The unfortunate truth is that third-party data breaches are becoming more widespread.
Organizations are increasingly outsourcing functions to third parties in an effort to focus more on their own business goals and objectives while lowering costs and taking advantage of the knowledge and expertise third parties can provide.
It seems like a win/win—and it can be—but it’s important to understand that the inherent risks posed by using third parties are often overlooked or underestimated.
That’s where vendor management best practices come in.
Why Do Vendor Management Best Practices Matter?
Although an organization can outsource functions to third parties, it can’t outsource its responsibility.
What I mean is that a company that outsources anything to a third party is still charged with knowing the functions provided by the third party, the risks associated with those functions and how those risks relate to its own organization.
Data breaches may occur as a result of a third party’s security failure; however, the organization whose information is breached suffers the reputational and financial burden.
In short, if one of your vendors falls victim to a data breach, your company’s data will be compromised, so it’s important to know how to implement vendor management best practices in order to mitigate that risk.
The Six Vendor Management Best Practices to Implement
If your business is still wondering why vendor management is critical, or if you don’t know where to start, the following six vendor management best practices can guide you through creating and implementing a plan to protect your company.
1. Adopt a formal vendor management program and create a vendor management policy
Organizations should adopt a formal vendor management program in order to reduce or mitigate risks.
In addition, one of the most important vendor management best practices to implement is maintaining documentation of all the vendors being used by an organization. This reduces the “single point of failure” risk sometimes associated with personnel who have all the operational information in their heads and not written down.
A vendor management policy should be developed that outlines procedures for selecting vendors, ranking vendors, performing vendor risk assessments and due diligence procedures and ensuring appropriate language and requirements are included in the vendor contract.
2. Assign a team to oversee vendor management
Tone at the top is essential in demonstrating a commitment to vendor management best practices.
Ideally, for the vendor management process to operate effectively, management should start by assigning a team to oversee its creation, implementation and ongoing monitoring.
This team should have the full backing and support of executives and owners. Team members might include a member of management, staff members from the related business units or departments who will be working with the vendors, Information Technology (IT) personnel and compliance personnel.
3. Create a vendor risk assessment matrix
A list of vendors and the services they provide should be developed and maintained, and the organization should create a vendor risk assessment matrix to assess the criticality of each vendor based on the associated risks.
The vendor risk assessment matrix might include the vendor contact, date of initial contract, renewal date, name of employee assigned to manage the vendor relationship and an overall risk ranking.
Typical risk rankings would include high, medium and low. High-risk vendors could be those who:
- Provide services critical to the company’s operations;
- Have access to company systems or sensitive data (PHI, PII, etc.);
- Provide services with no backup or contingency plans;
- Will have the ability to alter/modify your data;
- May utilize a third party for data processing (fourth party to you); or
- Have the potential to expose the company to financial, operational or reputational risks.
The assessment might group the rankings into tiers that outline the specific due diligence required for each tier and whether a vendor in that tier should be reviewed only at onboarding or on a periodic basis (e.g., quarterly, annually).
Below is an example of a vendor risk assessment matrix that outlines information that needs to be tracked and monitored.
4. Perform vendor management due diligence procedures
For high-risk or critical vendors, due diligence procedures should typically be performed during the onboarding process and then at least annually to routinely check for changes or additional risks.
Potential due diligence procedures may include a documented review of the vendor’s financials, System and Organization Controls (SOC) reports or other independent internal control reports.
Note that some of the more prominent vendors, like cloud service providers (CSPs), may have SOC reports issued more frequently (e.g., semi-annually), so ensure all applicable reports are reviewed and evaluated.
If a SOC report is not available, the vendor could be required to complete a detailed vendor questionnaire, which would include information about their reputation, security and stability.
Other vendor management best practices relevant to due diligence might include researching the vendor’s reputation in the industry and initial and periodic on-site visits to observe operations, personnel and security measures.
5. Evaluate vendor contracts
Another important best practice is ensuring that the vendor contract is adequate and that it sufficiently addresses the appropriate areas.
This contract and/or service level agreement should state the service commitments and pricing completely and accurately, and any questionable terms should be clarified in writing early in the process.
Other critical details to consider including in the contract would be:
- Business continuity/disaster recovery procedures;
- Breach notification and incident response procedures;
- Data protection and ownership;
- Confidentiality or security requirements;
- Contingency plans upon contract termination; and
- Right-to-audit clauses.
Another vendor management best practice is to have a legal representative involved in the contract process to ensure all regulatory and compliance issues are addressed and to provide insight into any issues that might lead to legal disputes or settlements.
6. Monitor vendor activity
Ongoing monitoring of the vendor should be performed to track the vendor’s performance of stated service and security commitments and any other contractual requirements, such as maintenance agreements or help-desk services.
This knowledge will be helpful in discussing any issues or preferred changes upon contract renewal.
Moving Forward with Vendor Management Best Practices
There is no perfect standard for vendor management best practices and procedures.
The key to vendor management programs is being aware of the risks that third-party vendors pose and taking the necessary steps to understand, accept (where necessary) and mitigate those risks.
This article was originally posted on August 9, 2019 and was most recently updated on May 18, 2022.