If there is one thing the pandemic of 2020 has taught us it is to expect the unexpected and effective risk mitigation tactics are what is needed to successfully navigate your way through this crisis. In an ironic way, Third-Party Risk Management is very much the same. If your organization takes an ad hoc approach to managing your third-party vendors/suppliers, it is likely that many unforeseen risks can create a negative impact on your company.
It only makes sense that you adopt a best-practice approach to third-party risk management and central to this approach is to follow a proven framework, a lifecycle approach to managing these relationships with total confidence.
The Merriam-Webster Dictionary Definition of framework is a basic conceptional structure (as of ideas). They reference the “framework of the U.S. Constitution” as an example. At Vendor Centric, we architected our Vendor Management Framework as the “North Star” of our approach to helping our client create third-party risk management (vendor management) programs.
To effectively manage your third parties, it is essential that your framework ensures you have controls and key activities at every stage of the relationship including:
• Risk & Due Diligence
• Contract & Risk Management
Below are more details on each of these important stages.
This is where the process begins and the most important thing you can do is to ensure you select the right vendor and solution for each unique set of business requirements needed to meet your operating mission.
Risk & Due Diligence
Before you enter into a contractual agreement with a selected vendor, it is vital to evaluate and mitigate potential risks before entering into a contract. This is often a stage that is overlooked as speed to market concerns tend to dictate executing contracts quickly to meet the demands of the business.
Having legal and risk management professionals involved with business owners from contract authorizing and execution will ensure you have all of the necessary clauses required to effectively balance the risk and detail the responsibilities under the agreement between your company and your third-party.
This is a very critical stage in establishing the operational relationship with your new third-party vendor(s). Here you create the foundation for how you will manage the overall relationship but also begin your third-party risk management journey. Engaging stakeholders and communicating the operational and oversight activities required will ensure you will consistently mitigate risks and ensure compliance while optimizing their performance serving your company.
Contract & Risk Mitigation
One thing many organizations overlook is that doing a great job in contracting doesn’t end when all of the signatures are captured on the agreement. A best practice approach to include your third-party risk management program is having a vendor management system with contract lifecycle management functionality built in or a standalone contract management system. This will ensure you have ready access to the meta data and important clauses within your contracts so you can proactively manage to the agreed upon service levels and budget.
It will also enable all of your ongoing risk mitigation activities. Another best practice is to ensure you include ongoing monitoring tools into your program. Risk is a 24/7 – 365 activity and point in time due diligence is no longer sufficient to effective third-party risk management in 2020 & beyond.
This is an often ignored but critical stage in your third-party risk management framework. With the heightened importance of protecting data and confidential information about your customers and your company’s internal operations, offboarding has to be integrated into your contracts and operational activities.
You should detail your offboarding requirements into your contract and have formal procedures for how you will follow the contracted requirements to ensure offboarding is executed each and every time.
In the end, following a third-party risk management framework will help your company bring confidence to your customers, employees, executives, board members and investors that your take seriously the responsibilities to serve their needs and protect their interests. Companies that follow a third-party risk management framework tend to be successful because they are not only are talking the talk but also walking the walk.
Having a framework backed with a policy and formal procedures is like going on a long road trip with an itinerary detailing all of the activities you will do on the trip and a GPS to ensure you can get where you are going in the most efficient way possible. With technology today, you can be alerted to roadblocks and delays along the way much like risk monitoring tools can alert you to new risks and threats occurring with your third-parties.
As you begin your third-party risk management journey or need help assessing your existing third-party management process, here are the third-party risk & due diligence we provide. We are here to help!!
Author: Paul Schrantz
Job Title: Director of Business Development & Client Success
Organization: Vendor Centric