As businesses grow, the number of vendors they interact with on a regular basis expands accordingly. However, doing so brings an increasing level of risk, which must be carefully managed. Good practice vendor risk management (VRM) involves a structured and systematic approach consisting of the following three lifecycle stages – onboarding, ongoing monitoring, and offboarding.
A Vendor Risk Management Program
One of the drivers for implementing a vendor risk management program is the regulatory requirement or guidance to have such a program embedded in everyday practice. Even where regulators are not explicit about a VRM program, it is implied through broader requirements to manage risks to your organization and to protect your stakeholders.
Particularly in the financial sector, specific regulatory requirements may only apply to material service providers, outsourced arrangements, or perhaps to providers in specific domains such as information technology or data processing.
For example, in the UK, the PRA supervisory statement SS2/21 on Outsourcing and Third Party Risk Management sets expectations for how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and third-party risk management to improve business resilience.
Despite Brexit, the FCA confirmed back in 2021 that the European Banking Authority (EBA) Guidance on Outsourcing Relationships and Guidelines on Outsourcing arrangements will continue to apply to financial services institutions in the UK.
The Three Stages Of Vendor Risk Management
This article will take a closer look at the three stages of VRM, what they entail, and how to combine them into a truly effective VRM program that mitigates the risks of working with vendors around the world.
Onboard New Vendors Methodically And Efficiently
The process of onboarding new vendors starts with initial identification and ends with the signing of contracts. It consists of several steps that organizations should follow to stay on top of the process.
The first step is to identify the vendors with whom the organization engages. This provides visibility and enables organizations to prioritize their VRM efforts as needed. It also helps avoid high-risk vendors and ensures a solid foundation for future risk management and monitoring activity.
If building a VRM program from scratch, finance records are a great place to start when it comes to identifying vendors or reconciling other data that’s already been collected. Once vendors have been identified, they should be tiered based on the potential risk they pose. This can be done using pre-defined categories such as strategic importance, business continuity, information security, compliance, and more.
Ultimately, not all vendors present the same level of risk, so they should be managed and prioritized accordingly to save valuable time and resources. Next comes the all-important due diligence, which will be informed by the initial tiering assigned to each vendor. Conducting this due diligence involves issuing vendors with tailored questionnaires from a standard library to enable a consistent approach.
One of the key benefits of conducting initial due diligence is that it allows organizations to identify potential risks before deciding whether to enter into a contract with the vendor. Doing so helps avoid potential financial losses, reputational damage, and legal liabilities further down the line. Once the vendor has the green light, there is a formal process of contracting and onboarding.
While it is likely to have already been addressed when discussing the initial business case with the vendor, now is the time to ensure clear expectations have been set regarding service level agreements, contractual obligations, and requirements regarding ongoing assurance activities. Signed contracts should then be stored in a centralized repository for consistency.
Ongoing monitoring is crucial
Ongoing due diligence is a critical aspect of vendor risk management but is often the weak link in a VRM program. It isn’t enough to ‘set and forget’ once the contract is signed. It is essential to continue monitoring vendors’ activities and risk exposure regularly. This process enables companies to detect any new or changing risks that may arise from the vendor’s operations or the business environment.
Some of the key areas that organizations should consider when conducting due diligence include SLA and compliance monitoring, contract renewals and updates, certifications and insurance, risk metrics, and incident management.
Naturally, it may not be possible to cover every area for every vendor, so organizations should use their vendor tiering system to ascertain how extensive their due diligence needs to be, based on particular circumstances.
Offboarding is just as important as onboarding
Offboarding is the process of terminating a vendor relationship while also mitigating any associated risks. It is an essential component of the vendor risk management process. It should be handled carefully to avoid potential data breaches or other security incidents that might occur long after the engagement ends.
Vendors might be offboarded for both positive and negative reasons. For instance, a project may have been completed, and the relationship may have come to a natural end. Conversely, offboarding may happen because the relationship was terminated due to sustained non-performance. Regardless of the reason, offboarding should still be conducted swiftly and thoroughly at the conclusion of the relationship.
Just like onboarding, there are a series of steps that should be followed to ensure the offboarding process is completed thoroughly. The first step should be to review termination clauses in the contract with the vendor being offboarded. Consider any clauses that will survive beyond the termination of the contract that need to be adhered to and how they will be managed.
Once that is done, attention can be turned to the more practical aspects of the offboarding process. These include the termination of any access rights the vendor may have (both physical and virtual), the cleansing of sensitive data on both the organization’s and the vendor’s side, updating of financial records and promotional materials, organizing the return of goods/inventory the vendor may still have, and the completion of any services still outstanding.
In many cases, offboarding may require a coordinated approach across multiple teams. At a minimum, a checklist approach can ensure each item has been addressed, while automation tools can be used to improve the assignment of owners and tracking of completion.
An Essential Part Of A Modern Business Practice
Successful businesses work with a wide range of vendors and partners on a daily basis. However, as time goes by, relationships can change, which is why a robust and effective VRM process is fast becoming an essential part of modern business practice.
While the idea of VRM can be daunting, the use of a tried and tested template like the one laid out in this article, combined with process automation where possible, can quickly turn it into a stress-free process that keeps businesses protected for many years to come.
Written by Craig Adams
Craig Adams has been with Protecht since 2020 as the Managing Director for EMEA to support the development of the company in this region. Craig has over 15 years of leadership experience working with a number of SaaS vendors helping them scale and grow their EMEA business.
Craig previously worked for a top 50 SaaS vendor. Prior to that role, he ran his own sales & marketing consultancy firm providing interim leadership services for North American SaaS vendors to incubate & scale their EMEA operations.
Craig has worked in the software industry for companies such as Diligent, HP, and TITUS.