Businesses in the financial services, healthcare and nonprofit sectors are heavily regulated with regard to procurement, contracting and management of relationships with third-party vendors. Complying with those regulations is critical. However, the days of vendor management being purely a ‘compliance’ issue are fading away. More and more organizations are elevating the conversation about vendor management from a focus on compliance to a focus on risk.
That was the sentiment from a panel of vendor management experts at the 3rd Annual Third Party Risk Management & Oversight Summit. Risk, compliance and vendor management professionals from Abercrombie & Fitch, Centene Corporation and Ionic Security shared their thoughts on some of the ongoing and emerging vendor risks that keep them up at night. Pay attention – you may just recognize many of these vendor risks in your organization too.
1. Data Management and Security Risk – In 2017, more cybersecurity breaches were reported than in any previous year. The panelists agreed these breaches are only going to grow in frequency and, most likely, impact. Knowing which of your vendors are going to collect and/or store data, and focusing heavily on how you’re going to monitor and manage data and security risks with these vendors, should be a major concern and focus for everyone.
2. Operational Risk – As reliance on vendors for critical business functions continues to increase, they collectively pose a significant risk to business operations for most companies. Mitigating these risks requires an understanding of key vendors’ own processes and operations, and insight into their health to ensure they can continue as a going concern.
3. Regulatory Compliance Risk – CMS, OMB, GDPR and OCC are only a few of the regulators and regulations that are targeting better management of third-party vendors. Panelists agreed this is only the start, and regulatory compliance requirements for vendor management will continue to expand. It’s critical to integrate your compliance stakeholders into your vendor management program.
4. Geographic Risk – Abercrombie & Fitch sources from all over the world, and has identified 20 countries with a high risk profile. When they work with vendors in these countries, they perform additional upfront due diligence and expand ongoing vendor and contract oversight and management too.
5. Downstream Vendor Risk – An emerging area of vendor risk management is downstream vendors. For example, Centene Corporation (healthcare) outsources nearly all of the work required to deliver care and products to their insured members. This means they rely heavily not only on their direct vendors, but also on the ability of their vendors’ vendors (i.e. downstream vendors) to deliver. Gaining visibility into these downstream vendors, and ensuring they are being risk assessed (and managed), is critical to ensuring consistency of quality care to their members.
6. Reputational Risk – While not a risk on its own, everyone agreed that the worst outcome of problems with vendors can be damage to the organization’s own reputation. Data breaches are a great example. The public and regulatory bodies don’t care whether or not third party vendors were involved – they care that the company they entrusted with protecting their information is doing so. And that requires proper oversight and management of their vendors.
Do any of these risks hit home with you? If so, now’s the time to evaluate your own vendor management program to ensure you’re able to identify, assign responsibility and mitigate these risks before problems arise – if they haven’t already.
This blog is part of a series on vendor management best practices and insights shared at the 2018 Third Party Risk Management Summit. More than 150 vendor management professionals from some of the most leading-edge companies gathered to discuss this growing business discipline.
Vendor Centric specializes in helping organizations create and mature the policies, procedures and systems they use to manage their important vendor relationships. For more information about our vendor management software and services, visit us at www.vendorcentric.com.