Colleges and universities are experiencing a perfect storm of financial issues: less student revenue due to the pandemic, fewer donations due to the economy, funding cuts from state and federal sources, and the lingering threat of inflation and recession. As a result, higher ed administrators are facing unprecedented budget shortfalls and operational challenges. To stay afloat, higher ed institutions are increasingly outsourcing operational functions.
In February 2021, the Department of Labor published a report on the impact of the COVID-19 pandemic on higher education. The report concluded that colleges and universities had cut more than 650,000 jobs since February 2020, 13 percent of the total higher ed workforce. As of September 2022, many of those jobs have not returned.
Because of staff reductions, many institutions must manage more third-party vendors with fewer resources. Additionally, many departments still work from home, which adds to the challenges. Institutions may have trouble keeping up with these changes if they do not have a third-party risk management program.
What Is Third-Party Vendor Risk Management?
All companies providing products or services to your institution expose the institution to risk. So, effective third-party vendor risk management, or third-party risk management (TPRM), is a necessary practice to protect your institution and its stakeholders. Third-party risk management is the practice of identifying, assessing, and managing the risks associated with outsourcing products and services to third-party vendors.
Suppose your institution has contract management and procurement software, and the IT department manages computer-based vendor vetting and risk assessments. Isn't that enough? It depends on how the systems and departments are involved in the selection and management of vendors. In many institutions, departmental silos prevent information and work products from being shared, leaving critical gaps and weaknesses in the TPRM process. Without comprehensive and effective TPRM, your institution is at risk for cybersecurity issues and events, high costs or lost revenue, compliance violations, and direct impacts to your institution’s name and brand.
Getting Started With Third-Party Vendor Risk Management
Establishing standardized institution-wide policies and processes is critical to creating a TPRM program. Roles and responsibilities for managing the third-party risk management lifecycle must be clearly defined and assigned. This way, all departments are aware of the process and can work together, reducing duplication of effort and breaking down data silos.
Once policies, roles, and responsibilities are established, standardized processes must be created to address vendor onboarding, ongoing monitoring, and offboarding. Fortunately, institutions that follow the vendor risk management lifecycle have an excellent blueprint for managing vendor risk throughout the duration of the vendor relationship.
What Is the Third-Party Risk Management Lifecycle?
The third-party risk management lifecycle is essentially the roadmap for managing vendor risk throughout the life of the contract. Divided into three stages, Onboarding, Ongoing, and Offboarding, each stage involves specific vendor risk identification, assessment, and management activities.
Seven core activities must be performed across the three stages, including:
The Benefits of Third-Party Vendor Risk Management
Institutions that implement and adhere to comprehensive third-party risk management processes and procedures not only protect the institution, but realize other benefits as well.
Let's explore seven key benefits of third-party vendor risk management:
- Identification of Vendor Risk
TPRM will help you identify and assess the risks inherent in the product or service and the vendor relationship. Inherent risk refers to the risks naturally associated with products or services. These risks are measured before any mitigating controls are considered. Common inherent risks include:
- Strategic risks, which arise when vendors make business decisions that don't align with the institution's strategic goals.
- Reputational risks, which occur when vendors provide poor service or their actions are inconsistent with the institution's values and standards.
- Cyber risks, which arise from insufficient or missing data security practices and can result in data breaches and other information security vulnerabilities. Cyber risk is also closely tied to operational risk, especially given the dependence on technology.
- Compliance risk, which is present when the vendor lacks compliance knowledge or doesn't have adequate control systems in place.
- Operational risks, which come in two types: internal and external. Internal operational risk refers to the vendor's ineffective processes, people, controls, and systems. External operational risk comes from outside events such as epidemics, natural disasters, severe weather, or cyberattacks.
Once you have identified the types and amounts of inherent risk present, you can assign a risk rating or level to the engagement. These ratings are typically on a scale of low, moderate, or high risk. Rating the vendors in this way will help you know where to focus your risk management efforts and provide a comprehensive picture of the real risk in your institution's vendor portfolio.
- Process Improvements for Vendor Acquisition
TPRM supports your institution's processes and criteria for issuing Requests for Information (RFIs) and Requests for Proposals (RFPs). By producing a vendor risk matrix, your organization can select new vendors based on a more comprehensive set of criteria. While it's impossible to eliminate all vendor risks, your institution will be better positioned to define its risk tolerance once the risks are identified and understood. This information can also enhance the institution's strategic goals, compliance education and controls, operational capacity, business policies, pricing, service, and quality requirements.
- Better Contract Management
Your institution can use TPRM to aid in the development of contract standards and to define all non-negotiable terms protecting the institution. These terms may include required compliance controls, vendor performance management, mandatory audits and assessments, business continuity, and termination conditions.
- Increased Purchasing Power
Standard policies and systems will enable the institution to consolidate purchasing through the evaluation and management of vendors. For example, you may discover that different departments within the same institution have multiple contracts with a single vendor, often at different prices and terms. Consolidating purchases with a reduced vendor base can help you lower your prices. As opposed to outsourcing with multiple vendors, you will award a higher volume of business to a select few suppliers with acceptable risk levels and a reputation for providing excellent service.
- Improved Quality
Contracts that include quality and performance standards and require mandatory audits give the vendor an incentive to meet the terms of the agreement. Contracts designed to manage risk leave no questions regarding the required product or service quality.
- Better Vendor Relationships
Building healthy vendor relationships begins with setting expectations at the start of every relationship. Holding the vendor accountable through risk and performance management then helps incentivize the vendor to meet performance standards.
- Transparency and Audit Readiness
Transparency in outsourcing can be improved by using TPRM principles to standardize policies, procedures, RFPs, and contracts. If all vendor documents, including contracts, are collected and stored in one TPRM system, duplicate billing, outdated contracts, missed contract renewal dates, and other vendor-related issues can be reduced or eliminated. A single document repository system facilitates easier document collection and record retrieval for audits or examinations.
Third-party vendor risk management is essential for protecting institutions and their stakeholders from unnecessary risk. Beyond the direct benefits of managing vendor risk, it also supports institutional strategy, ensures contractual compliance, and improves transparency and collaboration, enabling institutions to make better long-term decisions. For institutions without formal third-party vendor risk management rules or processes, there is no better time to develop a robust third-party vendor risk management program.