Vendor reputation risk has changed a lot over the last 10 years, largely because of the internet and social media, where terms like “trending” and “viral” have taken on a whole new meaning. When attempting to manage vendor reputation risk, we must acknowledge how vast and immediate its reach really is. A seemingly small issue can quickly turn into a major controversy if it becomes associated with the wrong hashtag.
Traditionally, vendor reputation risks have been centered around two primary factors: the vendor’s access to sensitive data or its interaction with your customers. However, the vendor’s products or services aren’t the only things that can pose reputation risk; it can simply be your association with them. In this blog, we’ll review three common areas of reputation risk and provide some best practices on how to manage them.
3 Common Areas of Reputation Risk
- Quality Standards: If your vendor is providing products or services on behalf of your organization, it’s critical that they adhere to your quality standards which should be clearly defined in your service level agreement (SLA). It’s important to remember that your customers won’t differentiate between your organization and your vendor. Any gaps in service or low-quality products provided by your vendor can therefore negatively impact your own reputation.
Here are a few questions to ask when assessing vendor quality:
- Does the vendor interact with your customers?
- Does the vendor have a policy in place to report any defects with their products or services?
- Are service expectations clearly defined in the contract through trackable and reportable SLAs?
- Does the vendor have an incident response plan in place that meets your standards?
- Has the vendor been subject to any regulatory or legal scrutiny?
- Cybersecurity Standards: New data breaches are reported almost daily, and many of them originate with third parties. Organizations not only need to protect their own environment against data breaches, but also need to manage the risk introduced by their third-party vendors.
Consider the following questions:
- Does the vendor have access to any sensitive data?
- Has the vendor ever suffered a data breach in the past? If so, what was included in the notification and remediation process?
- What policies and programs does the vendor have to protect our data?
- What kind of security testing (for example, vulnerability scanning or penetration testing) is performed, how often, and how are the findings remediated?
- Are breach notification requirements clearly defined in the contract?
- Does the vendor have adequate logging and monitoring in place to detect unauthorized access or malicious activity?
- Ethical Standards: Beyond the traditional concerns, such as data breaches or public affiliation with discredited organizations, social, political and environmental issues have recently been making headlines. Corporate social responsibility (CSR) and environmental, social and governance (ESG) concerns have increasingly become part of the third-party risk management conversation, as consumers look for a response to issues like modern slavery and climate change.
Here are just a few sample questions that can help you determine if your vendor’s ethics can put you at risk:
- Has the vendor established a formal ESG policy?
- Does the vendor operate in an industry with elevated exposure to modern slavery or climate-related concerns, such as manufacturing, consumer goods or energy?
- Does the vendor have any prior history of violating environmental or labor regulations?
- Has the vendor been associated with any negative news or questionable practices in the past?
Managing Vendor Reputation Risk
While vendors can bring a lot of value to an organization’s business strategy, they can also bring a lot of risk. To protect your organization’s reputation from your vendor’s actions or products and services, it’s important to properly manage and mitigate these risks.
Keep these practices in mind:
- Do thorough due diligence: Prevention is key when managing any type of risk, so it’s important to be thorough when performing due diligence. Make sure to identify any potential risks that can harm your reputation and analyze any trends that may be affecting your vendor.
- Perform ongoing monitoring: Monitoring your vendors on a continual basis is critical to identify and address any issues before they become larger problems. Consider setting up a simple Google News alert to stay informed of your vendor’s activities and the public’s opinion of them. If there are any service level commitments made, be sure there are processes in place to validate those expectations are being met.
- Establish a response strategy: In today’s digital environment, negative news can move like wildfire. It doesn’t take long before the public has formed an opinion, so you’ll need to establish an appropriate response strategy that quickly addresses an event that involves your vendor.
While vendor reputation risk is certainly important, remember that it is only one type of risk. Your organization should actively manage all areas of vendor risk, most of which can ultimately lead back to your reputation. Reputation risk also overlaps with many other risk categories, such as cyber, regulatory and operational risk. For this reason, vendor reputation risk can be difficult to measure and assess, but a comprehensive strategy built on planning, monitoring and responding can set you up for success.