PCBB Banc Investment Daily April 05, 2013

AN EGG-ZACTING ASSESSMENT OF YOUR VENDORS

Community bankers are a self-sufficient bunch. Most people who work in smaller banks are experts in more than one area out of necessity, which makes life more interesting and offers a comprehensive view of what is going on all over the bank. As skilled as bankers may be at doing multiple things, compressed margins and an ever-changing regulatory environment have pushed more banks to seek outside resources and, therefore, outside vendors to get some tasks off their plate.
To do so, regulators require every bank to have a due diligence policy in place to ensure outside vendors meet certain standards. The policy should be in line with the sophistication level of the bank and the complexity of the processes the bank plans to hand off to outside vendors. Vendors that support critical systems require more rigorous testing than those that do not.
If your bank is considering outsourcing some processes, it might be a good time to review your vendor risk assessment policy to make sure it is updated. To begin, assess the importance of each service a vendor performs and how dependent the bank is on that vendor for basic functions. Ask whether the bank's reliance upon this vendor presents business, financial, operational, reputational or regulatory risk. Consider whether the vendor will have access to confidential customer data and think about whether the vendor performs a critical business function. In short, the more reliant the bank is upon the vendor to carry out its day-to-day functions, or the higher the level of access to confidential data, the greater the need for care.
A typical way to approach vendor due diligence is to assign numbers or colors that signify high, medium or low risk. The bank's core provider, for example, is much more likely to create a security problem than the janitorial service in most cases, so it likely warrants a higher risk score. How a vendor mitigates that risk should also be quantified. The net of the inherent risk scores and the mitigating factors should then give you a good idea of the level of risk associated with a particular vendor. By using a scoring system, your bank can focus energy on the vendors that have the highest net scores as you seek to mitigate the risk or conduct additional due diligence. It is a good practice to regularly review all vendors and document/quantify any changes in their risk profile.
There are a number of modules and templates available to assist in assessing vendors, but a written analysis or even Excel will also work. There are also full-service outsourced vendor management solutions if your complexity increases or you find yourself outsourcing more significant jobs. Ultimately, the bank is held responsible by the regulators to understand the results from any assessment, which vendors it uses, how risky each one is and the mitigating factors that might offset that risk, so make sure your process can be explained in detail.
By putting a few safeguards in place, outsourcing can be a good way to free up bank staff to do more important things or bring in additional expertise to help in given areas. It can also be egg-xactly what is needed to free up resources to capture more customers and boost performance.