Welcome to this week’s Third Party Thursday! My name is Brittany Padgett and I’m the Content Strategist here at Venminder.
In today’s session, we’re going to discuss the fundamental 6 elements of vendor management. We’re going to dive a little deeper into what each one means and some ways to incorporate these pillars into your program.
- The first pillar is Selecting a Vendor. It’s essential to have a strong process for selecting new vendors as needed. Some documents and information we recommend you consider include:
  - Do a secretary of state check
  - Research for customer complaints
  - Conduct an OFAC check
  - Review their business license
  - Simply scan the internet for negative news. It’s very easy to set up Google news alerts to assist with this.
  - Confirm their tax ID #
  - And run a D&B report
Doing these 7 things will help give your organization a solid foundation of information to help you determine if the vendor aligns with your strategy and, ultimately, your goals. Of course, this process is dependent on your organization’s vendor management policy, so you may want to consider additional due diligence.
- The second pillar is the Risk Assessment. This is essential to evaluating the risk a vendor poses to your organization. Remember, you want to determine the business impact risk, aka if the vendor is critical to the organization or not, and rate the categories of regulatory risk, such as strategic, financial, reputational, etc. Usually these ratings are low, moderate and high risk.
- The third pillar is Due Diligence. This step is critical to a successful relationship. Request essential due diligence documents, like a SOC report, financials, information security documents and do a thorough review. It’s important to not have a check-the-box mentality and to have a subject matter expert perform the analysis.
- The fourth pillar is Contractual Standards. In this step, you’ll want to make sure the contract includes exactly what both parties are setting out to accomplish by entering into this contractual relationship. That means the vendor’s responsibilities and your responsibilities. Consider the following:
  - Any negotiation that needs to be conducted
  - If the contract is to end, what the termination process looks like. In other words, notice periods, the return of data assets, and transition and exit strategies
  - Also, keep in mind the entire lifecycle while outlining responsibilities
- The fifth pillar is Reporting. Reporting should be standardized and comprehensive. You’ll want to produce reports that can be presented to senior management, the board and examiners.
- We’ve finally made it to the sixth pillar which is Ongoing Monitoring. Unfortunately, ongoing monitoring is an often-forgotten step in vendor risk management, but it really shouldn’t be. It’s very important! Your regulator expects your organization to revisit and fully analyze your vendors on a periodic, ongoing basis. Not just during vendor vetting. This helps eliminate unknown risk and can assist with things like the following too:
  - Discovering potential areas of concern
  - Identifying gaps in the contract
  - Noticing weak financials
  - Finding a decline in service levels
  - And learning about any faulty security controls
So, as you can see, ongoing monitoring is essential to protect your organization and customers.
When you combine all of these pillars, you’re looking at a very structured and strong vendor management program.
Again, I’m Brittany and thanks for tuning in to this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.