In our final installment of the vendor risk management (VRM) series, we will cover the various stages of the vendor risk management lifecycle and provide some useful tips for each phase to optimize the program and protect the confidentiality and integrity of your organization.
When we think about the vendor risk management lifecycle, the simplest way to visualize the phases is to compare it to a concept we are quite familiar with…building, managing, and ending relationships. Whether they are relationships of a personal or professional nature, our interactions will typically move through the following stages:
- Stage 1 – the discovery phase when we are learning about the other party.
- Stage 2 – the relationship phase when the connection begins to grow and develop.
- Stage 3 – the termination phase when one of the parties no longer wants to continue the partnership (note: this phase may not materialize if both parties are fully invested in keeping the relationship going).
Now that we’ve recapped the stages of the vendor risk management lifecycle, let’s take a deeper dive into the phases that each organization will encounter throughout its vendor risk management process. While procedures can vary across industries and organizations, a solid understanding of the basic framework will enable you to protect your organization from unmitigated vendor risk. As we navigate through each phase, useful tips will be provided to guide you along the journey.
Managing the Vendor Risk Lifecycle
Stage 1 – The Discovery Phase
At the start of the discovery phase, the organization has identified a business need that can be achieved via the procurement of goods or outsourced services. After building the business case and obtaining approval to proceed, the work begins on sourcing and vetting prospective vendors. Key steps during this phase include:
- document evaluation criteria;
- vendor identification, evaluation and selection;
- due diligence and contract management.
Document Evaluation Criteria
Being prepared in advance is key. Prior to initiating discussions with vendors, document your requirements on paper. This includes identifying your key objectives and quantifying evaluation criteria in a vendor assessment checklist. Start off by capturing your preliminary thoughts about:
- the business needs and objectives (the “why”);
- the operational requirements between “must have” vs. “nice to have” (the “what”);
- estimated implementation goals and budget limits (the “how” and “when”);
- the level of importance of each requirement (the “what”).
Using a checklist format would be the most pragmatic and practical. This format will enable you to efficiently track the vendor’s responses during the evaluation process, and quickly make changes to the structure and content as the evaluation progresses.
A sample vendor assessment checklist may look something like this:
Shortlist Your Selection to Two to Three Vendors
To achieve a balance between effectiveness and resource availability, it’s best practice to shortlist two to three vendors for comparative purposes. Even though it seems tempting to compile a massive list of vendors to be assessed (the more, the merrier…right?), the cost of performing a deeper analysis of each vendor is not always justified by the benefit. If you are faced with the challenge of how to reduce your list down to a manageable limit, reach out to existing business partners and associates for further guidance and suggestions.
Unless you are strongly inclined to consider only one specific vendor because the vendor is an industry leader or operates in a market with minimal competition, having several vendors to choose from is beneficial because it:
- provides greater diversity and options for consideration (not putting all your eggs in one basket);
- offers insights on additional features or services which were not identified when the business case was originally designed;
- optimizes your likelihood of obtaining better contractual terms, pricing, and services.
Vendor Evaluation and Selection
Creating a consistent method to evaluate vendors is critical. It will ensure that every vendor is graded in the same manner and that no significant aspects are overlooked. During this step, organizations may vary in their approach – ranging from executing a structured RFI/RFP process to more casual vendor discovery calls. Regardless of the methodology selected, it is important to use the vendor assessment checklist previously created as guidance when discussing your business needs with the prospective vendors.
It will be beneficial to supplement the vendor responses with a demo of the software, a request for interim access to a sandbox environment to assess the functionality, or a review of pertinent artifacts to confirm the vendor’s adherence to financial, regulatory, or compliance requirements. For service-based offerings, an organization should also consider asking for references to validate the quality of the vendor’s services.
Due Diligence and Contract Management
After the vendor selection has been made, the final step is to complete the due diligence reviews and solidify the arrangements in a contract.
Depending on the nature of the services to be provided, the organization should review these foundational documents as part of their due diligence (as applicable and relevant):
- Company information – legal name, head office address, ownership structure, tax numbers, business license, incorporation documentation;
- Ratings – Dun & Bradstreet report, credit report, BBB check;
- Government checks – OFAC/PEP checks, security clearances;
- Financial and security checks – financial reports, SOC report, trust center artifacts, certificate of insurance.
Having a good handle on your contracts will save time and money. Well defined and executed contracts are the best protection against unexpected headaches and problems in the future. You should ideally have a set of standard vendor templates which will help streamline negotiations and set expectations to protect your organization from various aspects of vendor risk.
Start with either your own or the vendor’s templates to initiate negotiations. At a minimum, the standard set of agreements should include the following:
- Service Level Agreement – defines the terms and conditions, including scope of work or goods to be provided, timing of services, payment terms, responsibilities, renewal and termination, indemnification, right to audit, and enforcement clauses;
- Mutual Non-Disclosure / Confidentiality Agreement – a binding contract between two or more parties that prevents sensitive corporate information from being shared with unauthorized parties;
- Acceptable Use / Security Addendum – outlines the rules and obligations of the vendor to protect the organization from inappropriate use of assets, requires safeguards to reduce the risk of cyber-attacks, and holds the vendor accountable for maintaining compliance with regulations and standards.
There are plenty of examples available online that an organization can leverage to design its own. Depending on the nature of your business and the industry in which the organization operates, it would be prudent in some cases to engage external legal counsel and technical expertise to design clauses that are regulatory or compliance in nature. With evolving cybersecurity and privacy mandates, online templates may be insufficient or not updated to reflect compliance with current laws and regulations. After the contracts are successfully signed by the parties, it’s equally important to keep the contracts organized and centralized in a contract repository. This will support subsequent administrative tasks such as contract tracking, reviews, renewals, and updates.
Stage 2 – The Relationship Phase
Once the vendor starts providing goods or services, ongoing monitoring of vendor performance is extremely important. It’s essential to remain vigilant of any new risks which may surface over time, and keep a close watch on vendors to ensure they are performing as expected. Ongoing activities would include implementing protocols to:
- monitor vendor service and performance delivery (SLA tracking);
- validate vendor ongoing compliance with regulatory or cybersecurity obligations, including changes to these obligations (periodic assessments);
- address any service, regulatory, or cybersecurity gaps in a timely manner (SLA remediation).
You want to position the organization to be well informed and able to react quickly in the event of supply chain disruptions or new vendor risk exposures, especially if changes with the vendors will negatively impact the SLA deliverables and your organization’s regulatory or cybersecurity obligations.
To accomplish a repeatable and scalable cadence for continuous monitoring activities, we suggest the following best practices:
Stage 3 – The Termination Phase
There comes a time when either the organization, the vendor, or both parties are ready to end the business relationship. This scenario may arise due to various factors, including vendor performance history, price considerations, or the organization outgrowing the services provided by the vendor. Depending on the role of the particular vendor in your supply chain, the offboarding may be pretty straightforward with minimal business disruptions. For business-critical vendors with greater complexity, the organization should deploy its exit strategy to ensure the relationship is terminated in accordance with contractual terms and conditions.
A vendor termination checklist may include the following workflows:
Accountability – Whom to Involve Internally
Finally, in order to mobilize these useful tips into action, we cannot ignore the topic of accountability and who internally will take the lead on the various activities. Depending on the size of your organization, the tasks may require support from multiple departments.
As a reference point, key stakeholders generally include the following teams:
- Asset owner – beneficiary teams and users of the solution;
- Finance – sourcing and procurement;
- Legal – contract negotiations;
- Information Security, Compliance, Privacy – matters related to cybersecurity, compliance, privacy, and data governance;
- IT and Operations – provide support to implement, manage, and deactivate the services.
The Vendor Risk Management Lifecycle
In our three-part series on vendor risk management (VRM), we’ve explored the pillars of vendor risk management, identified types of risks introduced by vendors and the importance of managing these risks, addressed the various stages of the VRM lifecycle, and provided useful tips and checklists to effectively manage your vendors and related risks.
Managing vendors can be performed either manually or by leveraging technological advancements, such as using a GRC or VRM solution, to streamline workflows and enhance operational efficiencies.
We encourage you to discover how you can transform your VRM lifecycle into a program that enables smarter vendor risk management decisions built on meaningful risk-intelligent analyses and proven results.
Optimize your potential to execute informed actions…faster, better, and smarter.