What’s one of the scariest things that keeps a bank CEO up at night? Two words: data breach.
Hi, and welcome to Lender Performance, your guide to becoming a better lender. I’m your host Jessica Stone, a PrecisionLender client success manager. Thank you for joining us. Today we are speaking with PrecisionLender’s Vice President of Information Security, Chris Nelms. Chris recently wrote a great article for Bank Director magazine about how to strengthen your vendor management process, so we’re excited to have him with us today. Thanks for being on the podcast, Chris.
Glad to be here Jess.
Chris before we get started, can you tell us a little bit more about your career and your current position here at PrecisionLender?
Currently at PrecisionLender, I’m in charge of our vendor management, our due diligence and our overall general security for our application and our software. Previously, I’ve actually worked at two banks, and it’s one of those things that you just never forget; you enjoy banking. I have both sides of the coin here, selling to banks and actually being the person at the bank.
Awesome, I think that’s definitely a helpful perspective in this conversation. Chris, you begin your article in Bank Director magazine by asking what is one of the scariest things that keeps a bank CEO up at night, to which the answer is a data breach. My question to you is, what does a data breach have to do with vendor management?
Perfect question, let me give you an example. The Target corporation had 40,000,000 credit card numbers exposed and eventually settled for $67,000,000. In 2014, we saw bigger companies in the headlines such as Home Depot and Sony fall victim to the same fate. Target’s breach came through the HVAC vendor that had access to the retailer’s network. When you think about vendor management, you want to make sure that you have every entry covered, and while you may have robust vendor management and security access inside of your bank, your third party vendor may not. That’s where they found their way in, and it was easier for them to go through the HVAC vendor than to try to break into Target directly.
Wow, that’s really interesting. I certainly didn’t know that. That’s a really interesting case study. Before we get started, to any lenders listening today who think that maybe this doesn’t have anything to do with me, I don’t have the responsibility of checking our vendors and that type of thing: I think this is actually really important for lenders to think about too, because more and more customers have to do due diligence on everyone that they work with.
Someone who might be coming to you to check their rate and talk to you about a loan, if you move forward together, might have to later come to you and talk about security questions. Also, a lot of banks really pride themselves on being stable and secure, and you want to do business together. If you look up a bank on Yelp or on Glassdoor, all these online reviews, you want to make sure that you can feel really confident in your security, and vendor management is one of those things where you can really feel like your customer is going to be doing a great job by doing business with you.
Hopefully this is applicable for a lender as well as for some folks higher up in a bank who might be dealing with vendors on a day to day basis.
Chris, in your article you outlined seven steps that companies should take to reinvent their vendor management process. Let’s talk about what step one is.
Step one is the first and foremost thing you need to do. Vendor management needs to start at the top; you need to obtain executive sponsorship. That’s not just the CEO, but that’s also board level. You need to make sure that you have someone behind it who can lead the charge, and who can also ultimately be responsible for implementing it inside of your bank.
Great, okay, so the next two steps are to create a vendor management committee and a centralized vendor management program. Can you talk about the importance of those two, and how people might go about that?
The vendor management committee is important because you need people from different departments, because they touch different aspects of the vendor. For example, you may have someone who is in legal, someone who is in compliance, someone who is in IT. They each bring a specific skillset to the table, and only they can evaluate a certain part of that vendor. You need to make sure you have multiple people from multiple areas inside of that committee.
Diversity here is really crucial.
Absolutely. The second piece on this, creating a centralized vendor management program, is making sure that no one single person is responsible, because if you distribute that amongst the team, it’s more of a collaborative effort.
Okay, great. This next step is a really important one. What is step four?
Step four is gain buy-in. What you need to make sure you do is involve the entire bank, or the people that are dealing directly with the vendors, inside of the decision. One thing you mentioned earlier about involving the lenders is that even though they may not be directly responsible for the vendor management, they will be responsible for the vendor that they bring in. There’s a lot of reports, and a lot of financials, and a lot of things that they need to get for the vendor management committee. That’s why it may also pertain to them as well.
Okay, and so after buy-in and getting the whole bank on board, what should a company do next to assess current vendors as they’re kind of moving forward? We know what has to be in place moving forward, but what about people that are already in with you?
Sure, at a previous bank that I worked at, we did the vendor inventory, and before we realized it, we had over 300 different vendors. Some of those vendors were also duplicates, so they did the same service, the same process, and we were able to consolidate that. There was a money savings there as well. With the vendor inventories, you need to make sure you know where your information is at all times, who has access to it, who their third parties are, which are also referred to as fourth parties, and to make sure that you know who you’re doing business with. It’s the best practice there.
Okay, I think step six kind of comes right after that, categorizing all the vendors. A little bit of detail on that, Chris?
Absolutely, you’re not going to have the same rules around someone who does your lawn maintenance or the snow removal for your bank as you would around someone like your core data provider. Just make sure that you categorize all vendors into certain categories, and this is where you can identify your critical and high risk vendors, and really where those come into play is whether they have access to your customers’ personally identifiable information.
Yup, okay. Now that vendors have been inventoried and cataloged, what comes next? What’s that step seven?
Remove the silo, making sure that one person isn’t responsible again. Make sure the documents are saved to a shared resource. Everyone involved should have access.
Great. Okay, Chris, those seven steps are certainly important. I think that’s going to be really good for folks to use moving forward. Thinking back to that Target example you gave at the start, if Target had used these seven steps, how would that have helped them?
I think they would have realized that the HVAC vendor had access to their systems when maybe they shouldn’t have. They could have had additional steps or due diligence around that particular vendor. I think number six, categorize all vendors, and making sure you know where your data is at all times and who has access to that data.
When vendors are asking people for their… Actually, I’m going to back up. We have a word here in our notes, SOC reports, that I realized I don’t know what that is. Can you talk maybe about what that is and how it’s part of due diligence?
Sure, SOC stands for statement of controls. It is a report that a third party audit company will review. It basically goes through a year of our processes, our security practices, and the third party checks those statement of controls to make sure that they’re operating efficiently. It’s our way of showing to our clients that we are operating under strict controls and it has been tested by a third party.
Great. What we wanted to say is that when you’re walking through these SOC reports on an annual basis, really keep these in mind: are you just checking the boxes because this audit is coming up, or are you going that step further to really make sure that you are ensuring the safety of your company through further due diligence with your vendors?
Absolutely, and again if you’re checking boxes, you’re doing it all wrong.
I have worked at a place before that did that. Remember the old projector overheads, where you could overlay the transparency and check off exactly if those answers were wrong or right? They did that, but those questions mean a lot. You want to make sure to review the financials, make sure the company is in good standing, make sure the company has their SSAE 16 or SOC report. It’s more than checking those boxes, and you need to make sure that you have someone who understands them, not just someone that you’re going to hand it off to and say, “Here, we need you to take care of this, because it’s a requirement.” Make sure that you put forward the effort to find someone, or to train someone, who can work with those appropriately.
Okay, well thank you so much for that insight, Chris. One thing I wanted to add before we wrap it up is that there are a couple of overarching thoughts on working with vendors that came up while doing research for this article. James Bucki wrote on About.com about tips to make vendor management a win/win. I just want to touch on that before we finish up. Two that stuck out to us were, first, allow key vendors to help you strategize. The reason you brought in a vendor was because they have a product or a service that is going to make you better, do things more efficiently, do things cheaper. They’re experts.
Really, when you’re working with someone, make sure to bring them in and let them help you strategize on how to do things to the best of their ability. You don’t want to pay all this money and then kind of say, “You know what? I figure I probably understand how to use this.” Bring folks in to make sure that you’re maximizing your investment in the vendors that you do bring in. You’ve done all this work to bring them in, so make sure that you’re really using them to the best of their ability.
Then the next one is to build partnerships for the long term, and this is also kind of my feedback on security: vendors really work best when you have long term relationships. It isn’t just these short term things, where you’re changing people over to save money here or there. Over the long term you really develop trust and access to expert knowledge with a vendor, and I would assume, I guess I’ll ask you Chris, it seems like rather than doing this a zillion times, with checking the boxes, if you develop relationships with vendors that you feel know what they’re doing, that have our security in mind just as much as we do, that seems like a partner that you want to keep for the long run.
Absolutely, we have a lot of clients who may not have a dedicated vendor management person, but they can lean on us for our procedures, and we have a vendor management packet that we give out to folks. We’ll work with our clients to make sure that they have the resources needed to not just check the box, but to have a meaningful audit, and to make sure that it counts.
That’s great. Yeah, I know we have a lot of vendors that we have worked with for many years, and it’s the same thing: we feel like we can lean on them and we can go to them with questions. That always kind of takes the weight off when you have that kind of relationship.
Absolutely, and there’s another thing that you mentioned about saving money. You should never choose a vendor strictly based on price.
I know in banking you always want to make sure that you have the cheapest possible because you have a responsibility to your shareholders. Again, bottom line price isn’t what you should look for. You should look for a couple of things, security being one of the main focuses, their overall help with the company, and also make sure that they’re going to maximize what you can bring back to your shareholders at the bank, because you have a responsibility to them at the end of the day. Don’t focus just on price; again, it’s … we always know it’s a big topic, to make sure you get something that’s meaningful to your bank.
Awesome. Thank you, Chris, for speaking with us today. That will do it for us. We will link out to Chris’s article on the website at precisionlender.com/podcast. If you like what you’ve been hearing, please subscribe to us on iTunes, SoundCloud or Stitcher. We’d love to get ratings or feedback on those platforms. Thanks for listening. Until next time, I’m Jessica Stone and this is Lender Performance.
The post Seven Steps to Strengthen Your Vendor Management Process appeared first on PrecisionLender.