Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring creativity and discipline to finding solutions for even the most complex challenges his clients face.As we have discussed in previous blogs, the focus on vendor relationships and the risks and responsibilities associated with them, is evolving rapidly. At the time of its birth, vendor management was near synonymous with cost management. This perspective was not only close-minded, but also destructive, as organizations neglected to uproot the value that their vendors could have provided.
Vendor Management reached a new level of importance when regulations began popping up in the past decade and compliance became a new motivator to control these relationships. While managing costs and compliance drew more attention to the potential untapped value available from vendors, these factors still failed to reveal the whole picture.
Thanks to the increased practice of sharing private and vulnerable data with vendors, risk is now the main motivator. This third piece to the puzzle brought more structure and consistency to the vendor management process, as organizations began to observe the risks presented by their vendors in a holistic manner. In order to properly evaluate risk, risk assessments must be performed on every vendor, and they should be segmented into tiers of risk based on these assessments. This process requires that organizations get to know their vendors more closely, which in turn increases transparency.
Have you decided which vendor risk keeps you up at night yet? According to the results of a survey conducted during our webinar, 41% of our viewers were most concerned about their vendors falling victim to a data breach.
Data breaches have certainly drawn more and more attention towards vendor management over the past five years or so, and for good reason. Results from a recent Ernst & Young study highlight that 30% of surveyed organizations have experienced a breach caused by a third party within the past two years.
In response, regulators are attempting to ensure that organizations have the tools (such as the SOC for Cybersecurity) to deal with this, as well as the means to proactively mitigate vendor risks. However, this is but one of many areas that vendors present risk to an organization. We will list some of the others below.
6 Important Risks to Manage with Vendors and Other Third Parties
- Strategic Risk – risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with stated strategic goals.
- Reputation Risk – risk arising from negative public opinion. Third party relationships that result in dissatisfied customers, interactions not consistent with policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information and violations of laws and regulations.
- Operational Risk – risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
- Transaction Risk – risk arising from problems with service or product delivery.
- Compliance Risk – risk arising from violations of laws, rules, or regulations, or from intentional or inadvertent non-compliance with internal policies or procedures or with company business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
- Information Security Risk – risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take.
Once organizations have identified the types of risks that their vendors present them, the next step is to mitigate them by developing a set of standardized vendor risk management procedures. An ideal process should look something like this for each vendor:
- Conduct due diligence during sourcing.
- Perform a risk assessment and identify an appropriate risk rating.
- Implement risk-averse contract provision.
- Periodically evaluate the vendor to ensure the risk rating has not changed.
Going through this process of due diligence, risk assessments, and ongoing oversight allows organizations the chance to understand the separate stages inherent to the vendor management framework. In doing so, risk has become an effective motivator in pulling attention towards vendor management, especially when combined with the ongoing concerns of cost control and regulatory compliance.
While vendor management has matured significantly in the past decade or so, there’s still one piece of the puzzle missing – a focus on the untapped value of vendors. Once this perspective is adopted, organizations can finally begin to take a disciplined and holistic approach to controlling costs, facilitating compliance, mitigating risk, and driving value out of vendor relationships.
To learn exactly how to mitigate risk and develop a structured vendor risk management program, be sure to reach out to us with additional questions.
