When we speak about vendor and third-party risk management, we often think about managing risks after a vendor has been selected. In reality, risk exists from the moment a business need is identified. Organizations rely more and more on third parties (think of the small business that uses QuickBooks Online for its accounting needs, all the way to the billion-dollar health system that relies on an outsourced IT provider to manage all of its technology). When the need arises to hire a new vendor, you need to be aware of the various procurement risks that come with it.
Here are a few types of procurement risks that you may encounter, as well as suggestions on how to address each of them:
Poorly Defined Requirements
“We need a new software solution.” “We need to hire a vendor to help us.” These comments might sound familiar if you are involved in your organization’s procurement process. Employees tend to have an easy time recognizing when a third party may be needed to solve a particular problem, but defining the exact requirements that vendors must meet proves to be a much harder task. When you don’t explain exactly what your organization needs, you increase the risk of:
- Under- or overestimating the cost of the solution you are looking for
- Receiving proposals from vendors that wildly vary in scope and price (likely because the vendors didn’t truly understand your organization’s requirements)
- Procuring a good or service that doesn’t address the problem your organization is trying to solve (perhaps your requirements represented only one person’s needs, and not the needs of every stakeholder who will be impacted by the new vendor/solution)
- Creating a contract with a scope of work that is not clear, or that does not completely satisfy the business need
As the risks above show, defining your requirements accurately can drastically improve the outcome of the entire procurement process. One of the best ways to improve requirements development is to increase stakeholder involvement: when everyone affected by the new vendor or solution has a voice, their perspectives get incorporated into the requirements before they go out to vendors. Create guidelines for your staff that prompt them to think about who needs to be involved in developing requirements, and you’ll already be on your way to a better (and less risky) procurement.
Exposure to Information Security Risk
There is typically a lot of “back and forth” with vendors during the procurement process before you ultimately enter into a contract. Depending on the specific product or service that you are procuring, that back-and-forth correspondence could result in the exposure of some of your organization’s non-public/confidential information.
For example, let’s say you are planning to procure a new software solution. You’ve already seen a generic system demonstration, but now you want to go a step further and load some of your real/live data into the system to see how it works first-hand (either via using a trial account or by providing the software vendor with some of your organization’s information to load into the system). This scenario presents a real information security risk. You could unintentionally provide non-public/confidential information to the software vendor before you even have a contract with them.
You can significantly reduce this risk by putting standards in place around data sharing during the procurement process. For example, adopt a policy that only “dummy data” (fabricated test data) may be loaded into a vendor’s system while you are evaluating the product. If non-public/confidential data genuinely must be shared with a vendor before a contract exists, sign a Non-Disclosure Agreement with the vendor first, share the minimum data needed for the evaluation, and confirm that the vendor deletes it once the evaluation ends. Keep in mind that an NDA is a legal remedy, not a technical control: it gives you recourse if the data is mishandled, but it does not prevent the exposure itself.
Noncompliance with Procurement Regulations
Regulatory bodies exist for almost every major industry, and some regulations explicitly address procurement. For example, non-Federal entities (states, local governments, universities, nonprofits and other organizations that receive federal awards) must follow the Uniform Guidance (UG, 2 CFR Part 200) procurement standards when spending federal funds. The UG procurement standards set requirements around the procurement methods to be used (e.g., RFQ vs. RFP vs. sole source), the documentation that must be kept (e.g., the records needed to sufficiently document the history of the procurement), and much more. If the UG requirements apply to your organization and you don’t comply with them, you risk an audit finding or even the loss of Federal funding.
Even if the UG procurement standards don’t apply to your organization, you may need to comply with procurement requirements specific to your own industry. Here are some tips for making sure your organization meets them:
- Review the regulations that apply to your organization and create an inventory of all the various requirements with which you need to comply
- Map your existing policies and procedures to the regulatory requirements to identify any compliance gaps (that is, requirements that are not sufficiently addressed in your organization’s policies and procedures)
- Update your policies, procedures and tools to ensure any compliance gaps are fixed
- Provide staff with the training they need to understand how to comply with the requirements.
Procurement is the first step in the vendor management lifecycle, and it’s important that your organization doesn’t overlook risk at this early stage. Manage your procurements in a thoughtful and consistent manner, and you’ll reduce your organization’s risk exposure throughout the process.