In most industries, we look to vendors as trusted partners for many aspects of our supply chain. From your landscaping company to an organization entrusted with highly sensitive, confidential and/or regulated data or system components, it is important to always have full insight regarding your business partners.
As noted in the 2021 Prevalent Third-Party Risk Management Study, and compounded by the growing number of recent third-party data breaches, third-party service provider (TSP) risk management has become a mandatory part of any organization’s risk management framework. Yet only 40% of respondents to that survey said their Third-Party Risk Management (TPRM) programs are expanding in response to these concerns. This level of risk management is gaining increased visibility and is a common topic among executives and Boards of Directors.
With the tremendous need to ensure that introducing new TSPs does not introduce unnecessary and unknown risks, FoxPointe Solutions is providing the following three-part series to help organizations build or mature their required TSP risk management practices through the entire lifecycle, from inception until off-boarding.
Third Party Vendor Onboarding
Vendor onboarding is the first step in a third party risk management program and starts with collecting the information needed to approve the selection of a given supplier. A strong onboarding process gives you insight into many risks upfront and lets you avoid them, while also increasing efficiency and reducing the time needed to approve and activate new vendors.
Selecting a new TSP, or continuing to use the services of an existing third party service provider, depends not only on the service or product you are looking to obtain, but also on past performance and on the assurances a TSP can give you in areas such as meeting past service level agreements/contracts, existing and ongoing technical expertise, control effectiveness, operating efficacy, and financial condition, to name a few. Including the following steps in your third party risk management program will help ensure that your organization is off to a strong start:
Create a Documented Program: Establishing policies and procedures that govern the vendor management program is critical, including needed evaluations, checklists, registrations, due diligence, approvals, etc. This will help streamline your process, reduce confusion, and increase consistency, avoiding concerns later.
Buy-In: Obtaining buy-in from top executives and/or the Board from the beginning will help ensure that your efforts are not wasted and that the rest of the organization will be more easily introduced to the new relationship within the business processes.
Key Players: Communication is key. It is best to have someone who can verify each item on your checklist and ensure that all steps were covered. After onboarding, each vendor should have a designated owner/manager, and many organizations appoint a vendor management director to ensure the program is centrally managed.
Set Expectations: While each vendor will vary, your organization will have common requirements or areas you will want to review as part of the evaluation. These include financials, regulatory compliance, track records, service levels, payment/cost, training, cybersecurity, and other specific terms, conditions, and requirements. Communicate with the TSP by having a set list of must-haves and like-to-haves that you are looking for as you go through the selection process.
Invest: Outsourcing can help you gain expertise and efficiency. In order to do the same when you manage such relationships, you may want to invest in personnel and technology to drive the program.
Third Party Vendor Contracts
Once you have completed your review or search and have decided to engage a new vendor or continue an existing vendor relationship, a contract or service agreement needs to be established. This will govern the relationship between the two parties and the supplies or services being exchanged for payment. While no two contracts will be the same across vendors or industries, each should be reviewed and negotiated until the conditions and details are acceptable and agreed to by both parties, and each should include some basic elements that can be measured.
(Please note that this is not an all-encompassing list and is provided as general information. Each specific contract should be reviewed by each organization to meet its specific needs and requirements.)
Scope: One of the most important things in the document will be the scope of the services or the product(s) being supplied and the conditions and controls for delivery. Whether you are being delivered goods as part of your supply chain or depending on a service provider to keep your hosted systems up and running, you will want to be sure that the scope and related requirements are clear and detailed.
Standards: Contracts need to include performance and service level standards. For example, contracts should define events that constitute contractual default or the inability to meet provisions, such as measured service level agreements or business continuity/return to operation requirements. A list of your acceptable remedies and opportunities for curing a default should be considered in addition to any possible claw-back (return of funds for non-performance) clauses.
Third party vendor contracts will include price and how payments will be arranged, but you should make sure that they likewise have the needed detail regarding how you may terminate a contract, when the contract is considered complete, the circumstances under which a contract may be voided, and any agreed-to penalties for early contract termination.
Additionally, documentation is king! When reviewing a proposed contract, or reviewing an existing TSP agreement, you should consider, among other things, the documented areas surrounding how the TSP will maintain the needed security, privacy, and compliance controls based on what your requirements are. On top of that, your ability to confirm the TSP’s regulatory compliance, obtain audit results, or perform your own audit may be mandatory depending on the data security and privacy regulations that affect your business. We will be sharing additional stipulations that you may want to include in the contract terms in Part 3 of our series.
Now that you have selected a vendor and want to establish a new partnership (or continue a current one), what’s next? Outsourcing a function of the business does not mean that you have outsourced the risk or the responsibility for security and privacy. Make sure you are reducing risk and protecting your organization with basic vendor management protocols by reading our upcoming Part 2 “Basics of Third-Party Risk Assessments and Risk Rankings” and Part 3 “Ongoing Vendor Monitoring” for more information.
Don’t have the resources internally to perform the needed vendor management processes? For more information on where we may help establish, augment, or manage vendor processes, please contact Jill Martucci at firstname.lastname@example.org.