Managing Third Party Vendors
Have You Considered the Impact on Your Organization’s Risk Profile?
These days, it’s hard to find a company that doesn’t depend on third-party vendors for at least some aspect of its operations.
The scope of activities has expanded and the process of outsourcing has sped up over the past year, when many companies turned to third-party vendors and other outside parties to alleviate challenges resulting from the COVID-19 pandemic. Whether providing support for new technologies, using contract labor to align resource needs with business demands, or leveraging hybrid insource/outsource models to reduce costs, many of these operational adjustments are likely to remain in place indefinitely, creating a significant change to the company’s risk landscape.
Outsourcing may reduce an organization’s internal workload, but it does not reduce the risk associated with those activities. Third-party and vendor risk is growing in significance in today’s business environment and organizations should incorporate specific vendor risk management considerations into their overall risk management program.
An Expanding Risk
In an overview of eleven key risks that are universally critical to organizations in 2021, the Institute for Internal Auditors (IIA) identified the management of Third Party Risk as one of those top risks, stating:
“For an organization to be successful, it has to maintain healthy and fruitful relationships with its external business partnerships and vendors.”
The IIA report recommended these steps for managing this risk:
- Management should ensure that a comprehensive list of third-party arrangements is maintained and that a risk-based approach is developed and followed to procure and monitor third-party relationships.
- The Board should evaluate internal audit plans to ensure that adequate resources are allocated to third-party risks. Set expectations that management periodically communicates the status of key third-party relationships.
- Chief audit executives should periodically and regularly evaluate management processes related to establishing and monitoring third-party relationships. Consider including engagements to review third-party relationships that are operationally or strategically important to the organization.
Vendor Management
Vendors are a necessity in today’s global economy, but they require regular and ongoing monitoring. Since outsourcing usually reduces the ability to control and mitigate risk, strategic monitoring allows companies to identify issues before they significantly impact their operations.
As they review their risk management practices, internal audit and management teams need to consider incorporating monitoring and other practices into their overall risk management structure.
Vendors present a risk to organizations in multiple ways, but four risk categories stand out in our experience. Based on an understanding of the following four major categories of risk, organizations can align their risk management activities with the specific risks each vendor presents.
A strategic risk negatively impacts overall organizational objectives or makes them unachievable. For example, vendors that have access to proprietary data or are a primary distributor may impact your strategic goals and objectives.
Many times, these vendors are integrated in large strategic initiatives or are a key component of a business or market strategy. For example, an ERP application implementation vendor is highly involved in setting the operational effectiveness and efficiency of the company, whether for good or ill, for many years to come.
“Weaver worked with a client that had planned to implement a new ERP system that was intended to enhance processes and efficiency across the entire organization. The change was promoted to the employees and even publicly as a strategic business change. Ultimately, deadlines were missed, the individuals working on the engagement for the vendor turned over regularly, and the result was a poor implementation that required a significant volume of work after the fact to correct errors and issues and redesign processes.”
A reputational risk arises when a third party delivers poor service to your customers or stakeholders that is inconsistent with your overall standards. For example, a contractor operating under your company’s logo presents a risk to your company’s reputation. Any issues or mistakes by the contractor may lead to customers and partners no longer viewing your company favorably.
These contractors may be specialist service providers that operate in tandem with your personnel. The perception is that these individuals are part of your team and subject to the same training and requirements as your direct team, which is not always the case. Mistakes from these vendors may reflect on your company’s reputation.
A compliance risk means activities performed by the vendor do not comply with legal or regulatory standards. Many times, the compliance risk and any restitutions or notification requirements stay with the operating company even if the functional activity is “outsourced” to a vendor.
For example, if your data warehouse provider is breached and sensitive personal information is leaked, the burden of notification still resides with you, the operating company, and not with the provider.
An operational risk is the inability of vendors to execute their activities, preventing the organization from achieving its goal. This risk may result from technology failure, inadequate financial capacity to fulfill obligations or provide remedies, and fraud or error.
For example, a vendor that provides substantially all of the raw goods for a key process could potentially stop your operations if the vendor suffers a business interruption or suddenly ceases operations.
There are also emerging risks, including cybersecurity, privacy and breach response, data dispersion and vendor concentration.
Vendor Acceptance: Start At the Beginning
Evaluating vendors appropriately and thoroughly at the time they are engaged is one of the most effective vendor risk mitigation activities. However, the vendor acceptance process is often overlooked, shortcut, or just ignored. It shouldn’t be.
At a minimum, these questions should be asked and answered:
- Do we need a new vendor for this?
- What is the vendor’s reputation?
- Is this vendor qualified?
- Can they meet our needs long-term?
- Will they hold or have access to our data and records?
- What issues have we had with similar vendors in the past?
There should be an individual who ‘owns’ the relationship with the vendor and is responsible for reviewing the contract. This is the time to ask questions about how the vendor will be managed, invoices will be reviewed, and service delivery will be evaluated. Ask questions like:
- Who is going to “own” the relationship with the vendor?
- Has the owner successfully managed a vendor of this size and magnitude?
- Does the owner understand the terms of the contract?
- Are they prepared to hold the vendor accountable?
- Do they have the bandwidth to effectively manage a new vendor?
Now that you have selected the vendor, how should your vendor management program be designed? Here are some of the key steps in developing an effective vendor management program:
- Risk Assessment. Start with a risk assessment to understand the themes within your vendor population.
- Classify Vendors. Based on the risk profiles generated from the risk assessment, group vendors in classes that allow you to align management activities with the risk presented to the organization.
- On-board Vendors. Have a process to bring new vendors up to speed on the expectations and any systems they are expected to use.
- Standardize Vendor Contracts. Based on the classification of the vendor, develop standardized contracts or contract language that ensures protections are in place to mitigate against the risks presented by the vendor.
- Define an Evaluation Program. Develop a suite of criteria for vendors to be evaluated against and weight the criteria to align to the items most critical to your business.
- Monitor Vendor Performance. Have a process to solicit feedback based on the defined criteria and understand the vendor’s performance.
- Audit the Vendor. Develop a program of vendor audits that occur within their environment to ensure the expected controls are operating effectively.
- Evaluate Independent Discount Programs. Develop a process for either internal or external resources to independently validate any large discount or rebate programs.
As you develop your program, be aware of some of these pitfalls in vendor management programs:
- not managing contract execution authority;
- not including or exercising the vendor audit clause;
- assuming that because the vendor is large, it has strong controls in place;
- not reassessing vendors on a periodic or continuous basis;
- viewing the Procurement function as the same as the Vendor Management function;
- leaving certain vendors out of the management program because they are “low risk”;
- not budgeting an effective management function;
- leaving out liability limitation and mediation clauses in contracts;
- not defining termination procedures (including how data is destroyed/returned).
By following this process for developing strong vendor management programs to manage third-party vendor risk, organizations will find themselves much less vulnerable to unexpected events that can threaten success.
As your company works to improve its third party vendor management program, contact us for information or assistance. We are here to help.
© 2021