Cheryl Gross & Associates
Project Management and Facilitation to the Financial Industry

   36 Bromfield Street, Suite 306
   Boston, Massachusetts 02108
   (617) 426-3701

  Cheryl Gross, PMP, President


The Nib
Timely Tips from Cheryl Gross and Associates

FFIEC Guidance on Vendor Management — Is There A Common Sense Approach?

When working with clients on Vendor Management, we generally hear one of three questions:

  • We have vendors that we’ve done business with for years whose contracts predate FFIEC guidance. How do we risk assess this group of vendors?
  • Our outsourced services cover a wide range of IT products and services, from purchases that have a value of a few dollars to several million dollars. The FFIEC guidance utilizes a one-size-fits-all approach. How do we comply without building a bureaucratic monster?
  • The FFIEC Vendor Management guidance is so complicated we never have time for innovation. How do we comply, yet find the time to move the organization forward?

Let’s take a step back and talk about three issues:

    1. What elements constitute a comprehensive Vendor Management Program?
    2. How do you implement a Vendor Management Program in a dynamic environment with legacy vendors, new initiatives in the pipeline and future innovation on the horizon?
    3. What’s in it for your organization?

Vendor Management Programs

When you look at Vendor Management from an academic perspective, it’s a logical process. The key elements are:

  1. Requirements definition — the process through which the organization determines the business strategy, business needs and business requirements.
  2. Vendor selection — the process by which the organization matches its needs to what’s available in the marketplace.
  3. Due diligence — the process by which the organization validates the investment and ensures the service providers have the financial basis, operational expertise, management and controls to provide the service over the term of the contract.
  4. Risk rating / risk assessment — the metrics which enable the organization to measure and rate operational risk, reputational risk, strategic risk, compliance risk and financial risk.
  5. Contract negotiation — the rules which identify the service provided, the quality measures of the service, the cost of the service, the controls that are required and will be measured, and the remedies if one of the parties breaks the rules.
  6. Ongoing monitoring — the process by which you review the vendor on a regular basis.

Your organization does all of these things and has for years. The issue is that the rules are not written down, and as a result it is very difficult to demonstrate that the rules have been applied and were applied across the board. Sound familiar?

Cheryl Gross & Associates offers a wide range of Vendor Management Services:

  • Best Practice Review of your program.
  • Development of Vendor Management Programs.
  • Monitoring of existing Vendor relationships.

Contact Us for additional information at:

(617) 426 – 3701

The Business Case for Vendor Management: Lessons Learned

It seems a month doesn’t go by without hearing that a Vendor has compromised customers’ personal and private information. The Boston Globe disclosed that they had inadvertently published subscribers’ names and credit card numbers. Fidelity Investments disclosed that a laptop containing 196,000 current and former Hewlett Packard employees’ retirement information had been stolen. Clearly, these eventualities were contemplated in the FFIEC Vendor Management guidance and speak volumes about reputational and compliance risk. Time and money may never repair the damage. If you think it can’t happen to your organization, you only need to look as far as the monthly credit bureau tapes sent from your core servicer to the credit reporting agencies. If they are sent by mail, carrier or courier, you’re at risk, as they are generally not encrypted.

Let’s roll back the clock to 1995 and examine operational and financial risk by looking at one of the largest Vendor failures in New England—ELSI (Education Loan Services, Inc.). ELSI failed because of the cost associated with upgrading their technology to accommodate servicing requirements related to reauthorization of the Federal Student Loan program. At the time of the failure, ELSI serviced approximately $3 Billion in student loans for roughly 22 Financial Services Companies. Over the course of the next year, we all scrambled to find appropriate servicers. At the end of the day, many Banks chose to exit the business and offer student loans on a fee-for-service basis, and most of us lost money as a result of defaulted, out-of-guarantee loans that were not paid off.

ELSI is a textbook case for a Vendor Management Program. Most organizations got in trouble because we signed the boilerplate servicing contract. We saw the failure coming, but didn’t have a termination provision in the contract. Bottom line, we were locked into the contract until ELSI pulled the plug. Fortunately, to the best of my knowledge, no Banks failed as a result of ELSI’s failure, but many of us, myself included, had a lot of damage to repair.

ELSI taught us many lessons, the most important of which were:

  • Contracts are always signed under the best of circumstances. Nevertheless, we’re responsible for protecting our organizations with audit and operational control provisions, ongoing monitoring provisions, material adverse change provisions and termination clauses.
  • Well-run organizations can fail as a result of changed government regulations that are beyond their control.
  • Outsourcing services contain inherent operational, financial, compliance and reputational risks.

About Us

Cheryl Gross & Associates was founded in 1994. Our goal is to partner with our clients to create economic value and sustainable productivity gains by providing outstanding project management expertise, leveraging internal resources and offering an objective perspective. We create value by providing senior focus and organization to strategic, financially significant opportunities. We deliver challenging assignments that pay for themselves by being accelerated.

Our President, Cheryl Gross, is a financial services professional with over 25 years’ experience in retail banking, private banking, residential and consumer lending.

Ms. Gross has served in positions with Boston Five Cents Savings Bank, Boston Safe Deposit and Trust Company and Household International.

Ms. Gross holds a Master of Business Administration with a concentration in Finance from Babson College, Wellesley, Massachusetts and a Bachelor of Science from St. Lawrence University in Canton, New York.

Would you prefer to receive The Nib via e-mail?

Please call (617) 426-3701

or send your e-mail address to:

Implementing a Vendor Management Program

Establish the Vendor Management guidelines, keeping the following in mind:

  1. Tier the program rigor to the risk and cost.
  2. Ensure that the Vendor Management program dovetails into your Change Management program—you’ll want to expedite small dollar purchases.
  3. When considering risk, review risks to the organization as a whole as well as: the sensitivity of the data; the volume of transactions; the criticality to your business; the implications if the vendor’s business fails; and the risk to existing technology.

Review all in-process vendor selections in the same manner as a regulator would.

  1. Ensure that all tiered processes required of the risk category were followed. If they weren’t, write a memo to file.
  2. Determine which Vendor Management stage corresponds to where you are with the project, and complete all subsequent Vendor Management requirements as described in your rules.

Review all existing vendors against your risk assessment criteria.

  1. Your review should include all areas of the organization, not just IT.
  2. Risk rate existing vendors based on the program criteria. Remember to aggregate all Contracts with the same Vendor regardless of the service provided.
  3. Schedule the ongoing review requirements from the anniversary of the go-live date, according to the tier requirements.
  4. Identify all exceptions. Generally, you’ll find most of your exceptions in the contract provisions.
  5. Consider asking the vendor to modify the contract. If you’re unsuccessful, or don’t want to weaken your position with the vendor, write up the results.
  6. Identify all the exceptions as risks and determine your mitigation strategy.

Vendor Management: What’s in it for your Organization?

We’re sure that this has never happened in your organization, but we’ve seen occasions where businesses have acquired software applications which do not meet their needs, cost considerably more than expected and/or never achieve the anticipated productivity gains. Generally, the problem displays itself in one of the following ways:

  • The Business Unit claims the application doesn’t work the way it’s intended.
  • IT claims they configured the application based on the Business Unit’s instructions.
  • The CFO says the application cost three times the amount that was budgeted. Generally, the cost overrun is the hardware required to support the application.

When we begin analyzing the issues, we generally find that the organization has had four or five vendor demonstrations and selected the software that they believed fit their needs. The result is a very costly error that is attributed to individuals being resistant to change, and everyone has to live with the application until the capitalized costs are expensed.

The reality is that technology is expensive—as a rule of thumb, you can plan on the total hardware and software cost equaling three times the software cost.

In our view, a well-designed Vendor Management Program consisting of the following elements will prevent costly mistakes:

  • Requirements Definition.
  • Service Provider Selection.
  • Due Diligence.
  • Risk Rating.
  • Contract Negotiation.
  • Ongoing Monitoring.

A comprehensive Vendor Management program, when combined with project management, mitigates the risk associated with acquiring the wrong technology tools and provides the following benefits:

  • A Vendor Selection mechanism that aligns the needs of the organization to the best-fit, least-cost application.
  • Establishes the process flows and requirements definition necessary to configure the application.
  • Ensures that the Business Unit and IT are on the same page, with the additional benefit that there are no financial surprises, as all costs are known upfront, prior to acquisition.
  • Affords improved internal and/or external customer service utilizing service level agreements (SLAs).
  • Establishes the mechanism for risk rating and monitoring the Vendor going forward.
  • Provides the metrics against which to measure the Program / Project results.

Message from our President

Hi All—

The focus of this issue is Vendor Management. Many of you view Vendor Management as best practice or a compliance issue. I suspect that few if any of you view it as an opportunity to reduce expenses.

Ask yourself the following questions:

  1. Would we save time and money by identifying the Vendor who most closely matched our needs at the least cost?
  2. Would we save time, expense, aggravation, and embarrassment by preventing disclosure of Customer Information?
  3. Would we be able to offer better customer service by requiring Service Level Agreements?

In my view, a well-conceived Vendor Management Program ensures you can answer yes to the above questions.

I hope you’ve found this newsletter interesting and informative. Your comments are always welcome.


© Cheryl Gross & Associates. All rights reserved.