Tips for third-party vendor management
As a component of enterprise risk management, companies should adopt formal vendor-management policies that outline procedures for:
- Identifying and ranking vendors
- Selecting vendors
- Assessing vendor risks
- Performing due diligence
- Ensuring appropriate language and requirements are included in vendor contracts
Vendor management challenges and solutions
1. Lack of accountability with outsourcing
Problem: Companies often outsource vendor management, especially when they have limited internal resources. But outsourcing can result in a lack of accountability: Who is responsible for maintaining security and regulatory compliance? And if there is a security breach, who will be held accountable?
Solution: Open communication. Take a balanced approach in which the company’s team and vendors share responsibility and maintain open lines of communication to prevent confusion and promptly address problems that arise.
2. Inadequate documentation of the vendor partnership
Problem: When companies fail to properly document their vendor relationships — when there’s no integrated system of documenting and archiving such information — that information can be lost when key personnel leave the company.
Solution: Use software to create an online system for accurate documentation of vendors that tracks any changes in vendor operations, financial health, business practices and regulatory compliance to ensure they meet evolving standards.
3. Failure to conduct vendor reviews
Problem: Inadequate vendor reviews invite negative consequences and can lead to underperforming controls and a poor understanding of issues with third-party vendors.
Solution: Perform routine vendor reviews based on an established framework for the review process and document archival.
4. Insufficient communication with vendors
Problem: Companies outsource responsibility to third parties without establishing communication channels and reporting mechanisms.
Solution: Create a vendor-management team that includes a management-level member, IT and compliance personnel and other staff who directly interact with vendors. A designated team that oversees vendor management and maintains communication channels allows personnel to hold one another accountable and collaborate to resolve problems.
“Finding the right group is important,” Perry said. “Don’t rely on just one person to do all of it; it’s always better when you have a team.”
5. Unclear scope of services
Problem: When leadership or the vendor-management team doesn’t have a clear understanding of a vendor’s responsibilities, essential tasks might not be completed and preventable risks might be overlooked.
Solution: Align the vendor’s role and responsibilities with your company’s values, strategic goals and compliance requirements. Clearly define and document the services the vendor provides.
Each company or organization will have a vendor-management system designed to meet its specific goals and objectives, but it is essential that any such system defines the vendor’s scope of work, documents transactions and provides for regular reviews.