Now more than ever, managing risks is top of mind – especially those risks related to your vendor relationships. The risks that your vendors bring to your organization should be assessed, mitigated and managed as part of the regular function of your vendor management program. However, during uncertain times such as those we are in today, technology – specifically vendor management systems – can help you efficiently locate key vendor-related information right when you needed it most.
The COVID-19 pandemic is forcing organizations of all sizes, across all industries, to make changes to the way business is conducted. While your organization is altering its operations, it’s important to realize that your vendors are also likely doing the very same thing. This means that you need to be thinking about how the services provided by your third-party vendors (or the potential disruption of those services) could impact the day-to-day operations of your organization. While you may have hundreds (or even thousands) of vendors, you likely only rely on a portion of them for truly mission-critical services. For example, the software vendor you use to manage all of your customer and project information is more critical to your operations than the janitorial services company. It’s these critical vendor relationships that you really want to focus on. Some key vendor risk-related activities that organizations should be performing on an ongoing basis, but especially now, include:
- identifying the most mission-critical vendors;
- collecting, assessing and documenting the critical vendor’s business continuity plans;
- logging and managing issues that need to be remediated; and
- preparing internal contingency plans for critical vendors
Let’s take a look at these activities in more detail, and see how a vendor management system could support them.
Identifying Critical Vendors
Your organization may utilize the services of 10, 100 or 1,000 vendors. Each of those vendor relationships carries with it an inherent level of risk. Inherent risk is the level of risk that exists simply as a characteristic of the type of work the vendor performs. For example, a vendor who manages all of your organization’s network servers and has access to personal/confidential customer information is inherently riskier than the landscaping vendor who cuts the lawn every other week.
By using a vendor management system, internal Business Owners (those people who own the relationship with the vendor) can complete an online questionnaire where inherent risk is assessed. This is called an inherent risk assessment, and they usually contain under ten (10) questions that address the key areas of risk that are most important to your organization. Criticality, while related to but separate from inherent risk, can also be assessed through the use of such a questionnaire. Once responses from Business Owners are collected, you’ll have a record of the vendors who are critical to your operations, and those who are inherently high-risk. Reports can then be run to easily identify these segments of vendors.
Performing Due Diligence
Based on the vendors criticality and/or inherent risk level, you’ll want to perform the appropriate level of due diligence on the vendor before entering into a contract with them. Through the use of due diligence questionnaires, you can ask your vendors a series of questions that will allow you to assess their controls related to the risk you are most concerned about. With regard to critical vendors, something you’ll want to collect is a Business Continuity Plan (or pandemic plan).
Through the use of a vendor management system, you’ll not only be able to automate the process of collecting such plans, but you can also set up the appropriate workflow to have the necessary stakeholders and subject matter experts review them. Your system will also allow you to keep a historical record of your vendor’s responses to the due diligence questionnaire, and more importantly, you’ll be able to populate your vendor’s profile with an up-to-date inventory of key documents (such as their Business Continuity Plan).
Remediating Risk Issues
After you’ve collected and assessed your vendor’s response to your due diligence questionnaire, you may identify certain gaps in their controls that you are not comfortable with. If your organization is willing to accept the risk (rather than pursue an alternate vendor), a good practice is to log this gap in controls as a remediation item. A vendor management system will allow you to assign the remediation item to the appropriate stakeholder, set due dates to ensure the issue gets resolved and keep a historical record of exactly how it was resolved.
Documenting Contingency Plans
Now more than ever, making sure you have Contingency Plans for your critical vendors is paramount. Similar to the way in which a vendor management system can automate the collection of your vendor’s responses to a due diligence questionnaire, it can also be used to collect Contingency Plans that your internal Business Owners are responsible for creating. With the appropriate input from your risk management and business continuity stakeholders, you can establish an online for that asks the appropriate questions related to contingency planning, and your Business Owners can simply submit their answers.
One of our software partners, VendorRisk, provides a vendor management solution that is able to perform all of the key activities I’ve covered in this article. From maintaining an accurate inventory of your vendors, to being able to easily segment critical from non-critical vendor relationships, to utilizing online forms to collect the data that matters most… a vendor management system such as VendorRisk will allow you to effectively manage risk during uncertain times.