Internal credit union fraud, such as custodial theft, can offer the affected credit union lessons in security practices and procedures. What it also provides, says Wayne Hood, senior vice president and chief legal officer at ORNL Federal Credit Union ($1.6B, Oak Ridge, TN), is a lesson in vendor management; specifically, in how to allocate risk and responsibility between the credit union and the third parties it lets inside its walls.
“If you wanted to steal confidential member information, what better way than the cleaning crew who has virtually unlimited access to the organization, often when there’s little to no supervision,” he says. “It becomes important to not only vet those people but also have contract terms about where the responsibility is if there is breach or misconduct by that vendor’s employees.”
CU QUICK FACTS
ORNL Federal Credit Union
Data as of 12.31.15
HQ: Oak Ridge, TN
12-MO SHARE GROWTH: 5.74%
12-MO LOAN GROWTH: 8.64%
To address both contractual risk and management responsibility, ORNL has bolstered its vendor management system, which oversees 212 contracts ranging from core processing to janitorial services. The Tennessee credit union partnered with software provider InContract in early 2013 and designed a hybrid solution: individual departments sign off on a vendor first, and every contract is then centralized through ORNL's legal department.
A Hybrid Approach To Vendor Management
Hood joined the credit union in late 2012. At the time, ORNL’s vendor management process was manual and inefficient. Its current automated process now offers better control over record keeping and contract management.
Hood says the software provides a framework for assessing risk and rating vendors and relieves employees of tracking critical due-diligence documents such as the SSAE 16 report (SSAE 16 is the auditing standard under which a service organization's auditor attests to the controls the vendor relies on) and more general financial statements. The system prompts the credit union's compliance officer when a contract file is missing required items and when contracts are coming up for auto-renewal, the point at which unfavorable terms would otherwise quietly roll over.
“It’s helped us be more diligent about making sure things don’t fall through the cracks,” Hood says. “That helps us show the examiners that we are, in fact, conducting due diligence and risk assessments on our vendors.”
3 Lessons In Vendor Management
Create A Thorough Process:
If a contract is going to affect ORNL's IT systems, it has to go through the IT department. Then it goes through a legal review. Once it passes both, it goes to executive management, which has the final sign-off.
Understand Departmental Strengths And Weaknesses:
ORNL's legal team points out risk and recommends contract language. It then works with the affected department to find the right balance between vendor performance and organizational risk.
Leave The Performance Review To The Impacted Departments:
Service standards are owned by ORNL's business leaders, who meet directly with vendors when those standards are not met.
But implementing the system was just the first step.
For the second step, ORNL added discipline to its contract review and negotiation process. In the past, the credit union allowed business leaders to negotiate vendor contracts independently; if they approved the contract terms within a certain dollar limit, and that limit fit the credit union's budget, they could execute the contract unilaterally, with no one reading the terms for risk. ORNL's legal department has since created a contract review sheet that provides a snapshot of the contract terms and requires business leaders to take more responsibility for digging into potential contractual issues before signing off.
“Are there satisfactory performance standards?” Hood asks. “What are they? Do they have insurance? Do they have a disaster recovery plan?”
After the business leader approves the contract, the affected department (IT, for any contract that touches ORNL's systems) and the legal department must both review it. Only then does the executive management team receive it for final sign-off. The process favors including every party affected by the vendor relationship rather than centralizing all decision-making in the legal department.
“I don’t know what my marketing department wants in a vendor or what facilities needs out of a vendor,” Hood says. “They know much better than I do, and the logical thing was to split the control. So you tell us you’re happy with the vendor and then we’ll tell you if there are any legal issues that need to be flagged.”
Balancing Risk, Service, And The Future Of Vendor Management
Today, ORNL's vendor management program controls, minimizes, and mitigates risk, and it tells the credit union when contract terms are nearing their end. What it does not do is evaluate the quality of the terms themselves, which leaves the credit union exposed to several risks, chief among them legacy agreements that predate the current review process.
“Are there terms out there that could pop up and hurt us?” Hood asks.
He points to patent trolls as one example. Simply put, a patent troll enforces patent rights through litigation or the threat of it in an attempt to collect licensing fees, but does not offer products or services based on the patents in question. It is common, Hood says, for a vendor contract to shift the risk of such claims, and the cost of legal defense against them, onto the credit union rather than the vendor whose product is at issue. Now, the credit union renegotiates or terminates such agreements.
“I don’t want to spend our money on legal defense just because we didn’t pay attention to the contract terms and [didn’t] realize that was a responsibility we were assuming,” he says.
Beyond the financials, ORNL's vendor management has the potential to affect member service as well. When ORNL enters into a vendor relationship, it looks for legal agreements that spell out the provider's service expectations and allow the credit union to terminate the agreement if the vendor does not meet them.
But as vendor management continues to take on greater importance at ORNL, Hood is thinking bigger. He wants to hire a full-time vendor management employee and build a more proactive program.
“There’s something to be said for a vendor you know and are happy with,” he says. “But we owe it to our members and we owe it to our organization to see if there is somebody who can do this better.”