Post-Acquisition Vendor Integration Project for a Leading Southeast Regional Bank
At this bank, the Vendor Management group was responsible for vendor risk management across the enterprise. As a result of a merger, there was a need to consolidate vendor management records into the selected surviving vendor management solution. Complicating this integration was a lack of vendor management discipline being observed during the acquisition effort that required immediate remediation.
Of critical importance was a rapidly approaching series of exams where a holistic vendor risk management posture was required to be demonstrated. Complicating this requirement was the loss of key personnel from both organizations that had historically maintained vendor management solutions and records or held key vendor relationship assignments. In addition, the data extract from the non-surviving vendor management solution required data management expertise to become usable for the conversion effort, and was acknowledged as incomplete and outdated, as boxes of physical records would require review.
This is why CMPG was engaged to lead this effort:
- Evaluate and parse the data extract
- Develop a plan to identify and track vendor relationships and documents that required conversion
- Establish a process to search physical records for missing or incomplete documentation
- Train new staff on vendor management disciplines and the surviving vendor management solution
- Identify High Risk vendors within the converted portfolio
- Update Due Diligence documentation on the converted portfolio
- Work in unison with assigned relationship owners of the converted vendor portfolio to complete a Vendor Risk Assessment
The project focused on ensuring all documentation and contract records available from the acquired institution, either electronic or physical, were brought into the surviving vendor management solution. A policy review was undertaken to ensure proper assignment of responsibilities, and to initiate collaboration efforts on Vendor Risk Assessments internally and with vendors.
- Which documents and contracts should be kept for archive purposes?
- How has the addition of multiple new contracts with pre-existing vendors changed their risk profile?
- Where is there opportunity to take advantage of the combined scale in future negotiations?
- Which key documents (financial statements, control audits, insurance certificates as examples) need to be obtained and reviewed?
- Which documents, while initially deemed available, are incomplete?
- Who should be tasked and held accountable to answers questions on specific risk aspects of the vendor relationship, (i.e., who is the subject matter expert)?
A plan was drafted that allowed the completion of the project over a 90 day period. This included:
- A conversion of over two hundred surviving vendor contracts and over a thousand associated documents into the acquired vendor management portfolio
- A revision in policy on the application of vendor risk assessments
- An updated Information Security Questionnaire to facilitate vendor and internal collaboration
- An update of Vendor Risk Assessments for all surviving vendors
- A post-project departmental program plan for the continuation and maturation of vendor management across Performance Measurement and more formalized Vendor Risk Management Governance