As organizations grow and mature, they seek opportunities to gain efficiencies and offer increased levels of service to their customers. Organizations may elect to keep systems, development, and services in-house to retain control over proprietary information and protect customer data and system security. However, internal processes can be cost-prohibitive, as organizations may need to hire additional personnel with skills and experience.
Other organizations find value in external relationships with business partners who align with organizational goals, allowing the organization to focus on their business and customer needs. However, these partnerships also present risks that, if not managed properly, can compromise security and the safeguarding of sensitive organization and customer information. For these organizations, it is imperative to develop and implement a comprehensive program to evaluate and manage vendor risks.
An effective vendor risk management program identifies the risks and associated potential impacts throughout the vendor relationship lifecycle. This includes vendor identification and selection, contracting, compliance management, and vendor off-boarding.
Vendor Identification and Selection
As part of the vendor identification process, organizations need to perform adequate due diligence procedures for each prospective supplier. Procedures include the following:
- During the proposal process, require bidders to:
- Disclose adverse judgements against them.
- Provide examples of deliverables or reports for similar engagements, past/current clients, and references.
- Provide current System and Organization Controls (SOC) reports for contracts related to IT services. Check out our comprehensive guide to SOC reports here.
- Research prospective vendors by reviewing publicly available news articles or regulatory reports to identify incidents that have negatively impacted their client’s business.
- Utilize outside firms to conduct background checks of prospective vendors, key members of vendor ownership, and management to identify past incidents and areas of concern.
Organizations can also validate proposal information by performing the following:
- Reference checks that include questions regarding service delivery, timeliness, and quality and completeness of deliverable.
- Reference checks should also include questions regarding trouble/issue resolution, key personnel turnover, and any data safeguarding issues.
- Interviews with potential vendors to validate the information contained in the proposal and to verify experience through inquiry.
Organizations should also include controls, requirements, and checks into vendor agreements to help maintain compliance and meet expectations. These include:
- Service level requirements to define expectations, allow vendors to understand required performance, and provide measurable compliance criteria.
- Specific terms, timelines, deliverables, and penalties/chargebacks/liquidating damages for failing to meet them.
- Requirements for the vendor to maintain documentation; including workpapers, quality assurance reporting, external reports and assessments, and subcontractor invoices and payments.
- The right of the organization to review and approve subcontractors to ensure they meet the same expectations as the prime contractor/vendor.
- The right of the organization to audit vendor and subcontractor work and finances related to the performance of the contracted services.
Throughout the term of the vendor relationship, it is critical that the organization validate compliance with the programmatic and administrative requirements of the agreement. Elements of effective ongoing vendor management procedures include the following:
- Appoint a contract administrator, separate from the project manager, who is not directly involved in managing the delivery of the contracted products and services to oversee contract performance. The Project Manager is too involved in the completion of project tasks to be considered impartial. The Contract Administrator should be someone who doesn’t work directly with the vendor on a day to day basis. This segregation preserves objectivity and helps prevent relationship threats.
- The contract administrator should regularly monitor adherence with requirements including service level agreements, reporting content and deadlines, and regulatory compliance.
- Incidents of non-performance should be identified and communicated; associated penalties or chargebacks should be consistently enforced.
- The vendor should document remediation efforts to track future compliance, and report contributing factors to non-compliance that could present a risk to the organization.
- Require vendors to provide regulatory and industry reports throughout the term of the agreement to evidence continued compliance with requirements and the effectiveness of controls. Obtaining and reviewing this information will help confirm the vendor remains capable of providing effective control over potential risks.
- Exercise the right to audit on a periodic basis. Audits can help identify vendor control weaknesses such as a lack of proper quality control, or inadequate internal segregation of duties.
As the end of the vendor contract nears, the organization should ensure the relationship ends effectively by conducting vendor closeout exercises. These should begin prior to the end of the agreement and include:
- Ensuring all required notices have been provided timely
- Validating all deliverables have been received and accepted by the organization.
- Confirming that organization-owned assets/items/information, such as ID badges, keys, and laptops are returned or deactivated.
- Verifying that vendor access to proprietary systems and information has been disabled.
For organizations that increasingly rely on third party vendors, it’s important that the appropriate level of care and consideration is given to ensuring reputable contractors are selected and performance is closely monitored throughout the term of the agreement. Proper contractor management and oversight promotes high quality deliverables, risk mitigation, and an effective vendor relationship.
If you think that your organization could be doing more to effectively manage its vendor relationships, talk to your internal audit team, or an experienced independent advisor like SC&H Group’s Risk Management practice, to determine if additional contractor oversight may be appropriate. You can reach out to us if you’d like to learn more.