As Somerset Trust grew rapidly, the management team realized its vendor management system — basically a fireproof steel cabinet and several Excel spreadsheets — would no longer do.
Over five years, the Pennsylvania bank's assets increased by half, to $990 million as of last Sept. 30. Naturally, the number of vendors it works with has increased as well, to more than 100. And the tough vendor risk management guidelines the Federal Financial Institutions Examination Council came out with in 2014 added further requirements.
"We were much more reactive to things than proactive," said John Gill, Somerset's chief operating officer. "We weren't effectively managing those relationships moving forward. We saw a chance to step back and build a meaningful process and an application we could use to create a discipline for the whole organization."
The bank first looked for packaged vendor management software that would help people throughout the bank document their due diligence efforts in selecting new vendors, and update and manage vendor contracts and relationships.
After sending out a request for proposals, Gill and his team looked at five off-the-shelf vendor management systems, but none quite suited the bank.
"Every vendor management system we saw a demo of was either overkill from the standpoint that it was difficult to input all the information they were going to try to monitor, or it was not adequate in meeting, for instance,
So the bank tasked an in-house programmer with building the application (in CodeFusion, a platform for rapid development of Web apps). An intern helped scan and load all the existing vendor documentation into the system.
The system stores and organizes documents related to due diligence, disaster recovery, SSAE 16 reviews, privacy information, annual reviews, financial analysis, contract details, business impact analysis and insurance. It stores meeting minutes and links to pertinent information regarding guidelines and industry standard practices. A dashboard shows the status of the vendor relationship, including any deadlines for contract renewals or disaster recovery tests. Email reminders are also sent for such items. An audit trail shows all actions taken by business owners as they maintain their respective files.
Now when Somerset Trust selects a new vendor, the banker who made the decision goes into the vendor management console to answer several questions about the company, such as, "Is this a critical vendor?" The software provides definitions for these and other terms. Based on the answers, the system determines any extra due diligence steps, insurance coverage or business impact analysis that might be required.
The bank figures the new software has brought about a 25% reduction in labor. Vendor meetings are more productive, the new vendor entry process is streamlined, data collection forms have been standardized, and tracking and monitoring are improved. Preparing for vendor meetings is easier and less time is needed to manage third-party relationships. Somerset Trust executives also say that by having internal programmers develop this technology, the bank saved five figures during implementation and thousands in monthly ongoing fees.
Would Somerset sell this tool to other banks? "We go back and forth on that," Gill said.