The Case for Vendor (Third-Party) Management

  • Hal Bass
  • Sep 24, 2019
  • 3 min read

Updated: Sep 25, 2019

The rules for compliance and governance are pushing companies to become experts in more and more areas. Not only does a department have to know its own function, it also needs to know how its work fits within the entire organization, all while keeping up with any legal or standards changes.

HR regulations (HIPAA, etc.) require HR, Legal, and IT to work together. Financial regulations (PCI, SOX, etc.) require Finance, Legal, and IT to work together. Privacy laws (GDPR, CCPA, etc.) require the Privacy Department to work with Legal, Marketing, and IT, as well as to educate everyone in the company on their role in protecting data. IT also has to supply the infrastructure (physical and electronic) to support these activities, as well as normal day-to-day operations. They have to do this while implementing security standards that protect everything without impacting the customer experience or employee productivity.

Companies now have to be experts in setting up and maintaining physical infrastructure and security. They have to be experts in system software, networking, firewalls and other defenses, security (authentication, access management, etc.), and secure software design and implementation. The list goes on and on.

One way that many companies are addressing this issue is to outsource all or part of these activities to vendors (third parties). While this does mean that the company no longer needs to be an expert at everything, it still has the responsibility to ensure that the vendor it chooses fulfills compliance and governance requirements. Unfortunately, many companies are simply hiring vendors to fulfill functions without ensuring that the vendor they are selecting is trustworthy or even capable of protecting the data shared with them. This doesn’t remove the risks of non-compliance; it just moves the source of the failure outside your control while leaving you with all the responsibility when something happens.

Having a robust vendor risk assessment process will help reduce the risk of failure while still engaging the experts required to effectively and efficiently service your customers. The main parts of an effective Vendor Risk Assessment process are: Vendor Risk Assessment, Vendor Due Diligence, Contract Management, and Issue Management / Vendor Supervision.

Vendor Risk Assessment covers identifying all the known and unknown (Shadow IT) vendors and potential vendors, and then determining a path to review each one. This review should include a risk evaluation that helps determine the criticality of the vendor’s service and therefore the frequency of re-review. At a minimum, each vendor is re-reviewed at contract renewal. Additionally, how the vendor fits in with the overall company architecture (IT, staff, etc.) is critical. Finding out later that the vendor can’t work with your systems or clients will cost the company significant time and money.

Vendor Due Diligence covers gathering all the required documentation from the vendor and reviewing it to ensure that any company requirements are met. This review is a reasonable inquiry into a vendor’s ability to meet the requirements for the proposed service, as well as security and regulatory requirements. The degree of due diligence required in selecting a vendor will depend on the results of the initial Vendor Risk Assessment. Due diligence for a low-risk vendor may be nominal, while high-risk vendors require more thorough due diligence.

Contract Management covers input into the company’s legal agreements with the vendors. The level of detail and relative importance of contract provisions will vary with the scope and risks of the services and products provided. All other aspects of contract management, such as language, approval and renewal, cancellation and file retention, are addressed by the Legal department. However, certain inputs (insurance requirements, privacy requirements, etc.) are driven by the business and need to be shared with Legal for their inclusion in the contracting process.

Issue Management / Vendor Supervision covers tracking the issues uncovered during due diligence until they are closed, as well as monitoring vendor performance during their execution of the contract. Issues discovered during the vendor assessment process should be recorded, assigned to the appropriate business owner, and tracked to completion. Closing an issue requires that either 1) the vendor remediates the issue, 2) the Business Owner accepts the risk, or 3) the vendor is terminated and replaced by a vendor with a lower risk profile. All of this must be done in a timely fashion to ensure the overall company risk profile is kept as minimal as possible. Vendor performance monitoring should be done according to company policy, with feedback to the vendor on any deficiencies or challenges.

Adding a vendor can either hurt your risk profile or help it. Picking a vendor without the proper preparation opens the company up to customer issues, data breaches, fines, and lawsuits. Following a rigorous vendor selection, management, and tracking process can help reduce your risks, increase your performance, and add best-of-breed services for your customers.