3 Tips for People Who’ve Fallen into Vendor Risk Management

Unlike others that have come before it, this fall season brings unprecedented circumstances and new expectations. Many of us are wearing more hats than usual, and some that aren’t quite our style. But, that’s just the way it is sometimes, right? We set out with all our well-thought plans, and then life happens. But even in not-so-pandemic times, learning to ride the tides of change is key for living a happy and successful life.  

Whether you find yourself a newly appointed homeschool teacher or your organization has entrusted you with roles far outside of your job title, and maybe perhaps both, we can choose to let the waves hit us, or grab a surf board.  

Now that we’ve got the timely, inspirational idioms out of the way, let’s get specific.  

Third-party risk management is not a career field people generally pick out of college. The concept of managing contracts has been around for a long time, but it was one of those no-brainer administrative tasks like putting files in a filing cabinet. As the corporate world has changed from filing cabinets, to shared files, to Dropbox and databases, so have the tasks around managing business relationships.  

My point is, what used to be a simple task is now a much larger undertaking… and it often has a way of being handed off to various people throughout an organization without also providing the appropriate training and resources. You’ve probably experienced this, or are experiencing it now, and are familiar with the feeling of being up “the creek” without a paddle.  

What to Do When You Fall into Vendor Management

Step 1: Learn About Third-Party Risk Management

First things first: Learn everything you can. Third-party risk management is a task-heavy process with a lot of metrics, touchpoints and stakeholders. If you start chipping away at tasks and issues as they arise, you’re well on your way to a never-ending cycle of putting out fires. Try to get the big picture. When in doubt, start with the third-party risk management lifecycle to get you started. It’s really important to adhere to each phase of the lifecycle and figure out what your industry’s requirements and best practices are. 

Here are some important questions you’ll want to get answers around:   

• Who (internally and externally) will you need to tie into your process?  
• What metrics are you responsible for tracking and reporting on?  
• What does your board or C-suite prioritize?  
• How are risk assessments conducted?  

Then, using this information, plan how to best leverage the resources you have and create a good case for why you may need more.  

Step 2: Equip Yourself with the Right Tools

When the wave hits, you’ll want a surfboard or a boat. If you’re headed down the wrong creek, you’re going to need a paddle. And, if you’ve fallen into vendor risk management, you’re going to want the right tools.  

Start by asking yourself these questions:  

• Who will be managing and maintaining the contracts themselves? Where will they be stored?  
• How will we maintain vendor risk information? Where will that be stored? What metrics do we need to maintain?  
• How will we communicate with and/or assign tasks to vendors and/or stakeholders?  
• Who will reach out to vendors for due diligence documents? Where will these documents be maintained?  

Vendor risk management has evolved well past the capabilities of filing cabinets, Excel and SharePoint. There are many moving parts; internal and external taskings; a slew of data elements to be collected, maintained and reported on; documents that need to be tracked, maintained, organized (to say the least), and many more functions that require extensive administrative support.  

Allow me to repeat myself: A good third-party risk program will inevitably require extensive administrative support. Having the right tools and/or platforms to automate vendor management tasks as well as maintain various data elements can make a world of difference. It will also free up time and resources needed to truly mitigate risk. 

Step 3: Adapt and Adjust Your Plan if Needed

Once you have the ball rolling and you’ve executed the best plan possible, make sure you’re willing to make updates if you notice something isn’t working. Third-party risk management can be adequately executed in various ways, and the best way to do so can be as different as the people on the job. So, if something isn’t working, get your best minds together and try to make informed changes.  

Chances are, you didn’t choose third-party risk management, but any opportunist will quickly learn that this field of work is as challenging as it is rewarding. If you’ve “fallen” into third-party risk management, take advantage of the education materials, tools and resources out there that can help you ride the tides with great success.  

Welcome to third-party risk management… and remember, we’re here to help.  

Once you've gotten started in vendor management, you need to create your documentation. Use this eBook to help.