CHICAGO, IL - The use of third parties has indeed helped financial institutions to grow revenues, cut costs, and improve the customer experience. However, these proven upsides have come with equally apparent downsides: more frequent operational setbacks such as major service interruptions, mishandling of customer or employee data, and non-compliance with laws and regulations. With the right approach to managing risk, firms can turn third parties into strategic assets.
Mary Kay Merkt, SVP, Director, Vendor Management & Procurement at Johnson Bank, recently shared with marcus evans how to build healthy vendor partnerships through thorough contract management processes and data management systems:
How do due diligence standards and vendor outsourcing go hand-in-hand?
MKM: When an institution decides to outsource a service(s) to a third party, it is their established due diligence standards that guide and monitor the oversight of that vendor relationship. The monitoring of categories such as risk assessments, business continuity plans, SOC reports, financial status, etc. is key to measuring the inherent risk of the vendor relationship. This is the foundation for establishing controls to reduce risk and anticipate potential risks in the future.
What types of analytical methodologies are available to aid in the evaluation of third parties?
MKM: There are a number of analytical methodologies to aid in the evaluation of third parties. One of the most important processes performed in financial institutions is the evaluation, selection and continual measurement of vendors. Some institutions use the AHP or a hybrid version to calculate overall scores.
For example, these methods can be used with a variety of components of the vendor management program:
Why is a bank's data storage model important to its defense against outside threats?
MKM: Whether the data storage is housed internally or outsourced, knowing the specifics of your data storage model provides the institution a key advantage to managing and anticipating potential risks. As the saying goes… "Know What You Don't Know!" is important to successful management of vendor relationships and protection against threats outside or inside the institution. To mitigate threats, you must be aware of the impact and probability of risks to reduce or eliminate them. Many institutions have a good handle on external risks because they have implemented disaster recovery (DR), business continuance and security measures to protect their data and applications.
How can a balanced risk sharing approach with the third party strengthen the first line of defense?
MKM: No matter how effective institutions are at managing third parties, there is no way to outsource the risk that comes with this decision. Ultimately, institutions are responsible for the impact on their reputation, financial viability and customers. Most institutions have mature controls and approaches that help lock down IT and security risks. They should apply the same consistency and discipline to managing the risks that come with their vendor relationships. The first line of defense can be strengthened by driving a balanced risk sharing approach with their third parties. This is illustrated by building regularly scheduled business reviews into the contract during the negotiation phase, reviewing the SSAE16 / SOC Reports for exceptions and accessing internal controls.
How do you plan for potential regulatory and business updates when creating a contract with a vendor?
MKM: To plan for potential regulatory and business updates related to contract management, we eliminated the "evergreen" type contracts that automatically renew. Automatic renewal type contracts can lead to complacency by the vendor and vendor relationship manager, and many times these contracts have automatic increases built in for year-over-year price increases. Within our contract general terms & conditions (GTCs), we have specific language to ensure the vendor is responsible for complying with all laws (including all statutes, ordinances, regulations, orders and codes) applicable to their business performance under the contract. With mission-critical and high-risk vendors, we expand the language to include language ensuring that the vendor will enable compliance by us and all requirements imposed by banking regulators having jurisdiction over us. Additionally, we include language related to changes in business processes, technology, security, etc., as well as including system changes, enhancements, and requiring business reviews at least quarterly.
Mary Kay Merkt is the Director of Vendor Management & Procurement at Johnson Bank in Racine, WI. She has been active in the area of Vendor Management and Procurement for over 33 years. Last year, Mary Kay's responsibilities expanded to include Business Continuity Management and Incident Response, broadening her role within the Risk Management Area. In her current role, Mary Kay spearheads continuous process improvements across all business lines, develops risk assessment models, and negotiates enterprise contracts seeking cost savings and innovative ideas from vendors.
Mary Kay is a graduate of the University of Wisconsin - Milwaukee and is a Certified Regulatory Vendor Program Manager (CRVPM). She is an Instructor for the Wisconsin Bankers Association and is currently serving as Director of the Bank Operations School. Mary Kay is a Certified Toastmaster with Toastmaster International.
Join Mary Kay at the 2016 Edition: Third Party Risk Management for Banks Conference, June 7-8, 2016 in Chicago, IL. View the conference agenda to check out Mary Kay's case study topic. For more information, please contact Tyler Kelch, Digital Marketing Manager, marcus evans at 312.894.6310 or Tylerke@marcusevansch.com.
About marcus evans
marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche-focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.