After publication, Venminder created and released a new, simplified third-party risk management lifecycle that is more user-friendly. Learn why we made this big change here. And, learn the stages of the new risk lifecycle here.
A strong vendor management program is a sound business practice and can be critical to your organization’s success, but it’s also a lot of work. If you’ve ever caught yourself wondering how to liberate your organization’s vendor management program from the overwhelm, here are a few ways that can help create an independently functioning, successful vendor risk management program.
Follow the Vendor Management Lifecycle
Vendor management is not only a best practice, but in many industries it’s a regulatory requirement, too. Every vendor relationship operates as a cycle, marked by specific stages.
The 7 vendor management lifecycle stages are:
- Scoping. Have a clearly defined scope of who does and does not need to go through the lifecycle process. To do this, define what a vendor is.
- Inherent Risk and Criticality Assessment. Perform a risk assessment to review the vendor’s inherent risk and determine how critical they are to your organization.
- Due Diligence and Residual Risk Determination. Conduct initial due diligence to analyze and verify that your prospective vendor meets your needs, comes with a risk level you’re comfortable with and is in regulatory compliance. Mitigating risk gets you to the residual risk.
- Vendor Selection and Contract Management. Now that a vendor has been selected, it’s time to begin the contract process. Vendor contract management includes negotiating the terms of contracts and ensuring compliance, change management and ongoing maintenance of the relationship.
- Ongoing Monitoring. Ongoing monitoring is critical to the success of a vendor risk management program. Risk fluctuates. A vendor’s performance can change at any moment, so it’s important to periodically request, collect and reassess vendor due diligence.
- Termination. If you decide the vendor no longer meets your needs, then you may have to terminate a vendor. This may also involve facilitating a proper exit strategy and notifying the vendor of contract non-renewal.
Do Your Vendor Due Diligence…Then Do It Again!
We can’t stress enough how important due diligence is. And truly, if you can get a good due diligence practice in place, you can tackle a good portion of your vendor management overwhelm. Throughout the entire lifecycle, risk assessments and due diligence are ongoing. So, make sure to establish a list of due diligence requirements and reference it when initiating contact with potential vendors or when reviewing an existing vendor. A vendor due diligence checklist helps ensure all your bases are covered and your process is consistent and repeatable.
Here’s a sample of a good start:
- Confidentiality Agreement, Mutual Non-Disclosure Agreement (MNDA) or Privacy Statement
- Secretary of State Check
- Articles of Incorporation or Business License
- State of Incorporation
- Credit Report
- Financial Statement
- Certificate of Good Standing
- Tax ID #
- Significant Vendor Complaints or Litigation
- Liability Insurance Coverage, Statement of Insurance, worker’s Compensation Insurance, etc.
- List of anyone who has access to your organization's data or information
- Copies of Subcontractor Contracts/Non-Disclosure Agreements
- OFAC Check
- Negative News Search
- Dunn & Bradstreet or Standard & Poor's report
- SSAE 18, SOC 1, SOC 2 and SOC 3 audits or any other information technology related audit (if required)
- Business Resumption and Contingency Plans (if required)
Pro tip: Due diligence is not one-size-fits-all by any means! Define specific processes based on vendor type, such as processing services, technology, marketing, etc., and then perform due diligence and answer the questionnaires that are tailored to the vendor's type.
Lean on Third-Party Risk Management Technology
If you’re not already using vendor management software for your vendor risk program, you’re missing out on efficiency and high-quality results to show off to your team and examiners.
Software can help manage:
- Effective date of the contract
- Termination date of the contract
- Renewal date of the contract
- A set renewal notice timeframe
- Non-disclosure agreement date
- Dates of documents that are incorporated into the contract by reference or that are signed after the agreement (e.g. exhibits, statements of work, work orders, purchase agreements, amendments, etc.)
- Timeframes associated with non-renewal, breach or remedies and notification periods that are established
Less missed deadlines mean more money in your pocket! The use of software can greatly level up your organization’s third-party risk maturity. Add a good software to your arsenal and you can effectively mark one more thing (or twenty) off your to-do list.
Hopefully, with these best practices in mind, you’ll be well on your way to freeing up some brain space and getting your vendor management program back on track.