Third-party risk management’s foundational principle is that you can outsource the product or service, but you cannot outsource the risk. In other words, it’s your responsibility to ensure that your vendors remain in compliance. So, how exactly can you accomplish this? Before you can take steps to ensure compliance in your vendor relationships, you need to understand the risks of non-compliance.
The Impact of Non-Compliance
When your organization engages an external resource (a vendor or third party) to provide products or services, various risks are inherent in those relationships. Some of those risks are more obvious than others and the range and impact of those risks vary.
Here are 4 risks to be aware of:
- Financial: When a vendor fails to deliver the product or service as intended, there can be multiple financial impacts on your organization. Delays and rework are costly, and low-quality products and services impact the bottom line. Additionally, the expense of losing customers, coupled with the increased cost of new customer acquisition, can also have significant financial consequences. Hard dollar monetary loss resulting from legal fees, litigation awards and regulatory fines can materially impact your organization. Unfortunately, this is more common than most of us realize.
- Operational: These days, most business activities have dependencies on intersecting business processes or workflows. When vendors supporting those essential workstreams fall short, the impacts are likely felt across the organization. Your internal planning, production and delivery processes can all be thrown off or come to a standstill. Furthermore, budgeting and accounting mechanisms have to account for the issue. And then, there are the internal resources that get pulled away from the essential day-to-day processes to troubleshoot or problem solve, further magnifying the disruption. A vendor failure can very likely set off a complicated chain reaction taking a lot of time and resources to resolve.
- Reputational: Your reputation can be impacted by every product or service you market or sell to your customer. It doesn’t matter if a portion of that product or service was provided by a vendor; your organization’s reputation and brand are always on the line. Whether it is an unprofessional call center agent speaking with your customer or a marketing email with misleading or false information placed by a vendor, your reputation could be taking the hit if something goes wrong.
- Legal and Compliance: Just like any other vendor risk, you’re ultimately responsible for vendor actions that lead to infringements of the law. Regulators and law enforcement agencies may levy fines or force your organization to pay restitution to those harmed by the violation. Legal judgments again your organization in court may require large dollar settlements. In the worst-case scenarios, legal orders can prevent your organization from selling a product or service or forbid you to pursue new customers. However, it doesn’t always stop with the organization. In some instances where the organization is guilty of willful negligence, top executives can be personally held responsible or even sentenced to prison.
What to Do to Drive Vendor Compliance
The most reliable way to ensure vendor compliance is to make sure you deal with reputable and experienced organizations from the beginning. These companies understand their industry’s legal, regulatory and ethical concerns and those of their customers. They can also demonstrate their expertise and operational excellence through well-tested and documented controls. Experienced, ethical and reliable companies regard compliance as a fundamental component of doing business.
Consider the following when driving vendor compliance:
- Performing upfront due diligence: Your due diligence process must thoroughly evaluate a vendor’s control environment to determine if it’s consistent and sufficient to support your organization. Compliance isn’t optional or something the vendor can learn as they go. A suitable vendor must demonstrate how their organization operationalizes vital areas such as business continuity, information security and privacy protection. They have to prove adherence to all rules, laws and regulations while also reinforcing compliance through company policies and employee training. Weeding out vendors who aren’t knowledgeable, experienced or potentially problematic through the application of due diligence is your best first step in ensuring vendor compliance.
- Setting the foundation with strong contract management and standards: There is no more essential tool for vendor compliance than your contract. Contracts serve many purposes, with the most important one being the details of the business agreement documented in a legal document and signed by both parties. The contract essentially sets the foundation for compliance by specifying roles and responsibilities, detailed descriptions of the products, delivery mechanism, format, services, fees, pricing and payment terms. Contracts should outline performance levels and service level agreements to be reviewed regularly as part of ongoing monitoring.
High-risk and critical contracts should be written to focus on the risks inherent in the product and services. As a legal agreement, contracts should remove ambiguity around topics such as the vendor’s right to subcontract, use the organization’s or its customer’s data, responsibility to respond to customer complaints and other material issues. Finally, it should include the terms under which either party can exit the agreement. Most importantly, contracts drive compliance as they provide legal and financial remedies if the vendor should breach the agreement
- Ongoing monitoring to ensure vendors are in compliance: Just as the vendor must prove appropriate controls at the beginning of the relationship, they must consistently demonstrate a robust control environment throughout the relationship. Ongoing monitoring is the mechanism to continuously ensure vendor compliance. A regular and systematic review of the vendor’s business continuity, financial health, information security, privacy protection controls and other important areas should be done. Also consider their adherence to all rules, laws and regulations.
Ongoing monitoring also sets the stage for regular performance and business reviews providing regular opportunities to discuss any issues or emerging risks. Vendors are less likely to be non-compliant (by accident or by will) when held accountable regularly. These regular reviews are the perfect opportunity to review the contract.
- Improving vendor communication: Perhaps the most understated tool for ensuring vendor compliance is to communicate with your vendors often. Building a business relationship on trust and mutual accountability can benefit both parties.
In summary, there are several tools and methods to assure vendor compliance. Many of these tools and methods are likely embedded in your third-party risk management framework. As a first step, vetting vendors properly will set the stage for vendor compliance. Additionally, monitoring your vendor’s performance as well as adherence to the contract will reinforce expectations and the legal protections of your contract may be leveraged if issues arise. Finally, regular communication with your vendors lets them know you are vested in a mutually successful relationship.
Having a successful framework for your third-party risk management program is important for vendor compliance. Download the eBook.