From specialized projects to day to day operations, businesses work with vendors to improve aspects of their operations and deliver products and services to customers. In doing so, these third parties gain access to secure systems and sensitive information, which can expose companies and its customers to risk.
While an enterprise-wide approach to vendor management is often desirable, organizations frequently struggle to implement it because several barriers stand in the way of attaining the requisite collaboration across multiple business units and stakeholders. These barriers include:
- Lack of standardized and centralized vendor management processes — often leads to inconsistent vendor management activities
- No formal single point of contact for enterprise vendors — frequently limits company-wide visibility into the overall performance of vendors who work across business units
- No central repository — often creates challenges in storing and retrieving contracts and vendor-related information
- Limited adoption of vendor management policies — potentially increases exposure to risks since vendors may be engaged without executed contracts
As risk from third party access comes under increasing scrutiny from regulators, businesses must evaluate new vendors thoroughly and continue to monitor them throughout the term of service. A robust vendor management program is critical to building a proactive approach to risk management that can give businesses a competitive advantage. It is important to note that a compliant, comprehensive program is significantly more complex than simply utilizing a vendor approval checklist. Below, we outline the key components needed to build an effective and comprehensive vendor management program.
- Designation of a Program Owner. The company needs to designate someone in the organization who “owns” vendor management, including approval of vendors and ensuring compliance with the company’s approved policies and procedures. It is always a best practice to either have a separate vendor management department or a third party using compliance management system be responsible for vendor oversight. Businesses should not have a decentralized approach to engaging vendors where each manager makes individual decisions that are often based solely on relationships and not necessarily on all risk elements to the business or its customers.
- Comprehensive Policies and Procedures. The company should develop written policies and procedures to provide a solid framework for governance of vendors. These policies and procedures also provide the framework for ensuring the company operates in compliance with regulatory requirements. However, not every vendor requires the same level of due diligence. A risk-based approach creates efficiency and better efficacy in the vendor management process by requiring more diligence and effort be devoted to higher-risk vendors than moderate and low-risk vendors.
- Methodology to risk rate vendors. As stated above, the vendor management program should differentiate the diligence and documentation requirements among high, moderate and low-risk vendors. This risk-based approach plays an important role in efficiently allocating risk management resources where the higher risk exists while still maintaining compliant oversight of low risk vendors. While evaluating vendor risk, companies should consider factors like whether a vendor provides mission critical service, has access to NPI data, how frequently are their services used, etc.
- Due Diligence and Auditing. Vendor selection is the most important phase of the vendor management process and companies should strive to learn as much about a potential vendor as possible. There should be questionnaires containing comprehensive questions covering the breadth and depth of the vendor compliance aspects. The vendors should also be regularly monitored and audited using similar sets of questionnaires to ensure compliance throughout the term of service. For high-risk vendors, onsite audits may be required.
- Required Compliance Documentation. Documentation should be provided to support the vendor’s audit responses. In addition, vendors should provide qualifications about their experience, evidence of adequate insurance, licenses, references, and certification of the vendor’s compliance with applicable laws and regulations. In addition to the items listed above, information about a vendor’s security, physical access, network access, software development management, disaster recovery, termination provisions, training programs, and performance benchmarks should also be obtained from each vendor.
Regulators are extremely focused on vendor management and will continue to issue enforcement orders against companies for identified violations. Penalties for non-compliance with vendor management requirements can be substantial. In addition to the financial risks, publication of these enforcement actions can create reputational risk for an organization. These are yet more reasons to make an investment in creating and implementing a robust vendor management program.
Implementing and managing a vendor management program can be reasonably and expeditiously accomplished with end-to-end solutions currently available in the market.