Venminder Blog

The Value of Outsourcing Vendor Assessments

Written by Hilary Jewhurst | Oct 19, 2021 5:00:00 AM

Assessing vendors, or due diligence, is one of the more complex third-party risk management (TPRM) activities. From sending out vendor questionnaires, gathering documents and having suitable risk experts to evaluate the vendor's control environment, the process can be long and time consuming, especially if you manage multiple vendors at once. The good news is that you no longer need to cope with all that work internally.

Over the past few years, many companies specializing in TPRM have expanded their offerings beyond software. As a result, organizations can now increase their capacity, shorten cycle times and improve their due diligence and assessment process through subcontracting. From sending out and collecting vendor questionnaires and documenting requests to risk expert reviews, outsourcing vendor risk assessments is a growing trend and one that makes sense for many organizations.

Three Reasons Why Organizations Are Choosing to Outsource Assessments

Let's examine some of the compelling reasons that organizations should consider this strategy:

Maximizing Resources

If your TPRM program is understaffed, you’re not alone. Even though this is a common situation, it’s less than an optimal one to be in.

To understand why, consider the following:

  • How many new vendors will you have? It can be challenging to predict how many new vendors might enter the onboarding process at any given time. Add that new vendor’s due diligence to your existing annual risk reviews, and it can become overwhelming, stressing your internal resources. When most TPRM programs are seriously understaffed, it only takes one problem vendor or a couple of delayed annual assessments to create a backlog of work that can take months to clear up.
  • Are the administrative tasks cost efficient? Sending and tracking vendor due diligence questionnaires and document requests are administrative tasks but must be done. With so many TPRM teams being understaffed, it makes sense to consider outsourcing those tasks that take more time but require less skill. Your limited TPRM staff only have so many hours in a day to get it all done. Does your organization want to use the same salary hours and human expertise for emailing vendors or addressing more complex or higher-risk issues?
  • What’s the current workload of your internal experts? Internal risk experts responsible for evaluating the vendor control environment are rarely dedicated solely to the vendor risk review process. More often than not, they have other primary duties. Heavy workloads and competing priorities are often the reason for delayed vendor risk assessments, pushing them further down the to-do list.

How outsourcing helps: There are many compelling reasons why TPRM programs need to increase capacity, but adding additional full-time employees (FTEs) isn't always an option. Considering the fluctuating workload and the issues that need attention on any given day, it’s usually difficult to predict how many FTEs are necessary to stabilize the workload. With so much variation in workload, adding FTEs is not always the best option. When an organization outsources vendor risk assessments, there are many benefits, including increasing capacity as needed, or paying on a per basis cost. 

Ensuring Expertise and Accountability

Not all organizations are created equally, and TPRM programs span a broad spectrum of maturity. Unfortunately, it may take a vendor breach, audit finding or regulatory action for some organizations to reexamine the resources and expertise they really need for supporting the TPRM functions.

Here are two issues that can arise with an understaffed TPRM program:

  • Inexperience: Occasionally, through no fault of their own, employees are tasked with filling a risk expert or subject matter expert role when they don't have the depth of expertise necessary to effectively review a vendor's control environment. Sometimes, it's because they’re a backup to a risk expert on vacation. These folks do the best they can, but the risk of errors or oversights is high without that subject matter expertise. Or, in another example, the person responsible for managing facilities is suddenly designated the business continuity expert. While they own the organization's plans for evacuating the office in the event of a fire or other life-threatening scenario, they may not have the expertise to assess a vendor's disaster recovery plan, involving multiple backup data sites, or information security considerations for employees working at home during a pandemic.
  • Inconsistency: Business vendor owners aren't always consistent when requesting of keeping track of vendor due diligence deliverables, resulting in an 11th-hour push to complete due diligence in time to onboard the vendor according to their original schedule, even though the vendor has yet to return the questionnaire or documentation.

How outsourcing helps: When outsourcing the assessment process, many organizations have a higher level of control over the end product than when it is handled internally. Placing your vendor risk assessments with experienced and dedicated resources can result in more efficient and effective outcomes. Contracting these services to qualified companies transfers the educational, administrative and resource allocation responsibilities to the vendor risk management services provider. All of which can be reinforced through service level agreements in the contract.

Many outsourced TPRM servicers ensure quality by hiring only professionally credentialed experts who specialize in a specific risk domain such as information security, finance or business continuity. This means your organization can be confident that the due diligence processes and evaluations of your vendor's control environment will be completed to meet the recognized requirements on time and with the expertise necessary to identify, analyze and manage risk effectively.

Meeting Regulatory Expectations

For many regulated industries, the requirement that vendor due diligence is commensurate with the risk of the product or service is a clearly stated expectation. And, while many organizations might lack the right expertise or resources to accomplish that directive, that excuse will not sit well with regulatory examiners. In fact, outsourcing to TPRM service companies is a practice that even financial regulators support (as mentioned in the proposed interagency guidance) so long as the organization understands that they own the risk and are accountable for the actions of their vendors.

How outsourcing helps: Specific expertise is often needed to review many complex areas such as financial reports, SOC reports and regulatory compliance that varies by industry and location. Failure to meet regulatory expectations around these assessments can often lead to hefty fines or other business restrictions. Outsourcing these assessments to qualified experts will ensure that your TPRM program remains in compliance with examiners so you can avoid regulatory actions.

7 Outsourcing Best Practices

If your organization is considering outsourcing vendor risk assessments, here are a few best practices to keep in mind:

  1. Confirm that the company will provide you services even if you’re not using their software.
  2. Verify the company has certified and credentialed risk experts performing any assessments.
  3. Confirm that the company will adhere to your specific processes and workflows. 
  4.  Review work product samples.
  5. Consider doing a limited test before signing an extended contract.
  6. Make sure you know what’s included in the price offered.
  7. Request customer referrals and follow up on them.

Outsourcing your assessment process can provide many benefits, including adding capacity when you need it, ensuring the right resources are on hand to manage the process and increasing confidence in your vendor risk assessments. Additionally, your internal resources can focus on the plans and issues best aligned to their expertise and authority.
View full post