
What Bank CEOs Should Tell Their Boards About Third-Party Vendor Risk

Vendor management is risky business. Smart leaders use performance scorecards to keep the board informed.

The FDIC issued a consent order against Discover Bank last year for lacking oversight into third-party risk management and a compliance vendor management program. The time is past for all financial institution leaders to heed this message, take a hard look at their vendors and highlight concerns to their boards of directors.

But with so much information being gathered within an institution, what should CEOs share?

Smart bank leaders ensure their teams create and maintain scorecards to monitor their vendors’ performance and schedule regular updates with their directors. This empowers both the institutions and their boards to stay ahead of any concerns with vendor performance.

At a minimum, vendor performance scorecards should include these categories:

  • Service levels. This documents how critical and important vendors perform compared to their contractually obligated promises of system uptime, ticket response time and ticket resolution time. Many contracts are negotiated around service level agreements concerned with ticket response time when they should be looking at whether the vendor is providing bug fixes and enhancement requests in a reasonable time. The board must be informed about vendors with “black holes” in their support tickets.
  • Volume. Being a big fish in a small pond sounds great until performance problems arise. Institutions often outgrow their vendors’ ability to provide hardware to keep operations running smoothly. We hear major concerns from institutions whose anti-money laundering and fraud vendors can’t run their agents fast enough to stop the bad guys. No matter how great the technology, an institution can outgrow its solution, and the board needs to be made aware if this possibility is in danger of becoming a reality.
  • Quality. Too many financial institutions are serving as software testers. Regardless of past software quality concerns, it is never good practice for an institution to wait until a vendor has 20 clients live on a new update before upgrading. Boards should learn about vendors with repeated quality concerns.
  • Milestones. This is where the institution records missed deadlines for product updates, implementations or regulatory changes. A vendor’s “say:do” ratio should be close to 1:1. No institution wants to be 100th in the queue for rollout onto a “new” platform. Leadership should divulge to the board if it has concerns about any vendor hitting its promises.
  • Reporting. Vendors should provide required FFIEC documentation without being asked (or begged). The same goes for penetration testing results for SaaS/hosted applications and third-party model or AI validation audits. These services should be provided without cost to the institution. If they’re not, the board should be made aware of it.
  • Contracts. This scorecard section details all existing contract obligations and terms that feed the institution’s strategic vendor planning decisions. Leaders should show the board a plan to address any risks uncovered including upcoming renewal dates, expected holdover fees and expected increases in contract spend.
  • Communication. This scorecard section details how a vendor communicates with the institution. During outages, did it provide a summary of what is happening, what it is doing, and an expected resolution time for the issue? Does it push releases with detailed release notes? Does a relationship manager check in regularly with the institution—and not a month or two before renewal? These behaviors will either define the vendor as a true partner or reveal whether it just uses that word to sell the institution something. Be sure the board knows the score.

Vendor performance scorecards play a critical role in helping an institution’s team decide which vendors to renew, renegotiate or replace. Smart CEOs know scorecards demonstrate to the board that the team is not just managing vendor risk but lowering it.


Thanks to Josh Layne for his contributions to this article.

John Meyer is a managing director at Cornerstone Advisors. Follow John on LinkedIn.

Kelli Schulz is a principal at Cornerstone Advisors. Follow Kelli on LinkedIn.