When it comes to setting a budget for vendor management, some organizations try to say they have no budget. This may come off harsh, but that can't be right. You can’t spend $0 on proper – proper being the key word here – vendor management.
Other organizations aren't sure how much they should be spending or what they should request from their budget committee to give them what they need. So, let's go over some items to consider when setting a vendor management budget.
6 Vendor Management Budget Considerations
1. Employee salary expenses
Sure, you need a team to do it, right? It’s sometimes difficult to hire enough of the experienced and highly qualified professionals you need. Another, cheaper option is outsourcing a particular part of a function, such as the review of a SOC report, to an external expert.
2. Subscription-based resources
A best practice is to make sure you have a team with the qualifications and time available to address each of the six pillars of third party risk management. To supplement their efforts, you’ll likely need subscription-based resources like an automated monitoring platform that is looking for any negative news, complaints or significant changes in your third parties. Google News alerts simply aren’t enough these days.
You may be wondering how much something like that can cost. It varies, depending on the provider you choose. However, do your due diligence. Find the best subscription-based product for your organization, at a price that is within “budget”, and weigh the pros and cons. If catching something sooner rather than later saves your organization from a third party data breach, or something like that, think about all of the underlying costs you save.
3. Required due diligence documents
Those always include items like OFAC checks, Secretary of State checks, Dun & Bradstreet reports, LexisNexis searches and more. As for pricing, it’s difficult to give exact, or even ballpark, figures as they will vary greatly. It truly depends on the company you choose and their quality, any volume discounts, etc.
However, to save cost, you can choose to keep this in-house, as you can do some of it yourself at a nominal fee. For example, you can pull a Secretary of State check on your own and you can run an OFAC check on the OFAC website.
4. Travel expenses associated with making an on-site visit to your most critical vendors:
There’s a real investment of both salary and travel expenses in doing those sorts of visits. These visits are worth the money though because this is an opportunity to accomplish the following:
- Test the vendor’s physical security controls at their location
- Interact with staff you normally wouldn’t, which could help with grooming a better vendor relationship long-term
- Show the vendor you take third party risk management seriously and need their undivided attention to address issues important to you
5. You should also consider the expenses associated with keeping your team well-educated by attending webinars and conferences:
As far as conferences go, Risk Management Association (RMA), Global Financial Markets Intelligence (GFMI) and Marcus Evans – to name a few examples – are great, and all have focused conferences. You typically can expect to spend somewhere in the ballpark of $2,500 between registration and travel. The amount will fluctuate heavily depending on the type of conference, where you have to travel, how many people you’re planning to send and the duration.
And, of course, we recommend our educational webinars and online bootcamps. They’re free and you can earn CPE credit!
6. Engage an audit firm or other experts to occasionally review your program and its performance:
This will help identify, document and provide an opportunity to remediate any problems prior to an official regulatory examination.
Remember, take credit for the investment of time, talent and resources and show your examiner the organization is making a real effort throughout the year by spending actual money on these items. Yes, all of these steps have costs, but it’s a proactive way of protecting your organization and your customers.
In addition, it’s a preventative measure against receiving any type of enforcement action. As a reminder, those could cost you significant amounts, as organizations typically receive things like large penalties/fines, sometimes mandatory monetary relief to customers for any wrongdoing, and even pay a great deal in legal fees to respond to and address complaints. It can really add up.
Overall, good results in vendor management usually mean there’s been a focus and investment in the program.