Elements of an Effective Vendor Risk Management Program
In recent years, many businesses have shifted from complex, inefficient, in-house-oriented processes to a leaner, agile environment by deploying an outsourced strategy. This change can have many benefits to the business including decreased cost, increased productivity and increased flexibility based on company needs. While the benefits appear obvious, the risks associated with these relationships and how to effectively mitigate them often remain less clear.
The risks which need to be mitigated can reside at the third-party vendor, within the organization or both. There a range of associated risks, including:
- Financial Stability
- Financial Reporting
Increasingly, management is leveraging their internal audit function as a resource to assist them with third-party vendor risk. How does internal audit help? Internal audit is tasked with testing the program that management has developed and implemented while providing value-added feedback. Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships, while maximizing value creation and minimizing risk to the enterprise.
A proper vendor management program provides guidance on how to address new or existing vendors and typically includes:
- Formal Policy and Procedure Documents
- Vendor Selection Due Diligence
- Vendor Onboarding
- Ongoing Vendor Monitoring
- Vendor Termination
- Proper Issue Escalation
Once a third-party is determined to be needed, proper due diligence should be executed prior to selecting a vendor. A formal RFP process and approval should be conducted to ensure the appropriate vendor is selected. Credit checks, background checks and in-depth questionnaires assist in mitigating the financial, legal, compliance, and reputational risks.
After due diligence is conducted and a vendor is selected, an executed contract is needed prior to accepting services. The onboarding of new vendors ensures the company and vendor have necessary information and capabilities. An effective vendor management program includes ongoing monitoring activities over the existing vendors. This includes the following:
- Statement on Standards for Attestation Engagements (SSAE 18)/End-User Consideration Review
- Contract Management Procedures
- Vendor Listing Review
- Service Level Agreements (SLA) Review
Many times in reviewing an organization’s vendor listing, it is determined a third-party vendor is no longer needed and proper termination procedures should be followed to mitigate security risk. The organization needs to completely terminate the vendor from all applications to ensure there is no loss of important data.
The final part of an effective vendor management program is proper issue escalation. If there is an issue, how should it be escalated and to whom? A suitable process can help mitigate the total loss in an incident, because proper actions can be taken quickly and appropriately. On an annual basis, the escalation process needs to be reviewed and tested to ensure it remains current in both design and operation.
A proper vendor management program framework aids in addressing the administration of third-party relationship, is updated for new industry or regulatory standards and reviewed annually. With the growing number of third-party vendors utilized within business functions, proper vendor management programs are essential in maximizing value while minimizing risk.
PRTS Intelligence Newsletter - Q1 2019