It's no secret that for many organizations, the time and resources for vendor relationship management are stretched thin. This is especially true when vendor inventory numbers are in the hundreds or even thousands, so it’s best to determine which of your vendors (or other third parties) can be safely excluded from third-party risk management (TPRM) activities. However, it may not always be obvious which of these relationships should be in or out of scope. The good news is that organizations can use some tried and true guidelines to determine who should be in scope for vendor risk management. Read on to learn more and help ease the burden of your TPRM responsibilities.
Regulatory Considerations for Vendor Exemptions
Those in regulated industries know they must meet the requirements of established TPRM guidance. This gets trickier when the regulations themselves are changing. As this is being written, the financial industry in particular is still waiting for the final version of the July 2021 Proposed Interagency Guidance on Third-Party Relationships. The proposal broadens the definition of a "third-party relationship" to "any business arrangement between a banking organization and another entity, by contract or otherwise." Although that guidance is specific to banking, financial-sector regulation strongly shapes vendor risk management best practices everywhere. Even with this uncertainty and the potential for further regulatory change, you can still develop a sound (and defensible) methodology to define which third-party relationships are in scope for your vendor risk management program.
How to Determine Exempt Vendors
To determine which vendors are exempt (out of scope), first prepare a complete list of every individual or organization that is paid by, or has a written agreement with, your organization. Accounts payable can furnish most of the paid relationships; agreements that involve no payment (free software, for example) have to come from contracts, legal or procurement records, or they will never appear on the list at all. Include the product or service provided, or the other nature of the relationship, for each entry. Truthfully, this is a time-consuming but necessary process.
Once your list is complete, you can use the following questions as a starting point to help determine whether a vendor should be in scope or out of scope for your organization:
- Is this a government entity? You can eliminate any state, provincial or similar government and any body, board, department, commission, court, tribunal, authority, agency or other organization exercising any executive, legislative, judicial, administrative or regulatory functions. This also includes any organization providing safety or emergency services, such as police and fire departments.
- Is this a public utility? Public utilities such as your local power, water, trash collection services and the like are out of scope. Keep in mind that the key word here is public, as in it’s available to everyone. Don't assume that because it’s water or power it's automatically out of scope. Services meant to serve your specific organization, such as confidential document destruction, bottled or filtered water services, internet or backup power generation, are decidedly in scope for vendor risk management.
- Is this a sponsorship or donation? Sponsorships and donations are out of scope for third-party or vendor risk management. For example, sponsoring the company team for a charity walk, helping a non-profit with an event or placing an ad in the program for a high school musical don't count as third-party or vendor relationships. Other types of donations, such as political donations, should be managed through other internal governance mechanisms and policies.
- Is this a covered travel or entertainment expense? You can exclude hotels, airlines, restaurants, transportation, etc. However, you should pay attention when a payment to an organization is classified as travel and entertainment (T&E) to ensure the type of product, service or relationship falls within T&E norms. In organizations with less stringent or mature T&E expense policies and programs, vendors are sometimes engaged under the guise of T&E to avoid time-consuming or rigorous vendor risk management processes. It happens! Be on the lookout for this scenario.
- Is this a subscription? Many types of subscriptions will be out of scope for your vendor risk management program, including one-off subscriptions for magazines, books, newspapers, digital content (stock photography, music, etc.), industry news or social media websites. Keep in mind that some subscriptions should be included in your program, especially those that provide non-public data or for risk alert and monitoring services that help you make sound business decisions.
- Is this a payee? Here "payee" means a recipient of money that is not in exchange for a product or service: a legal settlement, a payment to a board member, a distribution to an investor. These third parties are out of scope.
- Is this a professional association or conference? Annual dues for professional memberships and conferences should be excluded from your vendor risk management program.
- Is this a product or service offered as an employee perk? It’s becoming commonplace for organizations to offer employee discounts on various products and services—everything from tickets to the amusement park, gym memberships and even automobile purchases. Relationships where the employee directly initiates the purchase or transaction are out of scope. Keep in mind that if your organization collects payment from employees for the products or services or distributes the vendor's products or services to employees, that vendor should be in scope. Your health insurance providers, for example, should be in scope for vendor management.
- Is this a low-value vendor? Many organizations also exclude vendors whose annual spend falls below a predetermined threshold, for example $5,000. The rationale is that most single-use vendors fall into this category: florists, caterers, food or beverage services or even office supplies.
If you choose to exclude these vendors from your third-party risk management program, and deem them out of scope, proceed with caution for the following reason:
There is at least some risk in any vendor relationship, and not every organization is what it appears to be. Small, cash-based businesses, for example, may be exposed to money laundering, health and safety violations or even human trafficking. And a spend threshold says nothing about what you are actually buying: a low-cost software component, or open-source code that costs nothing and therefore never reaches any threshold, can carry substantial risk. None of this means you should spend valuable time and resources reviewing your local bakery's financials; you shouldn't. Your vendor risk management effort should always be in proportion to the risk. But if you never evaluate the risk because a low-value vendor is automatically out of scope, you may be missing something important.
The key here is to clearly define the products and services eligible for this type of exemption and identify how you will keep track of the spending thresholds. Consider asking questions such as:
- How will we know if spending exceeds the $5,000 limit?
- What if there is a lot of repeat business with the vendor?
- How and when would they be re-evaluated for inclusion in the program?
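The three questions above come down to bookkeeping that the accounts payable data already answers, provided someone actually runs the numbers. The script below is an added example, not code from the original article: it runs over a constructed accounts-payable extract, totals payments per payee over a trailing twelve-month window, flags payees that cross an assumed $5,000 exemption ceiling or show repeat business (three or more separate payments), and, for the T&E scenario described earlier, flags payees coded as T&E that show either pattern, since recurring five-figure "travel" to one payee looks like a vendor engaged under the T&E label. The payee names, amounts, threshold, window and repeat count are all illustrative assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed accounts-payable extract for this example; not real payees or amounts.
# Each row: (payee, expense category as coded by AP, payment date, amount)
PAYMENTS = [
    ("Riverside Florist", "Vendor", date(2023, 1, 10), 450.00),
    ("Riverside Florist", "Vendor", date(2023, 6, 2), 600.00),
    ("Acme Shred Co", "Vendor", date(2023, 2, 1), 1800.00),
    ("Acme Shred Co", "Vendor", date(2023, 5, 1), 1800.00),
    ("Acme Shred Co", "Vendor", date(2023, 8, 1), 1800.00),
    ("Cloud Analytics LLC", "T&E", date(2023, 3, 15), 2400.00),
    ("Cloud Analytics LLC", "T&E", date(2023, 4, 15), 2400.00),
    ("Cloud Analytics LLC", "T&E", date(2023, 5, 15), 2400.00),
    ("Hilltop Hotel", "T&E", date(2023, 3, 12), 900.00),
]

THRESHOLD = 5000.00   # assumed low-value exemption ceiling
WINDOW_DAYS = 365     # assumed trailing window the ceiling applies to
REPEAT_MIN = 3        # assumed number of payments that counts as repeat business


def _in_window(paid_on, as_of, window_days=WINDOW_DAYS):
    """True if the payment falls inside the trailing window ending at as_of."""
    return as_of - timedelta(days=window_days) < paid_on <= as_of


def trailing_spend(payments, vendor, as_of, window_days=WINDOW_DAYS):
    """Total paid to `vendor` in the trailing window ending at `as_of`."""
    return sum(amount for payee, _cat, paid_on, amount in payments
               if payee == vendor and _in_window(paid_on, as_of, window_days))


def scope_review(payments, as_of, threshold=THRESHOLD,
                 window_days=WINDOW_DAYS, repeat_min=REPEAT_MIN):
    """Return {payee: [reasons]} for payees that should be re-evaluated for inclusion.

    Reasons, always in this order:
      spend_over_threshold - cumulative spend in the window exceeds the ceiling
      repeat_business      - repeat_min or more separate payments in the window
      te_recurring         - payee coded as T&E shows either pattern above
    Payees with no reason are omitted, i.e. they may stay out of scope for now.
    """
    totals = defaultdict(float)
    counts = defaultdict(int)
    categories = defaultdict(set)
    for payee, category, paid_on, amount in payments:
        if not _in_window(paid_on, as_of, window_days):
            continue
        totals[payee] += amount
        counts[payee] += 1
        categories[payee].add(category)

    report = {}
    for payee in totals:
        reasons = []
        if totals[payee] > threshold:
            reasons.append("spend_over_threshold")
        if counts[payee] >= repeat_min:
            reasons.append("repeat_business")
        if reasons and "T&E" in categories[payee]:
            reasons.append("te_recurring")
        if reasons:
            report[payee] = reasons
    return report


if __name__ == "__main__":
    for payee, reasons in scope_review(PAYMENTS, date(2023, 12, 31)).items():
        print(f"{payee}: re-evaluate for inclusion ({', '.join(reasons)})")
```

Run against the sample data as of year end, the florist and the hotel stay exempt, the shredding service is pulled back in on both spend and repeat business, and the "T&E" payee is flagged on all three counts. Running it on a schedule (monthly, or whenever a new payee is created) is what turns the "how will we know" question into a routine rather than a hope.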
Other Vendor Categories Unique to Your Organization
Your organization may determine that other third-party or vendor types should be out of scope, and that’s okay. But always make sure that you can articulate and document your rationale for any out of scope decision.
Determining vendor scope is crucial for optimizing your vendor risk management program. It will allow you to direct your efforts toward third-party relationships that deserve your focus and resources.