Is Your Vendor Causing Madness?

Problem vendors are a real thing, and in third-party risk management, you’re bound to run into more than a few. When it comes down to it, choosing a vendor is almost like selecting your favorite sports team or the team you expect to win a major tournament. You’re carefully evaluating the stats – their due diligence – seeking input from others – reviewing their reputation – and more. It really is a calculated process. 

March Madness begins soon. If you’re not completely familiar, these are single-elimination men’s and women’s basketball tournaments held by the National Collegiate Athletic Association (NCAA). There are 68 teams to begin, but eventually, you get to the Final Four. These are the top four teams left in the tournament and competing for the number one spot. To make the sporting events even more fun, fans participate in bracket pools in which they predict the teams they think are going to advance after each game.

Dribbling back into vendor management… vendor management can actually be a lot like March Madness. Your team is reviewing a handful or vendors or more, selecting their favorites, watching their performance as they compete for your business and then, ultimately, learning who the winner should be. The winner is the vendor you feel confident about and have chosen to move forward.

Unfortunately, just like sports teams, vendors sometimes have bad seasons where they just don’t seem to be holding up to the high standard they once were. Their game is off. Have you ever experienced this?

Before you let your vendors drive you completely mad, consider an issue management approach. 

This is the process of identifying, managing and tracking issues with vendors and attempting to fix them through a collaborative and centralized process. While we don’t suggest this will magically make everything easy, you may be pleasantly surprised to find a change in response when you switch your tactic from “this is your problem, you need to fix it” to “this is our problem, so how can we fix it.” Really, it’s all about teamwork.

How to Identify Vendor Issues 

While issues big and small tend to arise throughout all stages of the lifecycle, a best practice would be to make a list and manage each issue to resolution. The first step in this process would be to identify the issue at hand.

Some of the most common vendor issues include:

• Security problems
• Poor communication (e.g., not providing notice around key management departures)
• Failure or resistance to provide due diligence
• Failure to meet SLAs (e.g., not reporting a data breach in a timely manner)
• Weakness in the control environment (e.g., poorly implemented or lack of effectiveness)

4 Best Practices for Managing Vendor Madness 

Once you’ve properly identified the issue, you’re better positioned to manage it, so before you resign yourself to the deep end completely, consider the following vendor issue management best practices:

1. Communication is key.

First and foremost, the vendor needs to know when issues arise. If you haven’t yet alerted them of problem areas, start there. Others out there may be thinking… “but I have: I’ve been calling, emailing, texting… what else can I do?!” The solution could be as simple as streamlining your communication methods or adopting a communication stream that allows everyone (lines of business, stakeholders, risk managers) to share, update and check in via one channel. Some vendors truly have bad attitudes while others are simply disorganized. While both can be frustrating, keeping the lines of communication open on your end and asking questions can help you identify roadblocks, and find a workable solution, faster.

2. Document everything.

It’s important to keep detailed records of communications and documentation in one, centralized location. Anything associated with that vendor and the specific issue should be included. Trust us, you’ll thank yourself later! This will be important should you need to escalate the issue at hand.

Throughout the issue management process, you may find you need backup. This is where that communication log you’ve been meticulously keeping is really going to come in handy. Every organization will have a different threshold of when “enough is enough,” but if you have a repeat offender on your hands it may be time to lean on the board and/or senior management to review.

3. Lend a hand.

While we all wish for vendors who are proactive and improvement-driven, from time-to-time (especially in issue management) it’s us who needs to take charge. For vendors who are having trouble meeting expectations, have the vendor owner(s) reach out to ask how your organization may be able to implement compensating controls. Perhaps they need more clarity around expectations or are having issues with your vendor management platform. You may even consider asking for feedback. On occasion we may have blind spots to our own internal inconsistencies that could be negatively affecting our vendors’ performance.

4. When in doubt, back out.

Unfortunately, sometimes our vendor relationships become unworkable — no harm, no foul. It may just mean it’s time to start seeking a new vendor and filling out your “bracket” again with the top contenders that you feel are worth evaluating and have a high likelihood of advancing. Hopefully you have a well-established exit strategy and have vetted your vendor’s exit strategy as well.

Don’t let your vendors shoot constant airballs and cause madness. By getting ahead of vendor issues and taking a team-oriented approach, you may find you’re not only able to protect your personal sanity, but you’re also better positioned to protect your organization and your customers too… and, in the end, that’s what this game is really all about!

Do you know if your vendor management program adequate? Download this eBook to help.