Tips to Manage 3 Common Challenges in Vendor Management and Oversight
- November 29, 2022
- Category: Compliance Management
If you are a growing collection business, you are bound to work with more than one vendor to improve your overall collection outcome. These vendors often get access to your systems and sensitive information, which can expose you and your customers to various compliance and regulatory risks. Not to mention, if your vendors do not take regulatory compliance seriously, you may face serious consequences, including financial and reputational risks for your collection business. Putting certain checks and balances in your vendor management practices can help you identify these gaps and mitigate risks by taking corrective actions. As our experts say, it is better to be safe than sorry.
To discuss compliance training, vendor compliance, and more, Research Assistant hosted a webinar with Sara Woggerman (Executive Director of iA Research Assistant and President of ARM Compliance Business Solutions) and Missy Meggison (General Counsel and Executive Editor at insideARM and Executive Director of the Consumer Relations Consortium). In this two-part series, we have summarized key excerpts (in the form of actionable to-dos) from that webinar. This is the second part of the series.
Challenge 1: You do not know how to assess vendor risk
Solution: To set up an effective program for vendor risk management, begin by setting internal responsibilities for vendor risk assessment, vendor audit, and vendor monitoring. Remember, there are differences between conducting risk assessments, auditing, and monitoring.
To evaluate vendor risk, the first step is to identify the correct risk parameters based on the services provided by the vendor. It is crucial to check whether a vendor provides a mission-critical service, has access to NPI data, etc., and then put them in various risk categories accordingly.
Next, revisit how often you should audit your vendors. Consider whether a single yearly audit that covers the breadth and scope of all audit areas is enough to stay compliant and active. If you are dealing with a high-risk vendor, you might want to audit them quarterly. Based on the result of the risk assessment, determine the nature, extent, and timing of your audit procedures.
To continue auditing your vendors throughout their term of service, prepare a set of questionnaires covering the breadth and depth of vendor compliance aspects such as insurance, licenses, and certification of compliance with applicable laws and regulations. If required, add questions about each vendor’s policies and procedures around data security, physical access, network access, software management, disaster recovery, training programs, and performance benchmarks.
As you continue monitoring your vendors throughout the year, log incidents of non-compliance by each vendor. Document these non-conformities and take corrective actions by remediating the open items. Based on incident logs, check whether the same vendor repeats an incident within another 60 days. If this happens, consider it a red flag and take the matter to your executive management team.
Challenge 2: You lack standardized vendor management processes and policies
Solution: A solid vendor compliance framework includes having the right set of policies and procedures (P&P) on how you should screen new vendors and manage existing vendors. They let you know who will be responsible for reviewing the operational side of your vendors versus the compliance side.
If you do not have P&P for vendors, establish who should be the owner and approvers of these policies. Perhaps the compliance leader can be the owner of these policies. These policies should document procedures to manage various aspects of vendor management, including but not limited to collecting requisitions from departments, due-diligence procedures for shortlisting and onboarding new vendors, managing ongoing vendor performance and compliance, classifying the types of vendors, assessing the risk associated with third-party vendors, and ensuring vendor performance with operational assessments.
Based on the latest incident(s), continue developing new and enhancing existing policies to maintain a solid framework for vendor governance & oversight.
Challenge 3: It is difficult to maintain proper vendor oversight
Solution: Ask yourself whether you should choose a tech-enabled, data-driven audit provider through an integrated compliance platform or manage compliance in-house by adopting the traditional ways. List all the factors you think you should assess before making that decision.
If you are willing to invest in technology, select the right technology partner who can empower you to track the minutest details of crucial vendor documents (such as Licenses, Insurances, Certificates of Authority, etc.) and automate vendor documentation (with alerts for expiring documents). Beyond automated documentation tracking, a collaborative technology partner with a fully managed compliance management system (CMS) can enable you to manage a robust audit calendar (with alerts for pending audit activities) for better visibility into vendor compliance. If possible, use a CMS that can easily integrate with data analytics to provide customized reporting based on the needs of your leadership as well as clients. Collating all vendor data not only helps you understand the trends but also helps you input the right KPIs in the vendor scorecard.
Important message: If you are looking for top-notch vendor compliance, Provana’s automated compliance management system, IPACS, can help you ensure external compliance for vendor compliance and more. IPACS evolves as per the ongoing regulatory guidelines and upcoming notifications of rules, helping you to achieve overall compliance of your vendor network and get the best out of your relationship with them.