Executives Explore the Ins and Outs of Managing Vendors and Vendor Risk in Compliance-Intensive Industry


Three executives from First Citizens Bank explained how they manage vendor and supplier relationships, including issues such as risk management and compliance, during a panel discussion at the 2019 Ward and Smith In-House Counsel Seminar.

The session was moderated by Paul Fanning, who leads Ward and Smith's Creditors' Rights Practice and is a North Carolina Board Certified Specialist in business and consumer bankruptcy law. 

Meghan Pridemore, vice president, default counselor, and manager of default litigation for First Citizens Bank, explained that managing vendor and supplier relationships usually begins with a manager who needs something.

"The business is going to drive what it is, where their gaps are or what they might need in a vendor to help them create efficiencies in a process," Pridemore said. 

As a first step, she often calls her colleague, Kate Garcia, vice president and senior manager of sourcing at First Citizens. 

"Once we get that phone call that says there is a need," Garcia said, "... we will go out and do some research." That helps the bank identify potential vendors and suppliers to meet that need, and usually leads to an RFP process to solicit proposals and choose the most competitive bid. 

That's when Melissa Alphin, the bank's senior manager of risk oversight and senior vice president, monitoring and reporting, gets involved.

Assessing Risk

For the bank, which is charged with protecting sensitive customer information and financial assets, and which is also subject to strict oversight and compliance, risk management is critical. 

Alphin's team starts with a risk assessment that's completed by the business stakeholder at the bank. "That helps us identify inherent risks that we expect to be present in that engagement," she said.

With those risks identified, the First Citizens team reaches out to the vendor (or vendors, if a winning proposal hasn't been chosen) and asks them to complete various questionnaires for different types of risk. With information from the vendor and the business stakeholder in hand, Alphin turns to subject matter experts at the bank to assess the risk that engaging with the vendor is likely to involve.

The bank is concerned about many kinds of risks. 

"Information security is always top of mind," Alphin said. "Cybersecurity, information security is a huge risk to the industry right now." 

Physical security, compliance, and business continuity are also top concerns, she said. The bank also examines what it calls "engagement due diligence," which can involve what vendors or suppliers the vendor itself might use, and whether those could, for example, lead to sensitive bank data leaving the country or being handled by another entity.

Business-Legal Tensions

Alphin and her colleagues, of course, have to deal with tensions between their legal and risk management duties and the goals and desires of the bank's business units. 

"There is a natural tension, at least in my mind, between the business side and the legal side," Fanning noted. 

Sometimes, for example, a business unit leader might prefer to use a small supplier he or she knows is going to deliver the quality of service needed — but because of the vendor's size, it may not be capable of passing the bank's risk management evaluation. 

"We developed what we call our limited scope agreements," Pridemore said. "For specifically these situations, where I find myself in what I would call a wonky jurisdiction — something that's not in my normal footprint."

For example, she said, what if a borrower moves to Montana and sues the bank from there? The bank might have just 20 days to respond, even though it has no business presence and no Montana law firm.

"I am not going to be able to run somebody through a process that could potentially take up to three or four months," she said. "So, we have developed this more limited contracting that incorporates and accepts some of those risks." 

In one case, Pridemore said, a borrower had stopped making payments on a vehicle, and the bank wanted to repossess it. But the vehicle was parked in the Cherokee Nation, so it had to find a legal representative who could appear before the Cherokee authorities before the bank could take the vehicle back.

With all that said, Alphin said the bank has not had a lot of problems with businesspeople wanting to hire vendors who would present higher-than-normal risks. 

"We have done a lot of education and training on the importance of not bringing third parties on that present extreme risk to the bank," she said.

Managing Law Firm Relationships

Hiring law firms, the panelists noted, is a different process from selecting any of the other vendors a bank like First Citizens uses. 

"When you have other non-lawyer vendors, third-party vendors, they tend to all be large companies," Pridemore said. "But law firms come in all kinds of sizes. You can have your solo attorney. You can have your midsize firm. You can have up to a very large firm, and so they all inherently bring their own challenges."

Often, she said, the bank may have to choose between a larger firm that has the resources to comply with risk reduction practices and a smaller firm that may be geographically or otherwise better suited to handle a particular matter.

That can make risk management a challenge. 

"Business changes very quickly," Pridemore said. "My impression is that the law tends to be a little behind that. I think the real challenge is 'Can the legal vendors move as fast as we do?'" 

For other smaller vendors, the bank often places the responsibility of managing risk on the manager or executive responsible for that area of the business.

"For example ... the manager of the appraisal department is accountable for vetting those [appraisers]," Alphin said. "We make sure there are procedures in place, that they are being followed to make sure that an adequate amount of due diligence is being performed that is commensurate with the risk that is being presented to the bank." 

That said, even with smaller vendors, Pridemore urges the responsible business owners to get them through the bank's full risk management process, even if it's difficult. 

"Then the due diligence and the oversight can be less," she said. "I then can just work with them and focus on the needs of the business."

Ending Vendor Relationships

There are times, the panelists said, when the bank has to end a vendor relationship.

"Just as finding the gaps and the need for the vendor starts with the business," Pridemore said, "deciding if that vendor has run its course or is meeting your expectations of the work that they promised they could do comes back to the business." 

Often, she said, it becomes pretty clear if there's a problem. 

"We know pretty quickly if a vendor has promised or overpromised, but then they can't deliver," Pridemore said. "They'll come in and do a dog-and-pony show because they want your business. And sometimes they're great, and sometimes what they promise just doesn't turn out to be reality."

"The sourcing team gets involved there and comes up with a strategy to exit," Garcia said. She added that the bank tries not to burn bridges when ending vendor agreements. 

"There's no need to do that," she said. "You don't know when you're going to need them again."

© 2024 Ward and Smith, P.A. For further information regarding the issues described above, please contact Hayley R. Wells.

This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.
