7 Vendor Risk Management Best Practices
Chris Adams
February 18, 2022

Cost savings remains a significant focus across all industries. One of the primary ways companies look to save money is outsourcing, shifting some of those costs to a third-party vendor. We've talked about it before, and this trend is increasing. It has only accelerated as these vendors in turn outsource some of their work to other vendors.

Each of those vendor relationships places you at risk. Failure to adequately detect and address those risks will leave you open to civil, criminal, and regulatory penalties. These seven vendor risk management best practices will go a long way toward ensuring that your vendor risk management program is working efficiently.



Knowing who your vendors are is the absolute first step in any risk management process. Similarly, you need to track what product or service the vendor provides you with. This doesn't stop with just third-party vendors, either. Fourth-party vendors, or those contractors that your third-party vendors use to fulfill their contractual obligations to you, should be included and evaluated. You may need to move even further down the supply chain when assessing risk for certain critical vendors.

One essential tip to verify that your vendor file is complete is to cross-reference your vendor file with accounts payable. Ensure that each vendor receiving payment is listed and that none have slipped through the cracks over time.


We touched on this briefly just above. Risk and criticality assessments should be independent of one another, and every vendor should be assessed for both. You may have a low-risk but critical vendor that needs enhanced due diligence because of the specific services they provide, or you may find a non-critical but high-risk vendor relationship that would be better served by looking for alternate vendors entirely.

This assessment is integral to your vendor risk management program, and it doesn't stop at the vendor level. Each product or service that your third-party vendor supplies should be evaluated individually. Every vendor will have an overall risk and criticality rating and secondary ratings for each service or product category.


This step is even more critical for vendor risk management at large businesses. Identifying high-risk vendors before entering into a contract with them will help you determine whether they need continuous monitoring or other adequate due diligence procedures. This could lead to selecting an alternate vendor, or to additional contractual stipulations if the high-risk vendor is selected anyway.

Organization and preparation are even more essential when handling the sheer quantity of vendors that large businesses do. That's why starting this process during the solicitation phase is so necessary. A simple vendor questionnaire can go a long way toward completing an initial assessment, depending on the service provided.


Having a structured process is paramount, but it doesn't need to be set in stone. A framework for onboarding all vendors can set you up to manage a healthy vendor relationship with less stress. This is even more true when it comes to cybersecurity concerns. Clearly stating what acceptable handling of your data on your vendors' systems and devices looks like can save you a headache in the future. Having the vendor acknowledge and agree to comply with your information security procedures can also leave you a way out should issues arise.

Suppose your vendor is going to be handling customer PII. In that case, you may want to prohibit them from allowing employees to use personal devices to access the information or the system as a whole. When it comes to off-boarding, ensuring that data retention policies are in place, and that the appropriate data is purged from the vendor's systems in compliance with applicable regulations, may provide additional liability protection for you.


Not only is ongoing monitoring of your vendors a necessity, but leveraging technology to streamline the process is an absolute must for any large business. During the onboarding process, you should have agreed on measurable KPIs for tracking your vendor's performance. In addition to continually assessing these KPIs, you must continue to conduct risk assessments at least annually, along with other due diligence tasks.

Companies like Microsoft have even developed their own proprietary systems in which vendors actively participate in verifying compliance with agreed-upon standards. Programs of this nature are likely to be the way of the future, as they are infinitely customizable once the hurdle of initial development has been overcome. Additional measurements or ratings are also available that can assist with this monitoring. One of those specific measurements is the subject of our next best practice.


Security ratings are to a company's cybersecurity posture what credit ratings are to a person's creditworthiness. Several independent agencies offer ratings of the security posture of vendors that you can use to further assess their risk category. This is a quantifiable metric that you can obtain without developing, sending, and evaluating questionnaires, conducting an on-site visit, or hiring another vendor to complete a penetration test. Even more importantly, traditional assessments are only valid at the point in time at which they are conducted, whereas security ratings are constantly updated and measure your vendor's ability to withstand attempted security breaches.

Data breaches are costly in terms of reputation and potential monetary penalties. The Target data breach in 2013 resulted from the compromise of a third-party HVAC vendor for a single retail store location. That compromise exposed over 40 million debit and credit card numbers. The risk posed by lax data security cannot be overstated.


The most robust vendor risk management process will fall flat on its face without the support of knowledgeable senior management and informed board members. No business decision occurs in a vacuum, and you're doing a disservice to your work and your team members if the decision-makers aren't fully up to speed on the steps you are taking and the results you are seeing.

This communication also includes your internal audit team, as they should become a crucial part of your risk management process. They can ensure procedures are being followed, conduct the matching of vendor lists with accounts payable, and be an overall force multiplier for your third-party vendor risk management team.


The expansion of the cybersecurity threat throughout so many different aspects of the supply chain has left many companies trying to play catch-up. Cross-training risk management personnel in information security tasks, or pulling IT employees into risk management, can help. Still, none of those options provide you with subject-matter experts in cybersecurity and information security.

Venture Lynk Capital and Advisory specialize in wholly customizable vendor risk management services. We can provide assistance with onboarding, risk assessments, internal and external audit processes, and a comprehensive review of your vendors' information security policies and procedures. Our staff of military intelligence veterans knows how to uncover vulnerabilities that a standard vendor questionnaire could easily miss. For more information on our Vendor Risk Management services, schedule a call today!