Many of us understand the difficulty of forming good habits, like healthy eating or exercise, when they’re not a part of our regular routine. Similarly, bad habits like procrastination or irregular sleep patterns are difficult to break. When it comes to vendor risk management, it’s equally important to establish good habits, while also removing any bad habits that can lead to costly mistakes.
It's a good idea to be proactive and address any “don’ts” of vendor risk management that you may be doing and replace them with the recommended “dos”.
Here are five common areas to review:
DO understand that even though your organization can outsource a product or service to a third party, you can’t outsource the risk. You should continue to monitor the outsourced activity and be aware of what’s going on.
DON’T forget about the activity’s risk because it’s outsourced. Remember that the risk is still your responsibility!
2. Ongoing Monitoring
DO remember that due diligence during vendor vetting is just one critical stage of the vendor lifecycle. You should also perform extensive due diligence on the vendor as part of your annual or “as needed” ongoing monitoring. Continued oversight and mitigating new risk are a regulatory requirement.
DON’T treat the due diligence process as a one-and-done activity that can be set aside after the contract is signed. Doing so will prevent you from identifying and addressing any emerging risks.
3. Board Updates
DO keep the board regularly informed and updated, especially about any concerns that are discovered regarding a high risk or critical vendor.
DON’T wait to update the board about any new findings with your critical vendors. Just because the board received an update at a recent quarterly meeting doesn’t mean you should wait until the next meeting to inform them of any new discoveries.
4. Requesting Documents
DO get creative if you’re not having any luck requesting the document by email or phone. Consider an on-site visit and be sure to document every single attempt you’ve made. Your examiners and board will want to see these efforts.
DON’T give up when you can’t obtain the required documents. It may take some effort, but it’s a necessary step within the due diligence process.
5. Vendor Owners of First Line of Communication
DO consider what the vendor owner has to say. They are the eyes and ears of your vendors daily. They can give you some of the best insight regarding the vendor’s responsiveness, performance and product/service quality.
DON’T give management sole authority to determine if the vendor relationship is a good fit or not. It’s best to collaborate with the individuals who will be in direct communication with the vendor.
As you can imagine, with many daily discussions with industry clients, there are many other bad habit scenarios. Revisiting your processes is a good way to validate that they are falling under the “dos” of vendor risk management instead of the “don’ts.” By breaking a bad habit as quickly as possible, you’re setting your organization up for vendor risk management success.