Vendor risk management is growing quickly in importance as organizations expand the role and reach of the vendors they use. In their report titled Predicts 2017: Critical Investments in IT Vendor Management Will Enable Growth and Control, the research firm Gartner noted that vendor risk management is continuing to grow as a business discipline and is being “fueled by demands to not only improve vendor contracts and performance, but also to mitigate vendor risks.”
The expansion of digital business, growth of cloud services and increasing regulatory scrutiny of third-party vendor relationships are just a few factors placing a heightened focus on vendor risk management. But not every vendor relationship is created equal. A true, risk-based approach requires organizations to first segment their vendors based on pre-determined criteria, and then establish an appropriate level of ongoing due diligence and oversight activities based on the assigned level of risk. And while the specific activities may vary across organizations, there are five types of risk you want to be sure to address.
1. Data Security and Cyber Risk
No area of vendor risk management is hotter right now than cyber. Vendors continue to be at the center of a growing list of high-profile data breaches. Recent stories about Goodwill Industries, Bronx-Lebanon Hospital Center and Jimmy John’s Sandwiches have (unfortunately) filled the headlines. And it doesn’t look like the problems are going to slow down any time soon.
This is a complex area that requires coordination between stakeholders responsible for IT, security, compliance, legal and finance. The most important thing to do here is ensure there is a comprehensive and clear vendor oversight plan for all vendors that collect, process, manage and/or store data. You need to get the right stakeholders to the table, and you must ensure you have a clear and consistent process for managing these high-risk vendors. You also need to ensure you’ve addressed important contractual issues up front such as data ownership, service levels and indemnification.
2. Contractual Risk
Speaking of contracts, they continue to be a major risk area for most organizations. Since they are oftentimes left to the business owners to negotiate, they don’t always incorporate the risk-mitigation clauses they should.
A simple way to reduce your contractual risk with vendors is to establish standards around contractual clauses, and to create a process that ensures all contracts are reviewed against those standard clauses before they are signed.
Further, you need to get visibility into contracts by implementing a contract management system. I’m amazed at how many organizations have no central system to facilitate the management of their vendor contracts. A contract management system will centralize information, provide visibility into key dates, terms and conditions, and allow you to proactively manage compliance. These systems are relatively inexpensive and, in my opinion, a no-brainer for an organization of any size.
3. Regulatory Compliance Risk
Regulatory compliance risk is the risk that a third party will violate a law or regulation that your organization (or an outside agency) has placed on them as a requirement for doing business with you. This is becoming an increasingly hot topic in many industries. Organizations like health plans, healthcare systems and credit unions, along with those that receive federal grants, are heavily regulated by federal agencies. And in many cases certain regulations pass through to third-party vendors.
If you’re in this boat, you’ll want to ensure your vendor risk management activities enable you to evaluate how well your vendors are complying with the appropriate laws and regulations. This might include regularly determining whether vendors are aware of both new and existing regulations, and whether they have policies and procedures in place to implement them. Data privacy is of particular interest to regulators, making it important to ensure compliance with laws, regulations and best practices proposed by the regulatory bodies.
4. Operational Risk
Operational risk is the risk that your organization will experience a major hiccup (or shutdown) of some segment of your business if a vendor’s processes, people or systems fail. Operational risk goes hand in hand with your reliance on a vendor, and is typically higher with vendors that provide services such as outsourcing, IT systems and data.
There are two good ways to mitigate operational risk: perform periodic on-site and/or due-diligence reviews, and create a contingency plan should you experience a failure with a risky vendor. These two risk-mitigation activities go hand in hand, especially for mission-critical vendors.
5. Financial Risk
Financial risk is the risk that your organization is negatively impacted financially due to a vendor relationship. This can come in two forms: excessive costs and lost revenue.
The risk of excessive costs tends to get the most focus. Most organizations have become adept at managing competitive solicitations and negotiating good pricing. But negotiating a good price has little to do with managing costs, which comes from enforcing contract compliance, effectively managing the procure-to-pay cycle and performing periodic cost and contractual audits. It’s the work done after the vendor contract is negotiated that mitigates the risk of excessive costs.
The other financial risk relates to the reliance on vendors who support your own revenue-producing activities. Examples include fundraising companies, outsourced service providers and fulfillment centers, to name a few. It may also include vendors whose technologies you use to process financial transactions. Problems with these vendors may delay access to revenue or, in the worst cases, result in lost revenue for your organization. It’s important to identify and segment these types of vendors to design the most appropriate diligence and oversight activities, and to also integrate with your operational risk planning as it relates to contingencies.
There’s no shortage of risks when it comes to your vendors, but remember: risk varies from vendor to vendor. The key is to carefully assess risk so you can properly segment, and efficiently manage, your most important and riskiest vendors.