When vendor management at Community Choice Credit Union become splintered and inefficient, the cooperative formed a risk team.
The team meets monthly for reviews and to rate risk for each vendor relationship.
Vendor management also is enhanced with a new storage system that keeps contracts and reviews organized and accessible.
Community Choice Credit Union ($1.0B, Farmington Hills, MI) has taken a committee approach to smoothing out a thorny issue for many a credit union: vendor management.
Jeff Dubey, the suburban Detroit cooperative’s vice president of risk management, discovered the problem not long after he came aboard in August 2015 and couldn’t get consistent answers to what he thought were simple questions: When was this vendor last reviewed, and where is it?
Everybody thought somebody else was responsible for vendor management, Dubey says. Nobody was doing what needed to be done.
CU QUICK FACTS
Community Choice Credit Union
Data as of 12.31.17
HQ: Farmington Hills, MI
12-MO SHARE GROWTH: 23.2%
12-MO LOAN GROWTH: 15.6%
As the credit union’s list of suppliers grew, overseeing them had become splintered and reliant on multiple, disparate documents and inefficient communications among stakeholders. This at a time when examiners had begun ramping up scrutiny of the risks presented by third-party relationships and how well credit unions understand them.
So, Community Choice overhauled its processes, centered around a new risk rating system. We’ve also centralized all our information so it’s easy to see and find, Dubey says. And they’ve centralized responsibility. ContentMiddleAd
Strategy is a process. That’s why Callahan & Associates has developed team learning experiences that help executives become more effective, make better strategic decisions, and ultimately thrive together. Learn more today at Callahan.com/strategylab.
Community Choice now has a risk team, a group of four people ? Dubey, a compliance specialist, accounts payable clerk, and IT specialist ? who meet monthly to review new and existing relationships.
The committee asks questions such as what the impact would be if the vendor went out of business. Fairly low for an auditor, quite high for a credit card processor, for example, Dubey says. The level of risk also determines how often a contract is reviewed, some every year and some only at the time the vendor is first onboarded or when the contract renews.
The risk assessments and vendor reviews are organized with Excel spreadsheets that allow easy sorting by such factors ask risk level and contract renewal dates.
Our regulators were happy with the process when they visited in 2017. It’s organized, consistent, and easy to understand. The few recommendations they provided were also easy to implement.
5 Ways To Improve Vendor Management
Community Choice is a part-owner of the Member Driven Technologies CUSO, which hosts and integrates Symitar’s Episys core platform. Here, Matt Baaki, chief technology officer at MDT, shares five best practices for credit unions to improve vendor management.
- During the selection process, perform comprehensive due diligence that expands further than the stability of the organization.
- Conduct ongoing risk assessments and vendor audits.
- Hold face-to-face meetings on a recurring basis to maintain strong relationships with key resources.
- Conduct strategy sessions to maximize the potential of the relationship.
- Measure the performance of the vendor, including product and internal/external utilization.
The risk team’s compliance specialist is an attorney so only the biggest contracts go out for third-party legal review. We do probably 90% of them in-house, Dubey says. The legal eagle pays particular attention to pricing, working to ensure the credit union doesn’t see rates bumped up during times of change, such as mergers that bring in thousands of new members.
The IT specialist, meanwhile, has a strong understanding of IT audits and the technology providers themselves, especially useful when so much of the relationships now involve pass-through companies. Examples of that include the digital banking provider from Jack Henry & Associates which flows through the Symitar Episys platform which itself is provided through the Member Driven Technologies core processing CUSO.
It can get confusing, but we have to stay on top of it, Dubey says. That’s why sometimes we have to really rely on MDT, because a lot of times these are the CUSO’s preferred providers, so they provide discounts and economies of scale, and our CUSO understands these relationships very well.
The Community Choice risk teams uses a clear set of risk criteria based on operational demand, member information, reputation risk, and contract complexity to rank vendors as low-, moderate-, or high-risk.
This shows part of the table of risk factors used by Community Choice to assess new and existing vendors.
The risk team asks the tough questions, makes recommendations for changes, and does the reviews and approvals. But it doesn’t work alone. There’s also the Enterprise Risk Committee.
The ERC comprises senior executives and managers who provide another set of eyes to help when our risk committee encounters a hurdle we can’t move past, or we feel like they should be involved in the conversation, Dubey says.
According to Dubey, four pieces of the process are essential to his team’s success:
- Defined risks. The risk team sets clear parameters so credit union staffers across the organization understand what falls under low-, moderate-, or high-risk.
- Easy sorting. The risk team also has a straightforward way to determine which vendors present what risk.
- Assigned ownership. The risk team owns the vendor management process at the credit union. This allows the team to run the process according to how it wants things done.
- Regular check-ins. The risk committee at Community Choice has positive momentum because it meets regularly and reinforces the processes.
Community Choice implemented its new vendor management process not long after Dubey arrived two-and-a-half years ago. Last year was the first full year of implementation, and, so far, it appears to be a resilient solution to what was a difficult problem.
Our regulators were happy with the process when they visited in 2017, Dubey says. It’s organized, consistent, and easy to understand. The few recommendations they provided were also easy to implement.
One recommendation was to review data safeguards every year if a third party like ADP payroll or a marketing company is storing member information on an Amazon-based cloud service.
That was easy to add that to our processes, Dubey says, because we now have a strong foundation.