(270) 506-5140 CONTACT US
Login
Due Diligence

Vendor Document Management Disasters and How to Handle Them

Aug 28, 2019 by Gordon Rudd, CISSP

I’ve been to a rather significant number of conferences over the course of my career. I’ve found that each session will usually give you at least one pearl of wisdom. However, the gold nuggets we seek are in the interpersonal interactions found during lunch breaks and in the cantina at happy hour.

Earlier this year, I found myself seated at a lunch roundtable with ten risk management professionals.  Someone told a story about a contract auto-renewing for two years that cost his organization several hundred thousand dollars. Then the one-ups-man-ship kicked in, and around the table everyone relayed their story of contract auto-renewal woe.

Later that day, I brought the subject up in the cantina and virtually every one of the 20 or so conference attendees in my little corner of the room told some shocking stories of losses due to missing auto-renewal dates. The first person to offer a story was a woman who had used a $3 million contract auto-renewal to drive home the need for a document management system. I stopped tracking the total losses in hard dollars for the story tellers after thirty minutes and well over $20 million in total losses. Who knew? The number one document management disaster around the world is the missed auto-renewal deadline!  We have all missed a contract renewal date at some point in our careers. So, why don’t we see this coming? Who’s responsible for these failures?

Well, vendor management can help with this! Organizations all go through the same maturation process for vendor management which kind of mirrors the five stages of grief. You know, something like this:

  1. First, denial that there’s any possibility of something as simple and easy as vendor management costing us any hard dollars.
  2. Next, anger as the CEO is furious over the fact that the lack of  vendor management cost  us a boatload of hard dollars.
  3. Third, bargaining with the vendor to try and get out of the contract renewal…it does work about 2% of the time.
  4. Fourth, depression since you must now update your resume.
  5. And finally, acceptance that the lack of an organized methodology for vendor management just cost someone a promotion and your company a boatload of dollars.

You must be a highly organized individual to keep all the plates spinning when it comes to vendor management. Unfortunately, the cheap-o reap-o methodology of using spreadsheets and a shared drive for files just doesn’t cut it.

 Let’s look at some more examples.

Vendor Document Management Disaster Examples from the Front Lines of Defense

Vendor Rom-Com – Missed Auto-Renewal Notice Periods

A vendor in the financial services space likes to have three-year agreements. They have an unusually long notice period - 180 days - supposedly due to the complexity of making a change in the platform. If you ignore or miss this auto-renewal notice period, your firm may have a new three-year agreement with a vendor they want to replace. This will be a mid-six figure mistake. A very costly mistake if you were planning to exit the relationship. You’ll be stuck in the contract even though your business unit may have just signed an agreement with the replacement platform. Ouch!

Business Unit Bungle – Placing All Responsibility on the First Line

Leaving contracts with the lines of business never works out well either. Eventually, someone retires, seeks a new position or is asked to seek excellence elsewhere. When that happens, tribal knowledge is lost. You see where this is going, right? No due diligence. Assuming all things are equal, and they never are, it’s easy in this scenario to go over a year without reviewing or receiving updated documents and this can be detrimental to your organization. You’re setting yourself up for risky situations when you’re not frequently evaluating critical vendors.

Multiple Product Parade – Only Performing Due Diligence at the Vendor Level

If you have multiple products with one vendor but don’t identify that and only collect documents for one product, you’re going to miss pertinent information. What if the vendor uses multiple data centers and the documents that you’re collecting are for a data center that doesn’t service the product suite your organization has? Who’s responsible for that one? You should receive different documents for the different products and services. Otherwise, it will do more than just look bad when your auditors/examiners come calling. You may walk into a data breach.

Shared File Nightmares – Lack of a Centralized Repository

If you don’t have a centralized location for your documents, you can do a lot of hunting for documentation. While this is a concern for examiners, it can result in a nightmare that would rock even Elm Street. You’ve taken the time to get all of the contracts loaded onto a shared file system and have spent months organizing and sorting. Everything looks great. Then someone asks you for documentation. Luckily, you know the exact location but when you navigate your way to the folder where the document should be…it’s empty. Who moved the contract? File systems will fail you at some point. Hoping everyone plays nicely in the file structure isn’t a plan.

No Time for Failure – Poor Time Management Causes a Ripple Effect

If you have poor time management it can lead to all the above. Missed contract dates, forgetting your ongoing monitoring, document deletion and so many, many more horror stories. The bottom line is simple. You don’t have the time and energy to do even an alright job of vendor management without an appropriate platform. Time will cause a vendor management failure faster than your ice cream cone is going to melt on the fourth of July. The failure is inevitable. The scope of the loss, well that is to be determined.

6 Ways to Handle or Prevent Vendor Document Management Disasters

Now that we’ve covered plenty of stories and examples of document management disasters, let’s cover how to handle them when they happen.

  1. Get an appropriate vendor management platform.
  2. Make friends with your business continuity team.
  3. It may seem obvious but stay organized!
  4. Use your vendor management platform for tracking due diligence and contract expiration dates.
  5. Have one central repository for all documents; even the due diligence. Hey, even throw the operating manual into the document repository as well. At least you’ll be able to find it when it’s needed. Remember, personnel will change over time.
  6. Ensure you’re requesting and performing due diligence on every product/service you use – not just the vendor!

Those of us who have worked in vendor management for any significant amount of time have all been there, done that and now own the t-shirt with the “I Missed the Auto-Renewal Notice” logo. It’s never fun. We all start out thinking all we need is a spreadsheet and then as we move through the five stages, we learn a hard truth. You must have a platform or you’re going to cost your organization hard dollars at some point. So, eventually, we all went out and purchased a vendor management platform.

I’m offering you knowledge…knowledge that was won in the crucible of battling against the odds and eventually staring potential failure in the eye and searching for the contact information of that saleswoman who called last week...

Stop the madness! Fix and prevent document disasters now. You won’t regret it.

Collect vendor due diligence documents more efficiently with these 10 steps. Download the infographic. 

10-tips-to-collecting-vendor-due-diligence-documents

Gordon Rudd, CISSP

Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.

Follow Gordon Rudd, CISSP
Subscribe--Bg.jpg

Subscribe to the Venminder Blog