Manage Large Vendors Successfully in Your Third-Party Risk Management Program

Podcast Transcript

Hi, my name is Hilary with Venminder

As you probably know, not all vendors are created equal, and sometimes the larger the vendor is, the more challenging it can be to manage. In this podcast, we'll discuss some of those challenges and offer some practical strategies for overcoming them.

At Venminder, we have a team of certified industry experts who help organizations of all sizes manage third-party risk effectively.

In today's business world, partnering with large, well-known vendors is often necessary for organizations of all sizes. Whether it's a leading cloud services organization, a national bank, or a technology corporation, these large vendors are trusted to deliver high-risk products and services

But size and reputation don’t guarantee seamless transactions.

Just because a company is well-known, it isn't necessarily immune to cyberattacks, financial troubles, or even legal violations. The truth is that it can be difficult to manage large vendors, especially when it comes to gathering information and conducting due diligence, contract negotiations, and monitoring them.

So, let's discuss some of these challenges and present some strategies to help even the smallest organizations vet and manage large vendors. There are many common challenges with managing large vendors: 

• One is that there’s no mutual non-disclosure agreement (NDA). Big corporations typically don't offer mutual non-disclosure agreements beyond limited language in purchase agreements. If a company does include an NDA, it may be one-sided and only restricts your organization from sharing data or disclosing information.
• There are also no contract negotiations. Standard purchasing agreements are typically offered and are often non-negotiable. These agreements may not give your organization important rights like the ability to perform an audit.
• And lastly, there probably won’t be due diligence participation. It can be daunting for large vendors to respond to every due diligence request, given the sheer volume of their customer base. Don't be surprised if they ignore your request to complete vendor risk questionnaires or supply documentation, even if there is significant pressure to do so. However, this doesn’t mean these companies are unaware of or unconcerned about critical aspects such as cybersecurity, privacy, business continuity, or regulatory requirements. Indeed, many of these large vendors have robust controls and procedures in place to safeguard their valued customers. Nonetheless, it can be challenging for customers to fully identify and authenticate these measures.

So, how can you address these challenges?

If a large vendor declines due diligence, contact your sales rep or customer service to ask these questions:

1. First, do they provide standardized due diligence information, policies, certifications, or reports on their website?
2. Second, do they have a completed Consensus Assessments Initiative Questionnaire or Shared Assessments Standardized Information Gathering Questionnaire? These questionnaires address risk domains and could answer some of your most important questions. 
   

If there is a customer website where you can access policies and other relevant information, you may need to request access or get a password.

If you don't get a response, document your efforts and investigate proactively with these three methods:

• First, search the internet or the company website using key terms such as "privacy policy" or "SOC 2 Report." Many large vendors include due diligence documentation and information on their websites.
• Second, research the large vendor online, carefully examining negative news, litigation, or excessive customer complaints.
• And third, obtain a vendor monitoring service report to investigate the company's security posture, reputation, financials, or negative news. Several organizations provide these services, and the data they offer can be quite comprehensive.

When dealing with due diligence challenges, it can be difficult to determine how much information is sufficient. However, it is essential for your organization to ultimately consider the level of risk and decide whether or not to proceed.

Remember that when risk levels are elevated, senior management should approve and accept the risk. 

If you choose to proceed, remember to continuously monitor those large vendors, keeping an eye on their performance and risk profile. If the large vendor is critical or high risk, you should complete a risk reassessment annually.

In conclusion, your organization must prioritize responsible vetting and managing of vendors, regardless of their size or complexity. Be sure to document each step of the process. Regardless of the methods you use to assess the vendor's controls, risk level, or performance, you should be able to demonstrate your decision-making process and defend your decision to use or not use the vendor.

Thanks for tuning in; catch you next time!