Businesses often work with vendors to improve different aspects of their operations. Third-party access to secure systems and sensitive information poses significant risk to companies and their customers. Organizations commonly struggle to implement a comprehensive approach to vendor management because of barriers such as a lack of standardized and centralized processes, no formal single point of contact, no central repository of vendor records, and limited adoption of vendor management policies.
Businesses must evaluate new vendors thoroughly and continue monitoring throughout the term of service. A strong vendor management program is critical to building a proactive approach to risk management.
Designate someone in the organization to be responsible for vendor management, including approval of vendors and ensuring compliance with the company's approved policies and procedures. Consider making a separate vendor management department, or a third party, responsible for vendor oversight: a centralized approach lets those managers build a relationship with each vendor rather than focusing on risk alone.
Policies and Procedures
Develop written policies and procedures to provide a solid framework for the governance of vendors. These policies and procedures should also outline how the company operates in compliance with regulatory requirements. However, not every vendor requires the same level of due diligence. A risk-based approach devotes more diligence and effort to higher-risk vendors than to moderate- and low-risk vendors.
Risk ranking is important to a vendor management program because it differentiates the diligence and documentation requirements among high-, moderate- and low-risk vendors. This risk-based approach allocates risk management resources where the higher risk exists while still maintaining oversight of low-risk vendors. Consider factors such as whether a vendor provides a mission-critical service, whether it has access to sensitive data, and how frequently its services are used.
Due Diligence and Qualification
Vendor selection is the most important phase of the vendor management process, and companies should strive to learn as much about a potential vendor as possible. Use questionnaires whose questions cover the full breadth and depth of the vendor's compliance obligations. Vendors should also be regularly monitored and audited using similar questionnaires to confirm compliance throughout the term of service. High-risk vendors may require onsite audits. Vendors should provide documentation that supports their audit responses.
All vendors should provide qualifications describing their experience, along with proof of insurance, licenses, references, and certification of their compliance with applicable laws and regulations. Information about each vendor's security, physical access controls, network access, software development management, disaster recovery, termination provisions, training programs, and performance benchmarks should also be obtained.
With a well-rounded solution, implementing and managing a vendor management program can be accomplished reasonably and efficiently.