December 30, 2020

Mick Kless, CEO

A while back, one of our community bank clients selected a new automated vendor management solution from a well-known vendor in the industry. The client and vendor will remain nameless for confidentiality purposes. My direct client contact was the Vendor Program Manager, who was also a part of the Accounts Payable team, reporting up through Finance. A reorganization moved the Vendor Management function to the Enterprise Risk Management (ERM) department, which was certainly not unreasonable. ERM, which had never previously touched the vendor management program, decided to issue an RFP for a new vendor management solution. The RFP was led by the Vendor Program Manager, since that person had experience, understood 3rd party risk and knew the functionality required to meet the day-to-day vendor management tasks. After evaluating vendor responses, seeing demos and speaking with the vendors, the evaluation committee selected a vendor and made its recommendation to the Chief Risk Officer (CRO). The CRO overruled the selection and chose a different vendor based upon smoke, mirrors, vaporware and promises, which the well-known vendor is well known for. Yes, that’s right: a vendor who claims to be a leader in the vendor management industry playing bait and switch, avoiding contractual commitments, selling things that don’t exist. Ironic, no? Here is an email exchange I had after they had been in the implementation for more than a year, and this is a financial institution under $5B in assets:

“Honestly Mick - it is still not fully functional. It was a pipe dream to think that we could have [vendor] sponsors using and maintaining the records of their vendors. Our sponsors are not engaged. But the requirements that it entails places too much of a burden on the sponsors and it would take years of training to get them to use it properly. I have figured out workarounds. There were features missing that they promised they’d have but those are now considered upgrades and there are fees. Obviously I am not paying for the addition of all of these “features” which should have been there to begin with. I am not happy and the software did not automate my process. I had two dedicated people under me helping. And because the software was supposed to automate and take the place of two people I lost both and now it’s just me. I cannot put into words how disappointed I am. I now work 65-70 hours per week. We are in the second year of this contract (we have paid for two years) and if this thing is not up and running properly by March I may have to bite the bullet and suggest moving to another solution. The vendor support isn’t there either.”

Ouch! This should not have been rocket science. DON’T LET THAT HAPPEN TO YOU! What might the institution have done to protect itself? Discussion points are certainly welcome. As those who have taken our Certified Regulatory Vendor Program Manager (CRVPM) course know, the contract is the most important control in the outsourcing process so there are certainly contractual T’s & C’s that could have protected them. How about any of the following:

  • Trust the recommendation of those who understand what’s needed and which vendor can deliver it. Why else did they spend so much time and money on the RFP process!?!
  • Contractual definition of what “fully functional” means
  • Contractual deadline for fully functional implementation (with detailed statement of work showing tasks and timelines) that includes penalty fees for every day or week or month that it’s late.
  • Contractual Pilot Period/Proof of Concept to show it works as advertised
  • Proper outsource planning so that the Vendor Program Manager would not have lost headcount until the system was fully functional and shown to save man hours.
  • Contractual commitment for the “promised” features to be delivered within a certain time frame and at no additional charge
  • Appropriate Termination T’s & C’s for cancellation
  • Contractually defined T’s & C’s for a refund

If the vendor is hesitant to contractually commit then that’s your first red flag. Protect yourself, your institution, your customers and obtain promises in writing with contractual terms and conditions around them so you have recourse!

https://compliance-edu.com/3rd-party-toolbox/

https://compliance-edu.com/crvpm-level-1/