Vendor Oversight Is All About Risk Management

For decades, organizations have been evaluating, selecting, contracting, partnering, and un-partnering with third-party vendors as a normal course of business. Managing the risks that come with these vendor relationships requires constant vendor oversight throughout the engagement.  

Most risk professionals are familiar with the basic risk management process – identify, assess, mitigate, and monitor. Apply those same principles to vendor relationships and you have a good start to a vendor risk oversight program, also known as a vendor risk management (VRM) program. Vendor risks require proper identification and oversight to ensure vendor relationships remain safe and sound. 

In this blog, we’ll walk through several key activities for vendor oversight management, including risk identification, due diligence, contracting, and ongoing monitoring.  

Identifying Risks for Proper Vendor Oversight 

Like any other business activity, there are always risks to consider when outsourcing products and services to third-party vendors. Vendor risks include: 

• Operational – The vendor would have a negative impact on your organization if its internal processes, people, controls, or systems failed or were ineffective.  
• Strategic – The vendor’s decisions and actions are incompatible with your organization’s strategic objectives. 
• Financial – This relates to the vendor’s financial condition and its inability to meet contractual obligations to provide products and services to your organization.  
• Compliance and regulatory – The vendor doesn’t follow your internal policies or fails to comply with laws and regulations that govern your products and services.  
• Information security – This encompasses both cyber and physical security risk. This risk occurs when the vendor fails to protect your information because of missing or ineffective controls. 
• Business continuity – An outside event like a natural disaster or cybersecurity incident could prevent a vendor from conducting business and servicing your organization.  
• Reputation – Your organization’s reputation, brand, or name can be damaged by a vendor’s actions such as poor service, outages, data breaches, or lawsuits. 
• Concentration – One vendor provides many of your critical or high-risk products or services. Concentration risk can also occur with a single point of failure (SPOF) vendor, in which there’s no alternatives in the market, or when many of your critical and high-risk vendors are in the same geographic area.  

Your vendor may also present other types of risks, like geopolitical or environmental, social, and governance (ESG) risks. An inherent risk assessment can help organizations identify the types and amounts of risks present in the vendor’s product or services. This will also help determine if the third-party vendor is critical to your operations. Identifying both the risk and criticality of product or service and relationship prepares your organization for both risk-based due diligence and the future oversight of the relationship. 

Due Diligence in the Vendor Oversight Process 

Due diligence is the process of thoroughly vetting your third-party vendor before entering into a business relationship and is part of effective vendor oversight. Due diligence involves the collection of information and documentation detailing the vendor’s risk management practices. It also requires a review conducted by a subject matter expert (SME) to validate the effectiveness of the vendor’s controls.  

At a minimum, a review of basic information, such as tax ID, an OFAC check, and financial health, is necessary. Because due diligence is a risk-based process, you may also need to collect and review SOC reports, information security policies, business continuity and disaster recovery plans, and more for critical vendors and those with elevated risk. It's also important to evaluate the vendor relationship in a broader context. You may be familiar with the value of the product or service but think about the wider implications of partnering with this vendor.   

Here are some questions to consider during vendor due diligence: 

• Is this vendor a new entity in the business/industry/service area? 
• Does the vendor provide a specialized product or service that’s unavailable elsewhere in the market?
• What are the impacts to your business and customers if the vendor is not able to deliver as promised? 
• What is the ownership structure of the business, and are they reputable?  

If your resources are limited and you are unable to perform proper due diligence and risk mitigation, you may want to consider the help of experienced professionals to guide you through or perform components of these processes. A professional vendor risk management platform will have the tools and experience to work through these processes, such as collecting and reviewing vendor documentation. This approach ensures essential activities are taking place and that your internal resources and bandwidth are allocated effectively.  

Negotiating the Vendor Contract 

The contract with the vendor is a key risk mitigation and vendor oversight tool. Before a contract is signed it should be thoroughly reviewed to make sure contractual provisions are included to help your organization manage risk throughout the vendor engagement. 

At a minimum, your critical and high-risk vendor contract agreements should include: 

• Service level agreements for performance 
• Defined term and end-of-term responsibilities 
• Ownership and access to your data and information 
• Confidentiality, privacy, and data security 
• Disaster recovery and business continuity 
• Deconversion terms, requirements, and costs 
• Implementation milestones 
• Early termination conditions, costs, and responsibilities 
• Data breach notification requirements 
• The right to audit and review 

Vendor Oversight and Monitoring

Once your new vendor is fully onboarded, you’ll want to continue with ongoing oversight and monitoring to make sure that the terms of your contract are met, and the product or service continues to meet your needs. Build your ongoing oversight strategy from the inherent risk assessment and due diligence done prior to the execution of the agreement. Ongoing activities such as risk re-assessments, periodic due diligence, and risk and performance monitoring should align with the vendor’s level of risk. Critical and high-risk vendors will receive the most scrutiny and oversight so any issues or significant changes can be immediately identified and addressed.  

Make sure there's a designated vendor owner assigned to the vendor relationship. The vendor owner will be responsible for identifying new and emerging risks, monitoring risk and performance, documenting any issues, holding regular meetings with the vendor, and regularly reporting to senior management. These activities should continue throughout the duration of the contract term. And remember to be mindful of the contract renewal period so you’re not rushing into poor terms or unexpected price increases. Plan to evaluate your vendor relationship well ahead of expiration so that you leave time to negotiate new terms or carry out your exit strategy, if necessary. 

Vendor oversight will remain a crucial component for every vendor risk management program, especially as organizations continue to rely on vendors for critical business functions. Identifying and managing vendor risks will support your overall risk management strategy and help develop safer vendor relationships.