COLUMBUS, Ohio -- Corporate One Federal Credit Union will present a vendor risk management program at its Enterprise Wide Risk Management Conference in Chicago next month.
Vice President of Risk Management Joe Ghammashi developed interest in the topic after hearing stories of credit unions increasingly being burned by vendors, particularly by vendors with little to no history in the credit union industry.
"We've all heard about the credit unions that got involved in Florida real estate scams, and some credit unions that got involved with out of state indirect lenders that didn't turn out to be a scam, but the loans were less quality than expected," he said. "Some credit unions have become so dependent upon vendors, it can be very devastating if something goes wrong."
The NCUA even weighed in on the topic late last year, when it released a supervisory letter advising examiners to pay closer attention to the effect vendors and third-party relationships could have on safety and soundness.
Vendor risk isn't only found on the income earning side of the balance sheet. When Madison, Wis.-based statement printer LaserTech closed its doors out of the blue last month, it sent credit unions scrambling to get the required documentation out on time.
Prospera Credit Union, a $147 million institution in Appleton, Wis., had statement paper and electronic files standing by at LaserTech when it shut down. CEO Ken Eiden said as soon as he heard the news, he sent a driver two hours southwest to Madison to collect the materials, while he researched his options.
Eiden said Prospera's core processor, CU*Answers, was able to produce account statements with Prospera's logo and deliver them to members only a couple of days later than normal.
"We were in a unique position, through our disaster recovery system, to respond to this," Eiden said. "And since CU*Answers does statements already, it wasn't a big stretch for them to add one more."
Despite the Hollywood ending, Eiden said the experience has made him a believer of the NCUA's recommendations to bulk up vendor due diligence.
"It was a good lesson to learn, and as we seek a new vendor, we're obviously applying a whole new set of standards," he said.
Four-Step Vendor Program
Ghammashi recommended a four-step procedure to manage vendor risk: need justification, vendor research and selection, contract negotiation and an ongoing post-selection tracking effort that ensures the vendor is meeting contract expectations and maintaining strong financial health.
Quantifying the need for an outside vendor is an important step that should include a component of risk, he said.
"Especially if the credit union is getting into a new line of business, the entire process must start with a good business model and solid justification," he said.
The vendor selection process must include enterprise-wide risk management, Ghammashi said, which involves examining the effects the vendor will have on the entire organization. Successful enterprise-wide risk management includes a vendor selection team made up of representatives from each department that can identify incompatibility or processes' snags more quickly and comprehensively.
Ghammashi said he learned the value of enterprise-wide risk management early in his career, when he was chosen to select an asset-liability management software provider.
"I was the company expert on ALM, so I chose the model, negotiated the contract and paid for it, only to later talk to IT and learn we couldn't support the platform," he recalled. "As you can imagine, a bunch of people weren't happy with me, but you learn from those experiences, and I learned vendor selection is an enterprise-wide activity."
The contract award phase is an opportunity to put not only the negotiated prices, but also deliverables and expectations, into writing. Getting the legal team involved is crucial during this process, he said.
"A lot of times we do business with handshake, and there's nothing wrong with that kind of relationship," he said. "But, if the details aren't communicated to the legal side, they can't help if the deal goes bad," he said.
The post-selection process ensures that a credit union continues to receive value for the expense and tracks a vendor's financial condition so credit unions can see the next LaserTech coming.
"Nowadays, we sign three- to five-year contracts. In year two or three, we should ask ourselves: Is this vendor still best of breed?" he said.
Ghammashi shared another personal experience with post-selection evaluation that helped him avoid indirect lending losses.
"We had a tracking methodology where we tracked delinquencies by dealer and noticed two dealers in particular had different delinquency ratios. Sure enough, it turned out there was fraud," he said.
Size vs. Risk
Small credit unions aren't off the hook when it comes to developing a prudent vendor-tracking program, Ghammashi said.
"I hear that time and time again, credit unions saying they are too small to manage the risk," he said. "Well, I would respectfully say, if you're too small to manage the risk, you're too small to be in the business."
Larger credit unions claiming they're too busy aren't exempted, either. In fact, he said, the ability to manage risk should be addressed up front, as the credit union justifies the need for the vendor in the first place.
"We tend to make business decisions hoping things won't go wrong and don't allocate resources to assure it doesn't," he said. "To me, risk is part of the cost of doing business."
If credit unions place more weight upon the justification process, he said, they might choose to find more creative collaboration solutions with other credit unions, rather than select an outside vendor.