I was recently discussing vendor management with a client when he asked, “What’s the big deal with vendor management? Why is this such a hot topic right now?”
The simplest response to this frequently asked question is that, although an organization can outsource functions to third parties, it can’t outsource its responsibility.
What I mean is that a company that outsources anything to a third party is still charged with knowing the functions provided by the third party, the risks associated with those functions and how those risks relate to their organization. Data breaches may occur as a result of a third-party’s security failure; however, the organization with the information that is breached suffers the reputational and financial burden. In short, if one of your vendors falls victim to a data breach, your company’s data will be compromised, so it’s important to know how to implement vendor management processes in order to mitigate that risk.
Why Businesses Need Vendor Management Strategies
The unfortunate truth is that while many companies are still asking questions about why vendor management matters, third-party data breaches are becoming more widespread. Results of the Opus and Ponemon Institute’s 2018 Third-Party Data Risk Study revealed the following:
“59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent—up 5 percent over last year’s study and a 12 percent increase since 2016. What’s more, many breaches go undetected: 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months. Overall, more than three-quarters of organizations believe that third-party cybersecurity incidents are increasing.”
Organizations are increasingly outsourcing functions to third parties in an effort to focus more on their own business goals and objectives while lowering costs and taking advantage of the knowledge and expertise third parties can provide. It seems like a win/win—and it can be—but it’s important to understand that the inherent risks posed by using third parties is often overlooked or underestimated.
Steps to Create and Implement a Vendor Management Strategy
If your business is still asking why vendor management is critical, or if you’re looking to implement a vendor management strategy but don’t know where to start, the following six steps can guide you through how to create and implement a plan to protect your company.
1. Adopt a formal vendor management program and create a vendor management policy
Organizations should adopt a formal vendor management program in order to reduce or mitigate risks. In addition, having documentation of all the vendors being used by an organization reduces the “single point of failure” risk sometimes associated with personnel who have all the operational information in their heads and not written down.
A vendor management policy should be developed that would outline procedures for selecting vendors, ranking vendors, performing vendor risk assessments and due diligence procedures and ensuring appropriate language and requirements are included in the vendor contract.
2. Assign a team to oversee vendor management
Tone at the top is essential in demonstrating a commitment to strong vendor management practices. Ideally, for the vendor management process to operate effectively, management should start by assigning a team to oversee its creation, implementation and ongoing monitoring. This team should have the full backing and support of executives and owners. Team members might include a member of management as well as staff members from the related business units or departments who will be working with the vendors.
3. Perform a vendor risk assessment
A list of vendors and the services they provide should be developed and maintained, and the organization should perform a vendor risk assessment to assess the criticality of each vendor based off the associated risks. The assessment might include the vendor contact, date of initial contract, renewal date, name of employee assigned to manage the vendor relationship and an overall risk ranking.
Typical risk rankings would include high, medium and low. High or critical vendors would be those who: provide services critical to the company’s operations, have access to company systems or sensitive data, provide services with no backup or contingency plans or otherwise have the potential to expose the company to financial, operational or reputational risks. The assessments might include the rankings in tiers that outline the specific due diligence required for each tier and whether it should be reviewed only at onboarding or on a periodic basis (e.g., quarterly, annually). Below is an example of a vendor risk assessment summary that outlines information that needs to be tracked and monitored.
4. Perform vendor management due diligence procedures
For high-risk or critical vendors, due diligence procedures should typically be performed during the onboarding process and then annually to routinely check for changes or additional risks. Potential due diligence procedures may include a documented review of the vendor’s financials, System and Organization Control (SOC) report or other independent internal control reports. If an SOC report is not available, the vendor could be required to complete a detailed vendor questionnaire which would include information about their reputation, security and stability. Other procedures might include researching the vendor’s reputation in the industry and initial and periodic on-site visits to observe operations, personnel and security measures.
5. Evaluate vendor contracts
Another important step in the process is ensuring that the vendor contract is adequate and that it sufficiently addresses the appropriate areas. This contract and/or service level agreement should state the service commitments and pricing completely and accurately, and any questionable terms should be clarified in writing early in the process. Other critical details to consider including in the contract would be business continuity/disaster recovery procedures, breach notification and incident response procedures, data protection and ownership, confidentiality or security requirements, contingency plans upon contract termination, change management and right-to-audit clauses. It’s also a good practice to have a legal representative involved in the contract process to ensure all regulatory and compliance issues are addressed and to provide insight into any issues that might lead to legal disputes or settlements.
6. Monitor vendor activity
Ongoing monitoring of the vendor should be performed to track the vendor’s performance of stated service and security commitments and any other contractual requirements, such as maintenance agreements or help-desk services. This knowledge will be helpful in discussing any issues or preferred changes upon contract renewal.
Moving Forward with Vendor Management
There is no perfect standard for solid vendor management practices and procedures. The key to vendor management programs is being aware of the risks that third-party vendors pose and taking the necessary steps to understand, accept (where necessary) and mitigate those risks.
For more information about vendor management, cybersecurity and what steps your business should be taking to ensure that your data is protected, visit Warren Averett’s Risk, Security and Technology webpage.