VENDOR MANAGEMENT PROFILE SERIES

A White Paper by VendorINSIGHT and CMPG, LLC

Growing Vendor Management as a Sustainable Business Process with Automated Vendor Management Systems

November 1, 2013

COPYRIGHT 2013 BY VENDORINSIGHT AND CMPG, LLC. ALL RIGHTS RESERVED.
Vendor Management Evolved

Boundaries and Origins

Vendor management, by its nature, is a broad-ranging business process that crosses many organizational boundaries, including Sourcing, Procurement, Risk and Compliance, IT, Information Security, Disaster Recovery Planning, Finance, and Accounting, Retail and Operations groups. In addition to requiring the collaborative participation of these groups, a company's successful vendor management program must facilitate many business needs. These include:

- Vendor research and selection
- Vendor evaluation and due diligence activities
- Contract development, monitoring and alerting
- Multi-dimensional risk assessment (financial, legal, information security, fraud, technology, etc.)
- Performance measurement and SLA (service level agreement) monitoring
- Market news monitoring
- Financial health monitoring
- SSAE16 review and monitoring
- Business risk and business trend monitoring

The development of vendor management into the multifaceted business process it is today was enabled by the maturity of sourcing as a strategic business discipline. Sourcing taught organizations to control costs and set expectations for vendor performance on the front end of the relationship - during the vendor selection process. Vendor management evolved by necessity because of the need to monitor contracts, track service level agreements, and ensure that the services and performance that were negotiated were being realized. Vendor management embodies the closed-loop side of the traditional plan-execute-measure-control model, where sourcing constitutes the planning and execution phases, and vendor management embodies the measurement and control phases.

Because so much of the risk borne by a company can be evaluated from information that is typically revealed concurrently with vendor evaluation, selection and contracting activities, vendor management naturally extends upstream into the stages of sourcing where this information first becomes available.
So, in essence, vendor management - especially its risk components - has engulfed the traditional sourcing model, which was previously cost-focused, in the interest of ensuring improved risk management, reliability and performance.

The Three Primary Objectives of Vendor Management

A reliable vendor management program is built around features that help manage three domains related to the vast array of vendors and third parties who are contracted to provide services, management data, products, software, hardware, or the outsourcing of critical business functions. These domains are Relationship, Risk and Performance. Interdependent, they provide information, data, and analysis that are essential to management's understanding of the importance, reliability and strength of the vendors and third parties the company relies on. In highly regulated industries like financial services or healthcare, these three domains also represent the primary concerns of regulators, auditors and examiners, at the federal and state level, as they enact guidance and laws and evaluate an organization's operational risk and enterprise risk management program.

Financial institutions increasingly rely on third parties for the creation, delivery and maintenance of products and customer relationships. All of these critical vendor relationships bear the burden of standing up under the daily pressure of a dynamic and changing business and technology environment, and they must successfully avoid harming the financial stability, profitability, or customers of the financial institution that relies on them.

As the industry has matured and as new risks emerge from evolving B2B behavior that increasingly relies on social media, unique outsourcing arrangements, and leveraged supply chain relationships, the regulators have responded with new guidance and laws aimed at mitigating these risks. In fact, it can be argued that the new guidance imposes managerial oversight and mandates specific process design for companies as they carry out the business of vendor and third party risk management. In 2013 alone, three new updated regulatory guidance documents were published that relate to the financial services industry. These include:

- FFIEC Guidance on Social Media (January 2013)
- FDIC Compliance Manual, Abusive Practices - Third Party Procedures (July 2013)
- OCC New Guidance for Third Party Risks (October 2013)

In late 2013, company internal audits and regulatory examination findings increasingly reflect the new standards. Companies and industries struggle to keep up as they continually work at developing their vendor management programs into more formal, consistent and efficacious business processes that provide a competitive advantage while satisfying regulators and enterprise risk management objectives.

Relationship. Risk. Performance.
Effective Risk Management and Sustainably Consistent Business Practices are Enabled by Automated Vendor Management Systems.

- Relationship - Knowing all of your vendors, how many there are, what services they provide and which ones are most important is similar to understanding and classifying the many species and the working ecology of a forest.
- Risk - Examining vendors in detail to evaluate their information security strength, financial strength or health is much like a forensics analysis. It requires specialized knowledge and the tools to do the job efficiently.
- Performance - Measuring your vendors and their performance, adherence to SLAs and other key metrics is important to ensure your organization will perform at its highest level and grow without disruption.
The Six Common Plagues of Vendor Management

Business Problems Drive the Need for Vendor Management Automation

Today, vendor management activities at most companies are directed, or at least heavily influenced, by a department of Risk Management and Compliance. The responsibilities for maintaining and organizing vendor information fall on an often small group of dedicated personnel who, through the management mechanisms of policy design, oversight, subject matter expertise, and reporting and accountability, attempt to ensure that vendor management procedures are carried out diligently, on time, and in a consistent and formal manner across the enterprise.

Seven business problems are common to nearly every organization. These business problems expose financial institutions and other companies alike to significant cost risk, regulatory risk, and strategic business risk:

1. There is not enough time or manpower available to properly carry out vendor management activities that range from extensive due diligence to contracting to monitoring and performance management.
2. Performance and SLA monitoring of vendors - a critical component of the business value received from a vendor - is inconsistent at best and must be performed manually.
3. There is currently no standard or consistently-applied risk rating methodology that can easily be applied to ALL vendor relationships. This results in inconsistency among the vendor records and documentation.
4. There is insufficient visibility into the contractual obligations of the company, including key notice dates, automatic renewal dates and options within the contracts with mission critical and high value service providers and third parties. Additionally, it is difficult and time-consuming to locate key contracts with service providers when they are needed for planning or strategic projects.
5. An extensive manual effort is required to maintain and manage the vast array of information that is essential and pertinent to the proper governance of vendor and third party relationships.
6. Managers and employees who interface with suppliers, and who own the business processes the suppliers support, do not prioritize vendor management and are not held accountable by management for the timely and proper completion of their assigned tasks and activities within the vendor management process.

Each of these business problems can be alleviated by an automated vendor management system that enables better access to information, a centralized repository of vendor information, a consistent methodology for vendor assessments, and improved workflow with enhanced visibility, reporting, oversight and control.
ROI and Cost-Benefit Analysis for an Automated Vendor Management System

Assumptions

The following analysis is based on vendor management metrics that are specific to and that have been developed by UBSI, including compensation and expense numbers. Metrics, where utilized, have been validated with industry research. The data utilized in the ROI analysis has been selected to present a conservative ROI calculation in order to mitigate any inherent risk in the assumptions.

- Number of Expected Vendor Contracts Managed: 400
- Average Annual Contract Value: $85,000
- Average Contract Length (Frequency of Renewal): 3 Years
- Percentage of Contracts Renewing that Require RFP/Negotiation: 20%
- Frequency of Audit or Examination: 12 Months
- Cost of Outside Legal Counsel: $250/hr.
- Total Compensation (Salary and Benefits):
  - Program Administrator: $62,000
  - Clerical/Administration: $45,000

Classification and Quantification of Benefits

Fortunately, vendor management is not just an added cost and resource burden to an organization; rather, it brings with it significant and tangible business benefits and savings. The companies that maintain a formal vendor management program learn quickly that getting real business benefits and achieving regulatory compliance and risk management go hand-in-hand. A strong vendor management program delivers benefits across three dimensions:

- Activity and Productivity Benefits - Enables easier, faster completion of required tasks and activities like vendor risk assessments, performance reviews, or RFPs and results in improved resource utilization, improved productivity and lower personnel costs.
- Business Benefits - Improves the visibility and reliability of management information that is needed to make strategic and daily business decisions like whether to renew a contract, when to terminate a vendor relationship, or when a critical vendor decision may be needed.
- Compliance and Risk Benefits - Ensures that your policies and procedures, and the federal and state laws they are designed to comply with, are consistently and formally met. Meeting the regulatory and compliance requirements requires better organization of data and vendor information, which is equally useful for business strategy, planning and execution, including cost control, budgeting and legal risk mitigation.

Clearly, the business benefits of a vendor management system alone easily justify the expense of an automated vendor management system, even in the absence of essential risk and compliance benefits.

Results

The ROI analysis shows that a vendor management system will easily provide annual benefits that exceed the cost of the system, including setup and training. The Internal Rate of Return (IRR) exceeds 700% with quantifiable financial benefits plus reduced enterprise risk levels accompanied by a significantly improved risk management position.
COST-BENEFIT ANALYSIS FOR AUTOMATED VENDOR MANAGEMENT SYSTEM

A - Activity and Productivity Savings

| Type | Benefit | Annual Savings |
|------|---------|----------------|
| A | PRODUCTIVITY / Personnel Savings - Vendor Management Due Diligence and Compliance Task Automation | $124,000 |
| A | PRODUCTIVITY / Personnel Savings - Contract Ownership, Management and Vendor Monitoring | $42,408 |
| A | PRODUCTIVITY / Personnel Savings - Document Review and Data Entry | $18,000 |
| A | PRODUCTIVITY / Personnel Savings - Sourcing and RFP Administration and Management | $12,000 |
| A | PRODUCTIVITY / Personnel Savings - Finance, Information Security/IT, and Risk Management Administration | $4,133 |
| A | PRODUCTIVITY / Personnel Savings - Risk and Compliance / Examinations and Audit Preparation and Response | $1,240 |

B - Business (Non-Interest Expense) Savings

| Type | Benefit | Annual Savings |
|------|---------|----------------|
| B | NONINTEREST EXPENSE REDUCTION - REDUCED STAFFING REQUIREMENT / Personnel Savings from Program Administration Included with Software | $62,000 |
| B | NONINTEREST EXPENSE REDUCTION / Contract Pricing and Price Increase Avoidance | $51,000 |
| B | NONINTEREST EXPENSE REDUCTION / Legal Review by Outside Counsel | $33,333 |
| B | NONINTEREST EXPENSE REDUCTION / Contract Renewals, Strategic Visibility and Cost Avoidance | $25,500 |
| B | NONINTEREST EXPENSE REDUCTION / Paper and Printing Cost Savings | $9,000 |
| B | NONINTEREST EXPENSE REDUCTION - Regulatory Awareness & Program Upkeep | $8,125 |

C - Compliance Requirements (Non-Quantified / Partial List)

| Type | Benefit | Annual Savings |
|------|---------|----------------|
| C | Compliance with Differentiated Monitoring and Management Control Requirements for High/Medium/Low Risk Vendors | Requirement |
| C | Compliance with Newest Regulatory Requirements: FFIEC Social Media Monitoring (January 2013), FDIC Abusive Practices and CFPB Consumer Complaints (July 2013), and OCC Revised Third Party Management Guidance (October 2013) | Requirement |
| C | Assessment of the "Criticality" of Vendor Relationship to Determine Appropriate Level of Due Diligence and Risk Assessment | Requirement |
| C | Identification of Vendors with Poor or Downward Trending Performance or Risk Profiles | Requirement |
| C | Proactive Monitoring and Alerting of Key Contract Notice Dates, Cost Increases, Planning Horizons and SLAs | Requirement |
| C | Automatic OFAC and CFPB Customer Complaint Database Checking of All New Vendors | Requirement |
| C | Maintenance and Archive of Vendor Selection Decision Documentation | Requirement |
| C | Monitoring/Enforcement of Roles and Responsibilities for Vendor Management Policy and Procedures (Including Training) | Requirement |
| C | Consistency in Maintaining Policy Compliance Visibility Across All Vendor Management Records | Requirement |

TOTAL ANNUAL SAVINGS: $390,740

Vendor Management Automated System One-Time Setup Cost: $20,000

Vendor Management Automated System Annual Recurring Cost: $40,000

IRR (INTERNAL RATE OF RETURN): 718%
Conclusions and Recommendations

The Case for Automated Vendor Management Systems

Automated vendor management systems, especially the class-leading solutions offered by reliable, established companies like VendorINSIGHT, can be easily and quickly deployed in less than 30 to 45 days. They utilize cloud-based strategies to minimize costs and employ the latest technologies. The solutions are easy to use, reliable, and cost-effective.

With one-time initial setup costs that average less than $20,000 and recurring annual costs frequently less than $40,000, these solutions cost less than a single employee, deliver benefits and productivity improvements equivalent to several employees and provide an internal rate of return of more than 700%. Moreover, they provide a scalable platform to more fully develop a vendor management program over time as companies grow or expand, as new vendor management best practices evolve, or as new requirements are imposed by regulatory bodies.

Without a leading automated vendor management program in place to provide the controls needed to ensure consistency and proper execution of vendor management policies and good practices, a company is unnecessarily exposed to excessive legal risk, financial risk, performance risk, information security risk, business continuity risk, customer risk and reputational risk.

When the analysis shows a strong hard-dollar financial return, an inherently-understood promise of reduced risk and improved compliance, with improved productivity and better management information and reporting, utilizing an automated vendor management system just makes good business sense.

Grant Karnes is the Executive Director of VendorINSIGHT and the lead vendor management implementation consultant for CMPG, LLC. For more details or to discuss VendorINSIGHT as a solution for your business, contact a VendorINSIGHT representative at www.vendorinsight.com or 1-800-997-2674.