At Vendor Centric, we’ve been advising companies about vendor risk management for years. But not too long ago, the concept of ‘vendor risk’ was one that many companies were just getting their arms around.
So exactly how did vendor risk management start to get traction? Here’s a little background on where it started and where it’s evolved to today.
Vendor risk management (also referred to as third-party risk management) started to come into focus in 2008, when the FDIC issued Financial Institution Letter 44-2008 (FIL-44-2008): Guidance for Managing Third-Party Risk. The guidance was an inflection point for vendor management because it introduced the concept of taking a systematic, risk-based approach to managing vendors and other third parties.
The guidance also established several concepts that have become fundamental to vendor risk management today, such as:
- Performing risk assessments to understand inherent risks of new relationships;
- Conducting risk-based due diligence prior to contracting to evaluate a vendor’s controls and to mitigate the residual risks that remain;
- Following contracting standards to ensure proper risk transfer in legal agreements;
- Performing an appropriate level of ongoing oversight to ensure performance and manage changing risks over the course of the relationship.
Other regulators of the financial services industry, such as the OCC, NCUA, and FHFA, followed the FDIC and issued their own third-party management regulations. In healthcare, the Health Information Technology for Economic and Clinical Health Act (HITECH) extended HIPAA rules to third-party “Business Associates.” And in the municipal and nonprofit sectors, the Office of Management and Budget issued the Uniform Guidance which, among other things, required recipients of federal funding to perform risk assessments and ongoing monitoring of their third-party “Subrecipients.”
States such as New York, South Carolina, and California have also issued regulations focusing on third parties, and more states join them each year. Some of these newer federal and state regulations expanded upon the FDIC fundamentals to introduce other important tenets of vendor risk management, including the need for:
- board and senior management accountability,
- cybersecurity standards,
- termination standards,
- periodic program reviews, and
- compliance attestations.
While the regulations came out at different times and targeted different industries, they all shared one premise: companies need to take a systematic, risk-based approach to managing vendors in order to get more value, and less risk, from these important (but risky) relationships. Risks like:
In today’s environment, if you’re not taking a risk-based approach to managing vendor relationships, you’re playing with fire. Done right, a new vendor management program can be up and running in 90 days or less. Download our eBook, How to Kick-Start Your Vendor Management Program, to learn how.