Lessons In Vendor Management

In this Q&A, Cheryl Turner, contracts administrator at BCU, discusses how the credit union manages its vendor relationships — from how the credit union reviews vendors to best practices she’s gleaned during her time with BCU.

 
 

There are pros and cons to outsourcing. On the one hand, outsourcing frees up credit union employees to accomplish other tasks. On the other hand, managing third-party relationships requires diligent oversight on the part of the credit union.

Cheryl Turner, contracts administrator at BCU ($2.2B, Vernon Hills, IL) knows this well. Turner started as a paralegal at the credit union nearly a decade ago — after 10 years in sales and marketing — and split her time negotiating and administering contracts for the audit and facilities and procurement departments.

Her position soon evolved into a comprehensive vendor management role that encompasses responsibilities such as drafting request for proposals (RFP) and performing due diligence and annual reviews.

Turner played a key role in drafting and implementing the credit union’s vendor management policy, and in this Q&A, she discusses how BCU manages its vendor relationships — from how the credit union reviews vendors to best practices she’s gleaned in her time with BCU.

How does BCU manage its vendor relationships?

Rod Flowers
Cheryl Turner, Contracts Administrator, BCU

Cheryl Turner: BCU’s vendor management process is a multi-tiered approach that begins with assessing business needs and requirements. We complete an initial risk assessment ideally on at least three competing vendors. Once we’ve completed the internal risk assessment, the due diligence phase begins. Upon completion of the due diligence phase, BCU decides which vendor or vendor(s) to enter into formal contract negotiations. Upon execution of the formal contract, we designate a business relationship owner who is responsible for day-to-day service provider oversight throughout the duration of the relationship.

When do you use this process?

CT: We use the third-party vendor selection and due diligence process whenever the following events occur:

  • An internally executed or new business process is considered for outsourcing.
  • An existing business process that is outsourced is considered for a different outsourcer.
  • An existing business process is experiencing an overhaul and the existing service provider is at a risk for not being able to maintain or meet the new business requirements.

Why is this process important?

CT: These vendor management procedures build healthy relationships with our third-party service providers while maintaining compliance with FFIEC regulatory guidelines.

CU QUICK FACTS

bcu
Data as of 06.30.15
  • HQ: Vernon Hills, IL
  • ASSETS: $2.2B
  • MEMBERS: 199,611
  • BRANCHES: 40
  • 12-MO SHARE GROWTH: 9.75%
  • 12-MO LOAN GROWTH: 10.88%
  • ROA: 1.3%

How many vendor relationships does the credit union currently manage?

CT: This year’s annual review consisted of 118 third-party service providers.

How does BCU review new vendors and stay up-to-date with established ones?

CT: All third-party service providers go through an internal risk assessment prior to BCU onboarding new vendors or engaging the services of existing vendors in new service areas. The results of the risk assessment determine the level of due diligence required prior to contract negotiation.

I also maintain a database of all contracts, renewal, and expiration dates and communicate all active contracts to the BCU business relationship owners on a quarterly basis. Vendors that meet pre-established criteria are subject to annual reviews as well. The scope and depth of the due diligence, if applicable, is directly related to the criticality and magnitude of BCU's relationship with the third party and the service provided.  

What compels you to review vendors or search for new ones?

CT: BCU is constantly looking to add value for our members. We seek out new third-party service providers when we want to enhance or expand product offerings. BCU has had many long-standing relationships with our existing third-party providers, some in excess of 15 to 20 years. We view our third-party service providers as “valued enablers” in achieving BCU’s goals and objectives. 

What do you look for in new vendors? Why?

CT: The nature of the business relationship determines the specific considerations and depth of due diligence when onboarding new service providers. For example, during the RFP process we identify whether a technology service provider will have access to confidential information and vet them through BCU senior management.

Prior to the contract negotiation phase, BCU assembles a cross-functional team to perform a due diligence review of the third-party service provider, examining areas such as the service provider’s financial stability, industry and management experience, reputation, technology and systems architecture, internal controls environment, and business continuity planning/disaster recovery.

How has the vendor marketplace changed in the past 10 years?

CT: When I started at BCU in 2006, the marketplace for vendor management software didn’t exist or was limited in its functionality. BCU began using Viclarity in first quarter 2015 for enterprise risk management and vendor management. This automation software has increased my productivity by more than 50%.

A big challenge to BCU’s vendor management process was how to seamlessly integrate each piece in the review process. 

What are the pros and cons of using risk and compliance management software as opposed to managing these systems manually?

CT: Our annual service provider review process had been laborious due the use of various non-integrated tracking tools. Viclarity SAAS has enabled me to automate repetitive tasks and generate custom questionnaires to identify and manage our risk exposure. 

Also, prior to onboarding a new third-party service provider or anytime BCU adds services with an existing vendor, multiple individuals might need to be involved in the review process. A big challenge to BCU’s vendor management process was how to seamlessly integrate each piece in the review process. Viclarity solved that by providing robust reporting capabilities that allow me to share information and results on demand. In addition, the Viclarity SAAS provides a collaborative workspace that allows for the easy delegation of tasks with a shared repository and audit trails.

What is your No. 1 best practice in vendor management?

CT: Communication is the key component. Recognizing and documenting issues as well as maintaining a clear line of communication is essential. When a third-party service provider is not meeting BCU’s expectations, the BCU business owner initiates a conversation with the service provider to remedy the situation.

 

 

 

Aug. 31, 2015


Comments

 
 
 

No comments have been posted yet. Be the first one.