We’ve discussed many parts of third-party risk management, but no area of the discipline carries as much potential downside as compliance. Third-party vendor management compliance is a major component of any robust vendor risk management program, and especially so in the financial, healthcare, and cybersecurity industries.
Whether we’re talking about compliance with the NIST Cybersecurity Framework, ISO 27001, or the Bank Secrecy Act and anti-money laundering standards, the nature of vicarious liability means that you can face penalties not only for the actions of your own enterprise but for those of your third- and fourth-party vendors as well. A failure in any one of their compliance efforts becomes a serious problem that your organization now has to answer for. Enforcement actions can be taken against your enterprise solely for the actions or failures of your vendors. So how do we effectively manage the compliance risk posed by vendors, and which due diligence procedures are going to be the most effective?
Where Do We Start?
Managing risk effectively always begins with identifying potential risks. Third-party risk assessments are the cornerstone of any vendor management program, and this is even more true in an industry with compliance concerns. But this is not where managing your firm’s vendor compliance risk truly begins. To identify the compliance risk facing your company, you must start with an enterprise risk assessment.
Once you have isolated the compliance concerns that are applicable to your particular market space, you can begin to better evaluate how your vendors mitigate those risks or potentially expose you to more of them. Some global organizations may present as high-risk vendors simply because of “country risk” due to the areas they operate in. These are all factors that you must do your best to account for.
Specific Risk Concerns
Global organizations may have thousands of vendors to manage while small to medium-sized companies face entirely different challenges. With fewer employees, risk management becomes even more difficult, or it may even be outsourced to a third-party vendor itself. Regardless of business size, there are a number of risk and compliance concerns that are universal.
Regulatory or Compliance Risk
This is one of the fastest-expanding areas of risk as more and more regulations are enacted globally. Many of these focus on data privacy and security, but they are not the only target of increased international regulation. Even within nations, many states or provinces have begun enacting their own data privacy laws, such as California’s CCPA, which closely mirrors the GDPR. That adds another layer to risk assessment: closely examining the market space your vendors will operate in to identify the regulations that apply.
Trade sanctions are another area of increased regulation, and severe penalties can result from a single violation. The US Office of Foreign Assets Control (OFAC) is one regulatory agency that has recently taken action against an enterprise for due diligence failures with regard to one of its third-party vendors.
Among its other tasks, OFAC publishes and maintains a number of lists designating nations and parties that US persons and businesses are prohibited from dealing with. The Specially Designated Nationals and Blocked Persons list is the most extensive list OFAC maintains, and it consists of entities with which any US corporation is entirely prohibited from having business dealings of any kind.
In March of 2021, OFAC took enforcement action against UniControl as a result of trade goods that it shipped to vendors in Europe. Those vendors later reshipped the goods to parties in Iran, and OFAC determined that UniControl should have been aware of that likelihood and therefore should have known that completing the transactions would violate the trade sanctions against Iran.
Reputational Risk
In the age of the internet, news spreads more quickly than ever before, and negative news spreads fastest of all. A data breach at a fourth party could lead to your third-party vendor’s systems being compromised. That negative news can then snowball into a significant effect on your own business.
The breach of a business related to a financial institution such as a mortgage lender or loan originator is a perfect example. Even if no data related to the clients of that financial institution is affected, nearly every news story is going to lead with that attention-grabbing connection. A key metric to consider when evaluating reputational risk is security scorecard ratings. This can give you advance warning of a potential vendor that is not currently up to par with what you are looking for reputation-wise or from a security posture standpoint.
Environmental, Social, and Governance Risk
Environmental, social, and governance (ESG) risk is a specific area of risk that is part regulatory and part reputational. Some nations have codified requirements for green energy or prohibited dealings with companies operating in countries known for human rights violations. In such cases, ESG concerns fall more in line with regulatory risks. However, even if your enterprise operates in a country without regulations in that space, you can suffer serious reputational damage if instances of unlivable wages, environmental pollution, or excessive greenhouse gas emissions are found down your supply chain.
Due diligence and holistic risk assessments have never been more critical. Identifying vendors with the potential for ESG risk is the most important step to take. Standard risk assessment questionnaires are not likely to cover the breadth of risk exposures you could be facing, and if you adapt your screening procedures, you may even be able to partner with like-minded corporations to further enhance the social and educational opportunities within their region.
Bringing The Pieces Together
There are many moving parts when it comes to third-party vendor management compliance. It may seem hopelessly difficult to account for every aspect of compliance risk you may be facing, but there is good news. As we have always recommended, adopting a whole-enterprise risk management approach is your most efficient way forward. A broad-spectrum look at your risk profile and risk appetite will identify your compliance risks.
Once you have identified the applicable risks, you then need to factor them into your vendor risk management processes. Some businesses continue to operate with their heads in the sand, but the fact that you are here and reading this now means that you’re already one step ahead. We’ve hit on risk assessment and identifying risks, but the task of managing third-party risk doesn’t end there.
Onboarding and Contracting Tasks
When you have selected your vendors, it’s critical to have a clear and structured onboarding process. This should establish the basis for the third-party relationship and ensure that your vendors understand your policies on data security, regulatory guidelines, and all of the other factors we have discussed.
With contracting, building these same expectations into the contract can make the importance crystal clear to your partners. Establishing key performance indicators that include those expectations will further reinforce their importance as well as let your third parties know that compliance concerns will be a part of your enterprise’s continuous monitoring efforts.
Continuous Monitoring and Offboarding
If you have written those KPIs into the contract as recommended, the next step is to actually hold your vendors accountable for them. In addition to your standard continuous monitoring efforts, it’s critical to give your third parties feedback on their performance and how it measures up to what is expected.
Offboarding is the time to ensure that no compliance issues arise because data was left accessible to former vendors who should no longer have had access to it. When the time comes to part ways, verify that protected data is returned, destroyed, or retained as necessary and in compliance with all regulatory requirements.
Implement, Review, and Improve
No vendor management program is perfect, and waiting for perfection will result in never getting started. Once you have a framework that takes into account a fair portion of your risk and compliance concerns, the best thing to do is start applying it. That will allow you to evaluate its effectiveness, make adjustments as you see what does and does not work, and then improve upon what you have built.
This also serves to keep your employees and vendors in a position to pivot quickly as challenges emerge or you adjust your program. That can be a key ability as additional regulations and requirements are implemented by governmental agencies, or new risks present themselves that were previously unaccounted for.
Third-party risk management is an ever-changing field that requires a wide range of skills. Whether you’re a global entity or a small business, it may be that you choose to look to experts to establish your vendor management program. At Venture Lynk, the key risk indicators for vendor management are our bread and butter. Let us design an effective and efficient vendor risk management program for you.