Most of us have them – little bad habits here and there that we’ve become accustomed to and have integrated into our routine. When it comes to vendor risk management, a bad habit isn’t something to take lightly. It can be a costly mistake.
Be preemptive and address any “Don’ts” of vendor risk management that you’re doing and replace them with the recommended “Dos”.
Here are five common scenarios:
DO: Understand that even though your organization outsourced to a third party for insight and assistance, you still can’t outsource the responsibility. You should continue to follow up on the vendor’s progress and stay aware of what is going on.
DON’T: Our organization has outsourced an activity, so we don’t have to worry about it now. It’s no longer our responsibility.
2. Ongoing Monitoring
DO: Remember, due diligence during the vendor selection phase is just one critical phase of the vendor lifecycle. You should also perform extensive due diligence on the vendor as part of your annual or “as needed” ongoing monitoring. Continued oversight and mitigation of newly identified risk are regulatory requirements.
DON’T: We performed sufficient due diligence during the vendor vetting phase and have determined the vendor to be satisfactory. Now that we’ve signed the contract, we’re good to go and can sit back and relax.
3. Board Updates
DO: Always, always, always keep the board informed, especially about any concerns that are discovered regarding a high-risk or critical vendor.
DON’T: Our board received an update at our quarterly meeting a month and a half ago, so I don’t need to update them about our critical vendor’s weak financials that I just discovered.
4. Requesting Documents
DO: Get creative. If you’re not having any luck requesting the document by email or phone, then consider an on-site visit. Also, be sure to document every single attempt to reach out. Your examiners and board will want to see the efforts.
DON’T: I can’t get in contact with the vendor to obtain the SOC report. Oh well, I’ve tried.
5. First Line of Defense Communication
DO: Consider what the first line has to say. They are your eyes and ears on a daily basis. They can give you some of the best insight regarding the vendor’s responsiveness, performance and product/service quality.
DON’T: The first line communicates with the vendor, but management should be the only ones to determine if the organization considers the vendor relationship to be a good fit or not.
As you can imagine, from my many daily discussions with industry clients, I could list dozens of bad-habit scenarios that I’ve seen. Revisiting your processes is a good way to validate that they fall under the dos of vendor risk management instead of the don’ts. By breaking a bad habit as quickly as possible, you’re setting your organization up for vendor risk management success.