You can outsource the business function, but you can't outsource the risk.

Manage Vendor Risk by Following the 8-Step Outsourcing Process

Regardless of the business function your institution outsources (information technology, operations, finance, human resources, legal, sales, or marketing), it does not outsource the associated risk.

Even if your vendor is responsible for day-to-day management of certain products or services, the responsibility for all compliance requirements resides with your institution.

Third parties can help your institution reduce costs, improve earnings, and enhance product quality. An effective vendor management program will help you maximize those benefits.
But a successful vendor relationship does not end when you negotiate a good price for a vendor’s product or service. By setting up an outsourcing process and monitoring your vendors’ performances, you help ensure that your company meets its long-term strategic goals.

Gathering all the available information will help you design a formal and written vendor management program. The program’s scope will depend on the size, scale, and complexity of your institution, but in any case, it should provide guidance on due diligence, risk assessment, contract structuring, and oversight.

Like every product and service, vendor management has its own life cycle. Regardless of your institution’s size, your outsourcing program will move through eight stages.
Regulators have consistently advised banks to oversee vendors just as they would any division of the bank and will hold the bank accountable for any vendor-related risk management lapses.

Stage 1

Discovering a Business Need

The business unit determines it needs to improve an existing process, reduce costs, or create a new product.

Once the need is identified, a cost-and-benefit analysis is undertaken. A decision is made to either use internal resources or outsource the work.

Stage 2

Deciding to Use Outside Resources

Banks usually seek outside help because they believe the vendor can do the work faster, better, and/or for less money. Because they are constantly looking for ways to improve existing processes, institutions entering into relationships with third parties make the common mistake of looking only at short-term benefits.

To better understand how a third-party relationship can affect a business, decision makers should be familiar with the company’s strategic long-term goals and review potential vendors from the standpoint of how they may affect the company’s risk profile.

Stage 3

Developing the Scope of Work

Make sure that the scope of work syncs with the needs assessment determined in the first stage.

If your institution maintains a list of vendors in a central location, review that list to see if it makes sense to expand the relationship with an existing vendor rather than hire a new one.

Stage 4
To ensure you select the best vendor, ask subject-matter experts to review proposals and information from candidates.

If the vendor will handle a core business process, management and stakeholders should also review the documents.

Stage 5

Conducting Due Diligence

Be aware of increased vulnerability in the areas of strategic, reputation, compliance, transaction, operational, social media, credit, and other risks. The board of directors and senior management should plan how to mitigate those risks and how to address them when they occur.

Consider preparing a registry of potential risks that specifies the source of those risks as well as possible effects on your operations. Use a quantitative measure. Scenario testing eliminates the surprise if the risk becomes reality. It also shortens your response time when problems occur.

Be aware that regulators are looking at how institutions manage technology risk, and they expect you to have a process in place for managing the service providers that handle customer information so that it is safeguarded. They expect you to know where your customers’ information is stored and how it is disposed of when no longer needed.

You should also know what safeguards the vendor has in place to prevent employees from stealing information with their personal devices. This knowledge will allow you to plan better and to protect against unauthorized access to (or use of) customer information, as required by the Gramm-Leach-Bliley Act.

Stage 6

Negotiating Contracts

Make certain that the contract includes the right to audit third parties and their subcontractors.

The contract should require the vendor to notify the bank if the vendor experiences financial difficulty, catastrophic events, a change in its strategic goals, or significant staffing changes.

By including exact, quantifiable parameters in the contract, you will establish clear expectations regarding the vendor’s responsibilities.

The contract should also specify consequences if the expectations are not met. If incentives for superior performance are to be awarded, they should be included in the contract.

Precise contractual criteria also make it much easier to measure and assess your vendor when conducting your ongoing due diligence.

Stage 7

Monitoring Performance

This is the most important part of managing your vendor relationship effectively. Your institution can easily prove that it stays on top of overseeing third parties by creating a logbook for each vendor. Being able to document that certain weaknesses have been escalated with a vendor shows that you are constantly monitoring the vendor’s performance, acknowledging the risk, communicating the risk, and, most of all, managing the risk.

Institutions often concentrate only on managing their significant vendors because of limited resources and technologies. They use various criteria to determine the significant vendors, but in most cases, high-risk vendors are those that:

  • Have a material effect on the institution’s revenue or expenses.
  • Perform core and critical functions.
  • Handle sensitive customer data.
  • Deliver a service to a large number of customers.

The bank also should consider reviewing the performance of medium- and low-risk vendors. Knowing the technologies your vendors use is one of the most important factors in your contingency plan.

Even if the line of business manages the vendor’s performance, key information about your vendors should be kept in a centralized location. Doing so will allow you to see patterns across vendors that no single line of business would notice. For example, some of your medium- and low-risk vendors may store their data in the same cloud: a business disruption of one low-risk vendor may not significantly affect your day-to-day operations, but if multiple vendors were affected at the same time, this could disrupt your business operations on a large scale.

Stage 8

Terminating or Renewing Contracts

Subject-matter experts review the business need for the vendor and determine if it has changed or if the bank currently has the capability to perform the function in-house.

Based on the vendor’s performance and existing market competition, it may be more advantageous either to continue with the existing vendor or to transition to a new relationship without a service disruption.

Be familiar with your vendor’s contingency plan in case of emergency, but also have your own contingency plan in case your vendor becomes unreliable and the relationship must be discontinued.

About RMA

The Risk Management Association (RMA) is a not-for-profit, member-driven professional association serving the financial services industry. Its sole purpose is to advance the use of sound risk management principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk, operational risk, securities lending, and regulatory issues.
