3 Stages of the Vendor Risk Lifecycle

Onboarding Vendors

Planning for the vendor relationship is an essential first step that includes determining if the product or service is in-scope for your program. First, you must decide that the product and service are in your program's scope and determine who will be responsible for the relationship. You must determine whether or not that relationship will be critical to your operations and identify the risks associated with the product or service provided. Inherent risk and criticality are essential factors to understand.

Here's a brief definition of each term:

• Criticality - This refers to whether a vendor is essential to your business operation. A critical vendor will significantly impact your organization or customers if its products or services fail to meet your expectations. On the other hand, a non-critical vendor could fail to deliver its products or services without significant impact on your organization or customers.
• Inherent risk - This exists naturally, as part of the vendor's product or service, without considering precautions or controls. Inherent risk is typically measured on a scale of low, moderate and high.

Due diligence is another essential step in vendor onboarding. It enables your organization to confirm that the vendor is a legitimate business in good standing and has the necessary controls. The process involves gathering and validating information about the vendor and then having a subject matter expert review the information and provide a qualified opinion regarding the sufficiency of the vendor's controls. When due diligence is complete, you can calculate the level of residual risk (or the level of risk after applying controls.) Ultimately, it's up to your organization to decide whether the residual risk is acceptable and whether it's worth moving forward.

For each potential vendor, you'll want to perform a thorough vetting process which includes the following steps:

• Review the vendor's financial history through audited financial statements or other financial records
• Check for consumer complaints or any other issues that may expose you to reputational risk
• Run an OFAC check to confirm the vendor isn't on any sanctions list

Contracting is the last component of the onboarding stage. It includes planning, drafting, negotiating, approving/executing and managing the legal document between the vendor and your organization. Your contract should identify service level agreements (SLAs) and document any essential controls. Keep in mind that the contract isn't restricted to the onboarding stage of the lifecycle. It plays a significant role throughout the entire lifecycle, including contract renewals and termination.

Ongoing Monitoring of Vendors

Vendor risk and performance can change throughout the relationship, so it's essential to maintain a practice of ongoing monitoring and risk assessment. Ongoing monitoring includes periodic re-assessments, ongoing monitoring of risk and performance and contract renewals. Periodic due diligence is an important activity in this stage. It should occur at least annually for any critical vendor or those with elevated risk.

These practices will help establish a healthy routine of ongoing monitoring and review:

• Establish a monitoring and review schedule based on the inherent risk rating
• Conduct an annual risk re-assessment to identify new or emerging risks or confirm that nothing has changed. (Do this at least annually for critical or high-risk vendors.)
• Create a process to track SLAs
• Report vendor risk to senior management and the board regularly
• Stay on top of important dates, including notice periods for contract renewals and expirations

Offboarding Vendors

The final stage in the vendor risk lifecycle is offboarding or terminating the contract. Sometimes you’ll need to offboard the vendor proactively, simply because the contract has expired, and you no longer have a need for their products or services. Other times, vendor offboarding is reactive, occurring because of performance issues or unmet SLAs. Whatever the reason, you’ll want to make sure that you have a documented termination process to help the process unfold smoothly.

Here are the specific activities involved in this stage:

• Termination –This is the official notification to the vendor that the contract won't be renewed. Although you might notify the vendor of their termination well before the contract expiration, the vendor engagement won't officially be terminated until the contractual date.
• Exit plan execution –The exit plan should include the details reflecting your exit strategy (replacing the vendor or bringing the activity in-house). If possible, the plan should be tested to ensure it's viable. The exit plan should also detail both parties' specific roles, responsibilities and tasks to safely and soundly exit the relationship. Examples include returning or destroying sensitive data and removing vendor access to data, networks, systems applications and physical facilities.
• TPRM closure –After completing the exit plan, there may be a few final steps, such as paying any final invoices, updating vendor status in all systems and archiving relevant vendor material.