In a recent benchmarking survey on third party risk management, 72% of respondents said they “cannot produce a complete report of all of their third parties quickly and easily.”
While many people believe this information lives in their accounts payable (A/P) system, the reality is it doesn’t. Nearly all A/P systems capture very limited information about paying your vendor, and absolutely no useful information about the myriad legal, compliance and risk obligations you need to understand and manage with the vendor.
Creating and centralizing profiles on your third parties is the only way to have the visibility, reporting and management capabilities you need to really know (and effectively manage) your vendors and other third parties. At Vendor Centric, we believe that the foundation of a solid profile requires three things.
- Tracking basic corporate information about the vendor.
- Knowing your contractual obligations so they can be managed.
- Understanding the risks to which you are exposed so they, too, can be managed and mitigated.
Here are some additional details on each.
1. Corporate Information
The foundation of your profile starts with capturing basic information about the vendor themselves. This provides visibility into the organization as well as the people with whom you’ll be working. At a minimum, your basic vendor profile should include:
- Legal name
- DBA (doing business as) name
- Contact information (account manager, billing, help desk)
- Ownership structure
- Date of business formation
- Tax ID number
- DUNS number
- Special classifications (i.e. small, minority, woman or veteran owned)
2. Contract Information
Can you quickly and easily see all of the contractual obligations, terms and conditions you have with your third parties? Most organizations can’t. And that’s not good.
Contractual obligations are serious ones. They obligate you and your third parties to a variety of financial and legal requirements. At a minimum, your profile should incorporate the following contractual information:
- Contract owner
- Type of agreement (master services agreement, statement of work, addendum, etc.)
- Brief description of the contract
- Start and end dates
- Auto renewal provisions
- Termination requirements
- Notification dates for termination
- Service level agreements
3. The Third Party Risk the Vendor Presents
The third component of a complete vendor profile is the identification of the key risks presented by the relationship. Each third party presents a different level of risk when it comes to risk areas such as reputation, operations, transactions and information security. Identifying the risk associated with each vendor by conducting a risk assessment will provide visibility into the appropriate level of due diligence and oversight you need to maintain.
Some of the big risks you want to evaluate and capture as part of your vendor profile include:
- Does the third party collect, store and/or process confidential or sensitive data (e.g. nonpublic information)?
- Will they be using subcontractors or other suppliers/services providers (i.e. fourth parties) in their delivery of services to you?
- Are they on any excluded parties or sanctions lists?
- Are any key executives on politically exposed persons (PEP) lists?
- Is there any pending litigation, or are there any bankruptcies, that could impact the health of their organization?
Remember: knowing these risks only provides you with visibility. A solid due diligence process is where you’ll dig deeper into each risk area to understand what your true exposure may be, and to ensure that you’re comfortable that the risk is being mitigated. This is where you can dig into things like financial health, employment practices and information security practices.