Vendor management is a tug of war for banks, with the cross-institutional efficiencies claimed by shared assessments of vendor security and the traditional surety of proprietary consultant-led vetting yanking hard on opposite sides of the rope.
How much sharing banks should do with other institutions is a tough decision for CIOs and CROs, and even the forces that advocate shared assessments say convincing banks to fully relinquish proprietary controls is a challenge.
"One of the biggest challenges to the SIG and AUP is the continued use of each bank's specific proprietary questionnaires and onsite review procedures which have been tailored to that institution's specific vendor management processes," says Charlie Miller, an independent consultant to the Santa Fe Group, which manages the BITS Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP).
The Santa Fe Group is taking advantage of a poor economy and consolidation of service providers to push hard for adoption of its cross-institutional vetting standard.
Participation in the past few years has grown from an original half-dozen participants to more than 70 banks, tech firms and other organizations - including Citigroup, JPMorgan Chase, Goldman Sachs, Merrill Lynch, US Bank, Wells Fargo, Yodlee, non-financial firms such as Target, international users such as Bank of Tokyo, and Indian vendors Infosys and Wipro. Sources at a recent BITS event in Chicago said the participants are able to complete about 70 to 80 percent of their vetting via the SIG, with proprietary programs completing the rest of the job.
Most banking consultants offer vendor management services and analysis that could be curtailed if proprietary vetting were replaced or superseded by a standardized assessment. Since that would eliminate a source of revenue for the consultants, who often help develop the RFPs for an IT project, the practical effect is that adoption of the SIG standard is what gets curtailed instead. "In the wealth management industry, for example, if you're outsourcing controls there may be domain knowledge that a service provider may have to have. So you'll want to do additional investigations into those issues," says Rod Nelsestuen, a research director at TowerGroup, which through its consulting division offers its clients a methodology that allows for both broad coverage of vendor management issues and variable drilldown based on client needs. The consulting arm also makes use of weightings based on how important each area is to the client's business.
Michael White, vp of information protection, Bank of America, says an argument in favor of SIG adoption is substantial time savings. The program's ability to share and quickly update the questionnaires has helped reduce average supplier vetting time at BofA to one day from three, and White hopes the SIG - currently used in concert with proprietary vetting - will be fully deployed in about a year. "There are always new regulations being introduced, and being part of shared assessments eases the burden," White says.
And Tim O'Brien, an svp for Yodlee, which has about 100 clients, says the company proactively "pre-screens" itself by answering the SIG questions beforehand - a process that turns an average 75-hour proprietary audit into an 8-hour procedure.