As a vendor, we’ve filled out many Requests for Proposal (or RFPs) from banks. The more we fill out, the more often we find ourselves taking a step back and asking, “What’s the goal here?”
Many banks have developed a standard RFP template that’s used for all vendors. And understandably so. An all-encompassing RFP ensures that no regulation or law has been overlooked. However, in doing so they’ve created a mammoth RFP that’s difficult for vendors to respond to and even tougher for their Vendor Management department to review and analyze.
And it often isn’t tailored to the vendor and/or service being reviewed. If a bank is looking for a vendor to print t-shirts for an upcoming event vs. a vendor to provide an accounting software solution for its Wealth division, they’re not going to ask those vendors the same questions, right?
The Right Questions at the Right Time
For the RFP to be most efficient and effective for all parties involved, there should be an initial internal vendor risk assessment or questionnaire completed by the business unit wishing to engage with the vendor. That internal assessment or questionnaire should then be used by the vendor management group to shape the RFP.
The questionnaire should seek to determine the inherent risk rating of the vendor. That rating then determines the complexity of the RFP, since a higher inherent risk rating means the bank will be looking for more mitigating controls. Sticking with the example above, if a bank is looking for a t-shirt printing company it may only be concerned with the vendor’s turnaround time; if it’s looking for an accounting software solution for its Wealth division, its RFP is going to examine the risks associated with access control, data handling, disaster recovery, and physical security, just to name a few.
Having internal business units complete the questionnaire on the front end will not only better refine the RFP process in general, but it may also enable business units to proactively screen less favorable vendors ahead of the RFP, by asking questions of their potential service providers they may not have asked on their own. In the course of gathering this information, they may determine the vendor has a risk profile that simply doesn’t match the bank’s comfort level, saving the bank (and the vendor) the wasted time and effort of a pointless RFP process.
Bringing in the Experts Earlier
While having that questionnaire gets the business units thinking about the right questions at the right time, it doesn’t guarantee they’ll have the right answers. Unfortunately, we’ve learned this through experience. Actually, multiple experiences.
(Warning: This next paragraph contains lots of security nerd speak. Stick with us. It will all make sense in a bit.)
When we’re working with a bank, all communication is encrypted in transit with industry-standard TLS (the protocol that superseded SSL). We also use Azure SQL Transparent Data Encryption (TDE) to encrypt all databases at rest. The type and amount of data stored within the application depends on whether a bank purchases and activates an optional module that requires more captured data than the others. That module lets clients feed existing commercial relationship data into PrecisionLender on a scheduled basis. If this option is selected, cryptographically hashed versions of account numbers, rather than the account numbers themselves, may be provided through the feed.
What does that really mean? PrecisionLender doesn’t actually receive or house confidential customer information because full account numbers do not leave the bank’s network and are not present within PrecisionLender. And yet we’re almost always given an RFP that assumes we will be housing confidential information. Thus we wind up answering the sort of questions and providing a level of documentation that would be required of a vendor with a higher inherent risk rating. We’re not asking for your sympathy, but you should feel sorry for the poor souls at the bank who have to read a lot of irrelevant answers and documents in that RFP.
Why does this happen? Because typically someone in the business unit, while doing their best to answer the security questionnaire, has made an understandable mistake. They’ve assumed that the relationship data banks feed into PrecisionLender includes full account numbers that will be housed there, and they say so in the questionnaire. This leads to an RFP that doesn’t match our actual inherent risk rating.
Again, it’s an understandable mistake; one that can be avoided if the bank’s security experts play a role earlier in the process. If they’re available to help with the questionnaire, then – as mentioned before – more vendors get correctly screened out ahead of the RFP and the bank’s purchasing unit is better able to ensure it sends out the right sort of RFP to the vendor.
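The paragraphs above say what crosses the bank boundary (hashed account numbers) but not how the hash is built, and that detail is exactly what a reviewer scoring inherent risk should ask about. An unkeyed hash of a short numeric identifier is a pseudonym that can be reversed by simply hashing every possible account number and comparing; a keyed hash (HMAC) with a key that never leaves the bank cannot be reversed that way, yet it still gives the vendor a stable token to join records on. The following is an added example written for this article, not PrecisionLender’s code, and it assumes 10-digit numeric account numbers, a bank-held 32-byte key, and made-up sample accounts and field names.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data for this example only: made-up 10-digit account
# numbers of the kind that, per the article, must stay inside the bank.
SAMPLE_ACCOUNTS = ["1234567890", "1234567891", "9876543210"]

# Assumption: the bank generates this key once, keeps it in its own secrets
# store, and never ships it to the vendor. The vendor only ever sees tokens.
BANK_KEY = secrets.token_bytes(32)


def plain_token(account_number: str) -> str:
    """Unkeyed SHA-256 pseudonym (hex). Deterministic, but guessable."""
    return hashlib.sha256(account_number.encode("ascii")).hexdigest()


def keyed_token(account_number: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Without `key`, hashing candidates is useless."""
    return hmac.new(key, account_number.encode("ascii"), hashlib.sha256).hexdigest()


def build_feed(accounts: Iterable[str], key: bytes) -> list:
    """Shape of a scheduled relationship feed: tokens plus relationship data,
    never the raw account number. Field names are assumptions for the example."""
    return [
        {"account_token": keyed_token(a, key), "relationship_type": "commercial"}
        for a in accounts
    ]


def feed_leaks_raw_accounts(feed: list, accounts: Iterable[str]) -> bool:
    """Reviewer check: does any raw account number appear in any feed value?"""
    values = [str(v) for row in feed for v in row.values()]
    return any(a in v for a in accounts for v in values)


def recover_by_guessing(token: str, candidates: Iterable[str],
                        token_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker-side dictionary attack: hash each candidate with the function
    the attacker believes was used and compare against the observed token."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def candidate_space(prefix: str = "12345678", width: int = 2) -> Iterable[str]:
    """Tiny stand-in for the real search space. A 10-digit numeric account
    number has only 10**10 possibilities, which a single modern GPU hashes
    through in seconds to minutes; we enumerate 10**width to keep this fast."""
    return (f"{prefix}{i:0{width}d}" for i in range(10 ** width))


def demo() -> dict:
    target = SAMPLE_ACCOUNTS[0]
    attacker_key = secrets.token_bytes(32)  # attacker does not know BANK_KEY
    return {
        # Unkeyed hash: the account number is recovered from the token.
        "plain_recovered": recover_by_guessing(
            plain_token(target), candidate_space(), plain_token),
        # Keyed hash: same dictionary, wrong key, nothing recovered.
        "keyed_recovered": recover_by_guessing(
            keyed_token(target, BANK_KEY), candidate_space(),
            lambda c: keyed_token(c, attacker_key)),
        # Tokens are stable, so the vendor can still join records across feeds.
        "tokens_stable": keyed_token(target, BANK_KEY) == keyed_token(target, BANK_KEY),
        # And the feed itself carries no raw account numbers.
        "feed_leaks": feed_leaks_raw_accounts(
            build_feed(SAMPLE_ACCOUNTS, BANK_KEY), SAMPLE_ACCOUNTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and `plain_recovered` comes back as the original account number while `keyed_recovered` is `None`; the keyed token is still stable across feeds, so the vendor can match records without ever holding the number. The questionnaire item is therefore not just “are account numbers hashed?” but “with what construction, and who holds the key?”, and the answer is what justifies a lower inherent risk rating.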
Check Them Out … Then Keep Checking
When it’s time to evaluate the vendor’s responses, you should be seeking to not only identify the risks posed by the vendor and gauge the vendor’s ability to mitigate those risks, but also to grade the vendor’s ability to meet your expectations in the future. A vendor should then be assigned a residual risk score (inherent risk – mitigating controls = residual risk).
Similar to the way the inherent risk rating shapes the RFP, the residual risk rating should determine the level of future scrutiny and the cadence of ongoing risk reviews. Just like anyone in the courting stage, vendors are going to put their best foot forward in their response to an RFP. But will they continue to do so once they’ve landed the contract?
Also, the security risks a bank must combat aren’t static. Will your vendor continue evolving and upgrading to match them? The only way to be sure is continuous monitoring: review their financial status and insurance coverage, confirm they are adhering to your SLA, and check whether they’ve received any negative press lately. For vendors with access to confidential data, or the ones you depend upon to ‘keep the doors open’, you may also want to check the most recent updates to their Information Security Policies & Standards or their Business Continuity Plan.
All in all, it’s about the questions you ask and when you ask them. Ask the right questions to the vendors you’re vetting and you’ll receive the answers you need to make the best decision for your bank. RFPs should not be a catch-all; they should be a way of digging below the surface and getting to the truly useful information.
It sounds great, but determining which questions to ask is often difficult. That’s why we’ve included a chapter on this in our book Earn It. You can read more here: Chapter 9 – Choosing the Right Tool.