A strong vendor management program is a sound business practice and can be critical to your organization’s success, but it’s also a lot of work. If you’ve ever caught yourself wondering how to keep your organization’s vendor management program from becoming overwhelming, here are a few practices that can help you build a successful vendor risk management program that runs on its own.
Follow the Vendor Management Lifecycle
Vendor management is not only a best practice, but in many industries it’s a regulatory requirement, too. Every vendor relationship operates as a cycle, marked by specific stages. Lifecycles are normally depicted as wheels. The implication is that there’s no real beginning and no true end, just cycles to process your way through and then repeat.
The 7 vendor management lifecycle stages are:
- Planning. Have sufficient plans in place. These governance documents are the foundation of a strong program. Detail how you'll provide oversight to your vendors, with emphasis on critical vendors, and how they may impact your day-to-day operations and ongoing monitoring.
- Risk Assessment. A risk assessment should be completed on every vendor and isn’t a one-and-done exercise. Risk assessments come into play during due diligence & third-party selection and the ongoing monitoring stages of the vendor lifecycle, too.
- Due Diligence & Third-Party Selection. Due diligence happens up front and again as part of your ongoing monitoring efforts. In due diligence & third-party selection, you’re vetting the vendor to confirm that it falls well within the parameters your organization has established for vendor risk management in both policy and procedures, and that it doesn’t pose a level of risk your organization is unwilling to take on.
- Contract Management. Vendor contract management includes negotiating the terms of contracts and ensuring compliance, change management and ongoing maintenance of the relationship.
- Ongoing Monitoring. Ongoing monitoring is critical to the success of a vendor risk management program. Risk fluctuates. A vendor’s performance can change at any moment, so it’s important to periodically request, collect and reassess vendor due diligence.
- Exit Strategy. You can’t simply terminate a vendor relationship and be finished. Often, you don’t fully know where your data is being stored or who’s working on it – whether it’s held only by your third party, by a fourth party or beyond. You also need to consider who has the right to market to your customers post-termination.
- Termination. Have you completed all of these lifecycle stages, including the exit strategy? The vendor is now ready to be moved out of the continuous lifecycle.
Do Your Vendor Due Diligence…Then Do It Again!
We can’t stress enough how important due diligence is. Truly, if you can get a good due diligence practice in place, you can remove a good portion of the burden from vendor management. Throughout the entire lifecycle, risk assessments and due diligence are ongoing. So, make sure to establish a list of due diligence requirements and reference it when initiating contact with potential vendors or when reviewing an existing vendor. A vendor due diligence checklist helps ensure all your bases are covered and your process is consistent and repeatable.
Here’s a sample of a good start:
- Confidentiality Agreement, Mutual Non-Disclosure Agreement (MNDA) or Privacy Statement
- Secretary of State Check
- Articles of Incorporation or Business License
- State of Incorporation
- Credit Report
- Financial Statement
- Certificate of Good Standing
- Tax ID #
- Significant Vendor Complaints or Litigation
- Liability Insurance Coverage, Statement of Insurance, Workers’ Compensation Insurance, etc.
- List of anyone who has access to your organization's data or information
- Copies of Subcontractor Contracts/Non-Disclosure Agreements
- OFAC Check
- Negative News Search
- Dun & Bradstreet or Standard & Poor’s report
- SSAE 18, SOC 1, SOC 2 and SOC 3 audits or any other information technology related audit (if required)
- Business Resumption and Contingency Plans (if required)
Pro tip: Due diligence is not one-size-fits-all by any means! Define specific processes based on vendor type, such as processing services, technology, marketing, etc., then perform due diligence using questionnaires tailored to that vendor type.
Lean on Third-Party Risk Management Technology
If you’re not already using vendor management software for your vendor risk program, you’re missing out on efficiency and high-quality results to show off to your team and examiners.
Software can help manage:
- Effective date of the contract
- Termination date of the contract
- Renewal date of the contract
- A set renewal notice timeframe
- Non-disclosure agreement date
- Dates of documents that are incorporated into the contract by reference or that are signed after the agreement (e.g. exhibits, statements of work, work orders, purchase agreements, amendments, etc.)
- Timeframes associated with non-renewal, breach or remedies and notification periods that are established
Fewer missed deadlines mean more money in your pocket! The use of software can greatly level up your organization’s third-party risk maturity. Add good software to your arsenal and you can effectively mark one more thing (or twenty) off your to-do list.
Hopefully, with these best practices in mind, you’ll be well on your way to freeing up some brain space and getting your vendor management program back on track.
Use this handy checklist to make sure you're on top of third-party risk management. Download the checklist.