Multipart article

Definitive Guide to Vendor Risk Management

Try Smartsheet for Free

Nearly all organizations need to work with vendors or third-party suppliers. Vendors supply manufacturing companies with the equipment and parts for operations; for a restaurant, vendors supply the produce, meats, and so forth for your menu. Managing risks posed by a vendor a third party - not just to their own business, but to yours as well - is a critical aspect to running a successful business or nonprofit.

In this article, we’ll discuss the best ways to identify risks that vendors and third parties may pose to your business, and how to prevent and mitigate those risks. These include having strong vendor relationship management practices in place, as well as identifying and activating vendor risk management systems. We will also look at the types of risks that vendor actions and behavior may bring to your company, and how best to protect your organization and reputation.

Three prominent vendor risk management experts will also share tips and best practices in a variety of fields, including the medical field, where HIPAA compliance can be a huge risk. The experts also provide advice on how to pick a vendor for the first time to help minimize risk, as well as ongoing processes that can keep third-party risks in check.

What Is Vendor Risk Management and Vendor Relationship Management?

It’s important to understand who or what a vendor is in the context of business projects and goals. Vendors and third parties to any organization can provide a small, one-time need for a single project, or can be an ongoing business partner. Common vendor scenarios include:

  • A seller in the supply chain of a piece of equipment a company needs. For example, a company who makes electrical outlets and sells them to a car manufacturer.
  • An individual who sells his or her services to a company for a one-time or ongoing need. For example, a landscaper hired to do a grounds cleanup for a company once, for a fixed amount of money (and this could also lead to an ongoing vendor relationship).
  • Anyone who provides a good or service to an organization. These can be companies or people who provide supplies, services, consulting, and any other goods, once or for a long-term period.

Vendor management is a company’s oversight of the relationships with the vendors, from acquiring them through the delivery of the required goods and services onto the final evaluation. The person in an organization who oversees these relationships is called a vendor manager and can reside in any segment of the business from human resources to supply chain. However, other stakeholders or employees in the organization may manage the relationship more directly on a day-to-day basis.

Vendor risk management is an important component of vendor management. Vendors and third parties can pose many risks including financial, reputational, compliance, legal, and more. Therefore, it’s always in a company’s best interest to protect itself from vendor risks - before entering into, during, and even after the vendor relationship ends.

A vendor risk management plan is an organization-wide plan that outlines the types of behaviors, access, etc. that both company and the vendor have agreed on. This document should reflect deep consideration by both parties. Furthermore, the plan details required testing and insurance in order to maximize the vendor’s ability to do his or her job, but without compromising the company in any way. Depending on the vendor and service or material provided, these relationships may be spelled out step by step, with checklists, to ensure that all steps are followed. The entire organization must buy into the process, and it should provide visibility to the compliance, HR, and legal teams as needed.

Who Are Third-Party Vendors? Assessing Your Vendor Risk Landscape

As mentioned above, vendors can be virtually anyone doing business with your company. These third parties can include:

  • Manufacturers and suppliers (everything from construction materials to cafeteria food).
  • Service providers, including janitorial services, paper shredding services, consultants, and advisors.
  • Short-term and long-term contractors. Managing risk means ensuring consistency and visibility, so it’s crucial to hold short- and long-term contractors to the same risk management standards. Access and other types of secure information may be different for the role a vendor plays, but regardless of the contract length, the rules around access should be the same.
  • Those of widely varying skills and backgrounds, such as IT experts, developers, designers, lawyers, real-estate developers, meeting leaders, analysts, sales teams, customer-service reps, and more. Essentially, this type of vendor is anyone who provides a service for and to the company that’s not on staff.
  • Contracts of any length. The Internal Revenue Service (IRS) has regulations about vendor and third-party relationships that go on beyond specific time frames, so even the length of a contract can pose a risk to a company. The IRS’s view is that if a vendor is working onsite, with a company email address, etc., for longer than specified periods, then that vendor or independent contractor should be classified as an employee who receives benefits. Each industry has different regulations, so contact the IRS for clarity. However, the IRS often decides that workers are employees if their situations are not clear-cut. This checklist provided by the state of Oregon can help employers decide if a worker is a true independent contractor or third party, or an employee.

This graphic portrays the life cycle of a vendor relationship:

The life cycle of a vendor relationship has a beginning and an end, although after the conclusion of the contract, both parties can revisit, renew, or sign a new contract.

Ensuring Proper Vendor Relationships: Who Oversees What?

When beginning a vendor relationship, make sure that your vendor and third-party relationship complies with the overall governing body that oversees your specific relationship. Different verticals and companies are governed by different vendor guidelines. Here are a few of the governing bodies you may need to work with, depending on your industry:

For health-related vendor risk management, it’s critical to make vendors sign a Business Associate Agreement (BAA).

Companies Can Face Vendor Risks Through Their Actions and Relationships

Companies can face a host of risks by engaging in business with a vendor or a third-party. Especially where confidential, sensitive, proprietary, or classified information is involved, companies can be taking a huge risk by entrusting data to an outside entity. Here’s a sampling of the types of risks that vendors can pose:

  • Breach of legal or compliance regulations, especially with governmental, financial-sector, and military contractors.
  • Breach of HIPAA (the Health Insurance Portability and Accountability Act) regulations that require protected health information (PHI) to be secure.
  • General legal issues, which can result in lawsuits, termination of relationships, loss of work, and more.
  • Data security, since companies must determine which vendors get what level of access, and how. For example, Will a vendor use a company-provided laptop with embedded security to gain access to sensitive data for a project for a limited period of time?
  • Loss of intellectual property, if a vendor has access to proprietary information and compromises or steals it to use and present as their own.

These are just a few of the risks posed by vendor and third-party relationships - all of which could result in severe losses to the company, including fines if laws were broken.

Richard Lowe is a prolific writer of business-related books, including his latest, Network Your Business to Prosperity: How to Use ‘Know, Like and Trust’ to Expand Your Business. Prior to writing, he was a vice president at two consulting companies, and also served as the director of computing for all of Trader Joe’s stores nationwide. He has two decades of experience working with vendors and managing the associated risks.

“One of the many risks I’ve seen over the years is when a vendor has a longer-term relationship with a company, for example on a long-term IT project,” Lowe says. “It can be easy to slowly relax the restrictions as that vendor spends more time with your company.” He has heard of times when a longtime contractor has forgotten a key card, for instance, and an employee, because she is familiar with him, simply lets him in the restricted door. “But it’s important to be as rigorous a year into the relationship as you are on the first day,” Lowe adds. Otherwise, that vendor may end up with access he’s not entitled to, and that is where the risks can begin.

 

“Always require that vendors carry professional liability insurance, and vet them for criminal background checks. The more information a company can have about the third parties they work with, obviously, the better.” - Richard Lowe, Principal, The Writing King

Security protocols are especially critical in the IT and technology fields. “A vendor should have to use a more secure VPN line and not just automatically get access to a company’s own network. Make sure to change passwords regularly, and provide vendors with just enough access to get their job done, but no more,” Lowe says.

Having the company IT personnel conduct spot checks of access, proper equipment use, etc., is critical. However, Lowe advises that it’s just as important for a company to follow all of its own procedures, as well as demanding that vendors do, too.

“In many cases of a security breach, someone didn’t follow their own advice,” Lowe explains. So it’s not enough to have a good list of security protocols if the company and managers are lax about enforcing them.

Managing Vendor Risk in Healthcare

In health care, risks can be enormous, says, Michael Herrick, CEO and Founder of HIPAA.host, a risk-security company based in Albuquerque, N.M. The company is focused solely on HIPAA compliance and managing risk in the healthcare industry.

“The guidelines about health information and privacy are spelled out clearly on the Department of Health and Human Services website, but that’s only part of the picture,” explains Herrick. “A stolen credit card number is just a minor hassle and consumer protection laws ensure you'll get all your money back very promptly. But if your healthcare records are compromised, it can affect your medical care, ruin your credit, and take years to straighten out.”

 

“A stolen credit card number is just a minor hassle and consumer protection laws ensure you'll get all your money back very promptly. But if your healthcare records are compromised, it can affect your medical care, ruin your credit, and take years to straighten out.” - Michael Herrick, CEO of HIPAA.host

Herrick says that any vendor handling health-care information covered by HIPAA could put a hospital or medical center at risk. “This includes the FedEx person, people managing information in the cloud - more people than you might think.”

Herrick knew of one case where a paper-shredding security company was working as a vendor to a hospital. After it had picked up its load of classified, protected papers to take back to its facility to shred, the shredding-company truck was involved in a minor car accident that resulted in thousands of papers carrying sensitive information spread across the countryside. In another case, a woman had her health information stolen by another woman who used the first woman’s identity and insurance to receive expensive health care. Even after it was sorted out, the first woman could not access any of the relevant information to come to a resolution, since it was determined that she was not the actual patient. This point prohibited her from getting any of the information on the second woman’s expenditures because of HIPAA regulations.

Vendor Risk Management Benefits: The Underpinning of Any Successful Vendor Risk Management Framework

Dexter Siglin, Senior Vice President of Marketing and Business Development at Net(net), has deep experience assessing and managing vendor risk in the IT world. At a high level, he says, companies can be at risk for not creating an overall methodology or framework for managing vendor risk.

 

“Without an evidenced-based way to gather and measure ongoing vendor performance, they (vendor managers) lose leverage they may have otherwise had to change the vendor’s behavior in a meaningful and impactful way.” - Dexter Siglin, Senior Vice President of Marketing and Business Development at Net(net).

“Most companies have a few subject matter experts who will take it upon themselves to be the watchdog over their area of expertise, but what is lacking by many is an overarching strategy that constantly measures and evaluates the risk across their most ‘strategic vendors,’” Siglin explains. “Without an internalized practice to manage risk, they end up with a poor mix of results due to ad hoc requirements, inconsistent metrics to measure, lackluster staff adoption, and no ongoing action plan to mitigate the results when they are substandard. Most importantly, without an evidenced-based way to gather and measure ongoing vendor performance, they (vendor managers) lose leverage they may have otherwise had to change the vendor’s behavior in a meaningful and impactful way.” In addition, he notes that companies without a vendor risk management platform or framework expose themselves to becoming a victim of predatory vendor practices.

Every vendor risk management framework should be companywide, he says, and should include these factors:

  • Planning ahead, so that addressing risk takes less time and fewer resources.
  • Spelling out accountability from both the company and the vendors.
  • Creating a plan so that, if followed in every instance, the risk is reduced to virtually zero - as long as everyone follows the plan each time.

Creating an Effective Vendor or Third-Party Risk Management Framework

To create an effective program for managing the risks posed by vendors or other third-parties, experts advise being thorough and applying the same criteria to all vendors - adapted, of course, to the type of work the vendors are doing. They suggest following these steps:

  • Recognize and spell out all challenges. In this era of cloud computing and regulatory adaptations, security and compliance are constantly changing. Spell out the cost, the regulatory and compliance bodies, and the amount of resources required to manage the relationship and potential risks.
  • Ensure that the entire corporation is on board with the plan and that there is buy-in from the top executives.
  • Ensure that all third-party contacts address the “right to audit” as well as security requirements.
  • Spell out how monitoring will occur, how reviews and feedback will be conducted, and how risks will be both identified and resolved.

Vendor Risk Management Maturity Model: How to Create and Use One

In creating a strong vendor risk management framework, it’s important to have a working tool, or maturity model, that can help third-party vendor managers assess where and how third-party risks may lie, and where a company’s focus and resources should be prioritized.

A vendor risk management maturity model has two important functions:

  • As a tool against which a manager, executive or other third-party vendor manager can identify and evaluate needs and potential risks.
  • As a living document to measure the relative development of maturity in components in a risk management program, such as determining how various programs and departments are stacking up, where resources should go, and if improvement has been made.

The components in a vendor risk management maturity model include an overview tab, where you can rank various parts of a company according to maturity levels, programs and policies, governance, and contracts.

Creating a Third-Party or Vendor Risk Management (TRPM) Checklist

When you are ready to hire a new vendor or third-party provider, it’s time to begin your due diligence. Also called a “vendor assessment,” this research should be conducted before entering into the contract. These are the critical steps:

  • Ask for a list of references from the third party’s trusted, prominent clients
  • Ascertain whether the vendor is financially solvent (request most recent financial statements if needed)
  • Verify they have liability insurance
  • Verify whether they have the necessary additional licensing and regulatory compliance, such as HIPAA training, governmental security clearance, or financial regulatory compliance
  • Conduct a background and criminal check, including any complaint history from the state attorney general, the Better Business Bureau, etc.
  • Assess whether the vendor can deliver the expected level of service — determine if the vendor have the proper security controls, technology architecture and expertise
  • Review the terms of the contract including terms, renewal/notification requirements, required service levels, etc.

Top Features to Consider in a Vendor Management Software System

When shopping for a vendor management system or software, the main feature your business will likely need and look for is the solution’s ability to integrate easily into your existing tools and systems. Here are some specific things to consider when considering different brands of vendor management tools.

Download Checklist Here

Be sure to spell out how you will conduct ongoing check-ins and measure efforts. There should be accountability and transparency on both sides.

Vendor Risk Management Best Practices

For vendor risk management to be successful, experts say, it’s critical to follow these best practices:

  • Consistency: There is no point in having a policy if the company managing the vendor doesn’t follow the protocols, says Richard Lowe. “Breaches by vendors almost always are caused by someone’s failure to enforce their already-existing rules and protocols.”
  • Transparency: Third parties need to know exactly what you expect, and when, so that they can meet or exceed the terms of the agreement. No vendor (or company manager, for that matter) should have to guess what actions or accesses might pose a risk.
  • Ethics-compliance: Having done the due diligence of the governing bodies as well as the company’s stated ethics practices, it should be clear which types of activities have a zero-tolerance policy and so on.
  • Agreement on Processes: Decide early on how risks will be identified, monitored, and reviewed, and who is responsible.
  • Ongoing Relationship Management: Cover every step of the relationship, from the bidding process through termination of project and relationship.
  • Set Timeframes and Measurements: Spell out all check-ins, schedules, deliverables, and how they will be measured.
  • Industry-specific Details: Pay extra attention to verticals with special requirements and compliance such as the government, the military, the financial sector, healthcare, and cyber-security.

How to Address a Vendor Breach and Rectify the Issue

There are endless ways a vendor can put a company at risk, from active criminal acts like theft or consciously leaking confidential information, to accidental issues like not taking appropriate security precautions. Delays in the schedule, failing to fulfill contracts, going over budget, and cutting corners on a project can also result in company damage.

If the vendor risk management framework detailed above was put into place at the beginning of the project, the company needs to act quickly to follow the already-laid-out protocol for the outlined consequences. These can include anything from a reprimand to termination of the third-party relationship to legal redress. The best way to manage risks vendors pose is to identify a protocol early on that mitigates or even eliminates those risks.

How to Choose the Right Vendor Risk Management Software for Your Company

Dexter Siglin of Net(net) believes technology is a critical component to ensuring compliance and risk management. He says it’s best to regularly audit any software vendors’ services.

“Within many companies, the top 10 technology suppliers comprise 70 percent or more of the IT budget, and of those top 10, most have something to do with software,” Siglin says. “These vendors typically know which customers have risk management practices in place – and those that don’t. Of those two, which would you guess gets hit with audits and have penalty exposure that can run into the millions in the blink of an eye? It’s the latter, of course, because vendors know where the path of least resistance is.

“But if you have a risk management practice in place, you are likely prepared for an audit and can easily defend it,” Siglin continues. “More to the point, [you’ll] have additional leverage to drive desired performance in other areas with the same vendor. At a minimum, a company without a formal practice can and should consider a SaaS tool that has risk management KPIs, service level agreements, and watchlist items built-in, that can be applied to their most strategic suppliers - and start measuring immediately.”

Siglin says that these software solutions “are typically inexpensive and purpose-built, so companies don’t necessarily need to spend millions on consultants to tell them what a simple tool with a built-in methodology can do for them now.

“The results we see are amazing, after even a few short months of measuring and seeing the results of just a few KPIs on a strategic vendor. Measurement turns perceptions to reality and results from anecdotal to fact-based. Only then can you start to consider that your risk is managed,” Siglin adds.

Vendor risk management software should be:

  • Adaptable and scalable to your industry
  • Easily updatable as compliance and regulations change in your industry
  • Easily sharable within your company to achieve the transparency and buy-in
  • Scannable so that it’s easy to identify where risks may lie so that action may be taken quickly

Key features to consider when shopping for effective vendor risk management software include:

  • Customizable assessment forms
  • Intuitive scoring methodology
  • Options to add categories such as health and safety incidents, conflict of interest declarations, or audit forms and outcomes
  • Shareable dashboards for all stakeholders to view
  • The ability to perform ongoing analysis
  • The capacity to create and host documentation
  • Industry accommodations (tailored to government, environmental regulations, healthcare, etc.)

Vendor Risk Management Educational Opportunities

There are dozens of entities and resources available for businesses and others who do business with vendors and third parties. Since working with other people and groups involves risk in and of itself, it’s critical to have as much education as possible, and to encourage the same of your vendors. Here are some helpful resources:

Use Smartsheet Templates to Manage Vendor Risk Management

Smartsheet is a work management and automation platform that enables enterprises and teams to work better. Its customizable spreadsheet interface with powerful collaboration features allows for streamlined project and task management. Plus, you can use Smartsheet’s vendor management template to store vendor information and view and manage multiple vendor relationships simultaneously.

Visually track project timelines in Gantt View, and quickly assign team members to manage each vendor. Vendor managers will appreciate the real-time updates and email alerts that keep the team informed and up to date. And with Smartsheet’s mobile app, you can easily get in touch with vendors or team members in the field.

Try Smartsheet Free for 30 Days

To learn more about vendor management, check out the Definitive Guide to Vendor Relationship Management.
 

Definitive Guide to Vendor Risk Management

Try Smartsheet for Free