Integration of procurement and vendor risk management to manage risk prior to onboarding

Integration of procurement and vendor risk management to manage risk prior to onboarding

By Mick Kless, President and CEO, Compliance Education Institute

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

Sure. I’ve been in financial services for 38 years and have been on both sides of the table (buy/sell). That experience provides a unique perspective when it comes to understanding what keeps people up at night and providing solutions that help them sleep better and drive business value. There’s nothing like field experience when it comes to transitioning to being a vendor.

Currently, I’m the CEO of Compliance Education Institute (founded 2013) where we focus on three key business pillars of 3rdparty risk management:

  • Education – 3rdParty Risk Management certification and training (#1 in the industry)
  • Solutions – Third Party Toolbox (3PT) automated vendor management solution
  • Advisory Services – Strategic and tactical approach to assessing, designing, building, implementing and managing a third party risk management program
What, for you, are the benefits of attending a conference like Vendor & Third Party Risk USA 2019 and what can attendees expect to learn from your session?

As this is the 3rdyear in a row attending this conference, I come here to learn about the challenges that the industry faces and how they approach and deal with them. Since each of us have many of the same regulatory issues to address but very different environments we’re immersed in inclusive of staff, experience, technology, markets addressed, services offered, global/local footprint, etc., this conference is a great learning experience for everyone. Sharing those experiences during the various sessions over the two days is a great way to learn and to bring ideas back and adapt them in order to address our similar issues.
In my particular session, I’m going to communicate how I see Vendor Management meld with Procurement in order to address pre-onboarding (planning & due diligence process) in a way that takes the best track to mitigate risk and be operationally cost-efficient. Utilizing the concept of GRC applied to 3rdparty risk management provides an outstanding framework in which to integrate planning, lines of defense, roles and responsibilities, and workflow to mitigate risk in a cost efficient way, stay on track to achieve strategic objectives and drive business value from the program.

What, for you, would be optimal for successful integration of procurement and vendor risk?

Without a common goal (stakeholder buy-in) and Governance (top-down endorsement and enforcement), successful integration of Procurement and Vendor Risk cannot be achieved. In addition, we have to be realistic and understand that a reporting structure is essential and independent kingdoms will not work without transparent cooperation between the two. Procurement has traditionally reported to the CFO and Vendor Management has traditionally reported to Operational Risk or Enterprise Risk. Optimally, I would like to see a combined 3rd Party Risk Office that combines both functions and that reports to both Risk and the CFO. I would implement it in a way where it follows Question #5 so that roles and responsibilities are defined, workflow is established and silos become collaborative environments.

What are the key considerations that need to be made when defining roles across the financial institution?

When integrating vendor management and procurement, we have to consider have an effective operating model composed of people, process and technology. In considering the People component (lines of defense) when defining roles and responsibilities, we need to understand the following:
Vendor Population: categories (types) of vendors and number of significantvendors (business critical, enterprise critical)
Time Requirement: how much time is required to manage a category as well as a single significant vendor. This is often grossly underestimated.
Experience: What level of experience does staff require to manage categories and vendors?
Expertise:What technical or domain expertise is required in a supporting role (SME) for the first line as well as for 2ndline vendor governance?
Staff Requirement: Do we even have a sufficient number of resources to manage the program and vendor population. When a program is understaffed, proper monitoring becomes inadequate and exposes the institution to risk.
Shared Services: Understanding that the LOB (risk owner) cannot effectively do its job and collect due diligence and run RFP’s and manage contracts (SLA’s/KPI’s) and conduct periodic reviews, do we need to carve out an organization to assist with or even take over the relationship management post-contract?
Reporting Structure: sometimes the most difficult component is the reporting structure. Who reports to who? Is there a reporting matrix? Are there dotted lines?

How can institutions structure internally to ensure collaboration across the cycle to manage risks prior to onboarding?

Procurement has traditionally excelled at obtaining best price (budget control), managing the RFP/RFI/RFQ process, negotiating contracts and mitigating financial risk. Vendor Management has traditionally excelled identifying, measuring, monitoring and controlling the risks associated with outsourcing. Marrying the two processes that have been disparate functions depends on the following:
1)   Identify a need
2)   Present a business justification
3)   Once approved by the LOB, send it to a Point of Entryagreed upon by Procurement and Vendor Management

Point of Entry (Liaison between Procurement & Vendor Management or could be a function of one or the other)
1)   Determine whether it is a Service or a Commodity
2)   Determine whether it already exists and  whether there’s a Preferred Vendor list
3)   If a Service, it is sent through the traditional Vendor Management process prior to contracting, however:
4)   If a Commodity, it follows the traditional Procurement route
5)   If a Service, the Approved Business Case goes to committee where Outsource Planning takes place and the following are considered:

A.     Inherent Risks
B.     Strategic Purpose
C.     Complexity of the Arrangement
D.     Cost/Benefit Analysis
E.     Impact on Other Projects, staff, customers, budget, other vendors
F.     Information Security Implications
G.     Specific regulatory issues
H.     Compliance with the institution’s policy
I.     Selection, assessment and oversight a third party (see step 6 below)
J.     Exit Strategy

6)   If it’s determined from Step I. above that RFI/RFP/RFP is required then Procurement is engaged
7)   Once Due Diligence is completed, Procurement is engaged for the contract negotiation and review process

How do you see the management of vendor and third party risk evolving over the next 6-12 months?

As we’ve already seen during the past 12-18 months, Line 1B(review and challenge) will continue to be carved out as a check and balance to ensure the adequacy and effectiveness of 1stLine functions during the due diligence process. I also expect to see Shared Services continue to evolve in larger institutions whereby a “Performance Group” or “3rdParty Governance Group” or “Vendor Liaison” takes over the relationship post-contract to manage the contractual commitments (SLA’s), Performance (KPI’s), Risks (KRI’s) and Value and works with the LOB who manages the business issues.

vendor & third party risk usa series