose the vendor that can provide what you need at the lowest reasonable risk level. Ensure that all paperwork, such as contracts and NDAs, has been reviewed by legal counsel, then signed and countersigned before any work begins.

Engage in ongoing oversight and assessment. Once the new vendor is in place, put processes in place for continuous monitoring and assessment. Create metrics against which to measure competency and delivery of the promised products or services. Define triggers that flag potential issues as they arise, such as missed delivery metrics, and make sure you are gathering information from everyone in the organization who interacts with the vendor on a regular basis. Compile all of this information in one place that is easily accessible to anyone who needs it, including regulators.

You’ll also need to periodically re-assess each vendor. The frequency of re-assessment should increase as vendor criticality increases, and the re-assessment involves obtaining much of the same information required during the initial vendor evaluation. Again, Rochdale Paragon can help manage vendors on an ongoing basis and ensure the necessary information is obtained for each level of vendor risk.
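The scoring, ranking, and re-assessment steps above are easier to apply consistently when the scale is written down. The following is an added example for this article, not Rochdale Paragon Group’s or apogee iQ’s scoring model: it rates each candidate on a few inherent-risk factors, credits verified controls to arrive at a residual score, maps both scores to the Critical/High/Medium/Low tiers, and derives the enhanced due diligence flag and re-assessment cadence from the inherent tier. The factor names, weights, thresholds, control credit, cadences, and sample vendors are all assumptions chosen for illustration and should be replaced with figures that reflect your own risk appetite.

```python
"""Illustrative vendor risk scoring, tiering and re-assessment cadence.

Added example for this article; it is not Rochdale Paragon Group's or
apogee iQ's scoring model. The factor names, weights, thresholds,
control credit and cadences below are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Inherent-risk factors, each rated 1 (low) to 5 (high) during due diligence.
# Weights are assumed; they should reflect the credit union's own risk appetite.
INHERENT_FACTORS = {
    "data_sensitivity": 0.35,         # member PII / financial data handled by the vendor
    "operational_criticality": 0.30,  # would an outage halt a member-facing service?
    "system_access": 0.20,            # network or privileged access into your systems
    "substitutability": 0.15,         # how hard is it to replace the vendor?
}

# Inclusive lower bounds mapping a 1..5 score to a tier (assumed thresholds).
TIER_THRESHOLDS = [(4.0, "Critical"), (3.0, "High"), (2.0, "Medium"), (0.0, "Low")]
TIER_ORDER = ["Low", "Medium", "High", "Critical"]

# Re-assessment cadence in months, driven by inherent tier (criticality).
REASSESS_MONTHS = {"Critical": 6, "High": 12, "Medium": 24, "Low": 36}

# Maximum fraction of inherent risk that verified vendor controls may offset.
# Controls reduce residual risk; they never change what the vendor touches.
CONTROL_CREDIT = 0.4


@dataclass(frozen=True)
class Vendor:
    name: str
    ratings: dict            # factor name -> rating 1..5
    control_strength: float  # 0.0 (no evidence of controls) .. 1.0 (strong, verified)


def validate(vendor: Vendor) -> None:
    """Reject incomplete or out-of-range inputs rather than silently scoring them."""
    missing = set(INHERENT_FACTORS) - set(vendor.ratings)
    if missing:
        raise ValueError(f"{vendor.name}: unrated factors {sorted(missing)}")
    for factor, rating in vendor.ratings.items():
        if factor not in INHERENT_FACTORS or not 1 <= rating <= 5:
            raise ValueError(f"{vendor.name}: bad rating {factor}={rating}")
    if not 0.0 <= vendor.control_strength <= 1.0:
        raise ValueError(f"{vendor.name}: control_strength must be within 0..1")


def inherent_score(vendor: Vendor) -> float:
    """Weighted average of the factor ratings, on the same 1..5 scale."""
    validate(vendor)
    return round(sum(vendor.ratings[f] * w for f, w in INHERENT_FACTORS.items()), 2)


def residual_score(vendor: Vendor) -> float:
    """Inherent risk less the credit earned by verified controls (never below 1.0)."""
    inherent = inherent_score(vendor)
    return round(max(1.0, inherent * (1.0 - CONTROL_CREDIT * vendor.control_strength)), 2)


def tier(score: float) -> str:
    """Map a 1..5 score to its tier name."""
    for floor, name in TIER_THRESHOLDS:
        if score >= floor:
            return name
    return "Low"


def assess(vendor: Vendor) -> dict:
    """Full assessment record for one vendor."""
    inherent = inherent_score(vendor)
    residual = residual_score(vendor)
    inherent_tier = tier(inherent)
    return {
        "vendor": vendor.name,
        "inherent": inherent,
        "inherent_tier": inherent_tier,
        "residual": residual,
        "residual_tier": tier(residual),
        # Critical/High inherent risk triggers the detailed follow-up questions.
        "enhanced_due_diligence": inherent_tier in ("Critical", "High"),
        "reassess_months": REASSESS_MONTHS[inherent_tier],
    }


def rank_vendors(vendors, appetite_tier: str) -> list:
    """Rank candidates by residual risk and flag those beyond the stated appetite."""
    limit = TIER_ORDER.index(appetite_tier)
    ranked = sorted((assess(v) for v in vendors), key=lambda a: a["residual"])
    for a in ranked:
        a["within_appetite"] = TIER_ORDER.index(a["residual_tier"]) <= limit
    return ranked


# Constructed sample candidates for illustration (not real vendors).
CANDIDATES = [
    Vendor("CoreProcessorCo", {"data_sensitivity": 5, "operational_criticality": 5,
                               "system_access": 4, "substitutability": 5}, 0.8),
    Vendor("LoanDocVault", {"data_sensitivity": 4, "operational_criticality": 3,
                            "system_access": 2, "substitutability": 3}, 0.5),
    Vendor("LobbySignageLLC", {"data_sensitivity": 1, "operational_criticality": 1,
                               "system_access": 1, "substitutability": 1}, 0.0),
]

if __name__ == "__main__":
    for a in rank_vendors(CANDIDATES, appetite_tier="Medium"):
        print(f"{a['vendor']:<16} inherent={a['inherent']:.2f} ({a['inherent_tier']}) "
              f"residual={a['residual']:.2f} ({a['residual_tier']}) "
              f"EDD={a['enhanced_due_diligence']} reassess every {a['reassess_months']} mo "
              f"within appetite={a['within_appetite']}")
```

Two design choices are worth noting. Due diligence depth and re-assessment cadence are driven by the inherent tier, because a vendor that holds member data stays a high-exposure relationship no matter how good its controls look today; the residual score is used only to rank otherwise acceptable candidates and to check them against the stated appetite. And the inputs are validated up front, since an unrated factor silently treated as zero would understate a vendor’s risk.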

Leveraging Technology

Managing a robust vendor risk management process efficiently is made easier by modern technology. Many software companies offer products designed to help organizations with their VM processes. While many of them assist with contract management, providing notifications when it is time for contract renewal, only one application is sophisticated enough to help with the rest of the VM process – apogee iQ.

apogee iQ takes a risk-focused approach to vendor management. It gives credit unions the ability to classify vendors based on the criticality of their products or services to the organization, as well as the risks inherent in an outsourced operation. apogee iQ includes vendor assessments built on risk factors specific to each vendor relationship. This expedites the scoring method described above by factoring in inherent and residual risk, along with mitigation efforts, to determine the total risk posed by each vendor.

Rochdale Paragon Group Makes It Easy

At Rochdale Paragon Group, we’re working to help streamline the vendor risk management process for the credit union industry. We combine our own risk assessment questions with some of those included in Shared Assessments to create a more individualized approach to vendor risk management and assessment. For more information about building your credit union’s VM process, contact Rochdale Paragon Group today.