Best Practices in Managing Vendor Risk

In today’s interconnected business environment, knowing your business partners and vendors is critical to maintaining the trust and confidence of your customers and stakeholders. Globalization has created a dependency on critical activities outsourced to an increasing number of partners and vendors. Having this dependency on third parties increases your company’s vendor-related risk.

Reliance on third parties is substantial and continues to gain momentum; therefore, vendor management has increasingly become an important organizational discipline and practice in maturing enterprise-wide resiliency. Outsourcing has its benefits, such as heightened efficiency and the ability to focus on core business objectives. However, if vendors lack strong safeguards, controls, and restrictions, the organization could be exposed to operational, regulatory, financial, or reputational risk.

A good vendor risk management strategy should include:

  • Strong contract management, ideally with an integrated system by which contracts are stored and managed with clearly outlined service level agreements defining the business relationships between the organization and the third party
  • Ongoing vendor reviews to ensure vendors meet all regulatory compliance within the industry and have a scalable system in place that can monitor this compliance at an appropriate cadence
  • Clear guidelines pertaining to access and control of sensitive information as per the vendor agreement
  • Performance metrics that are periodically monitored and analyzed to ensure the quality of service is meeting contractual agreements
  • Vendor profiles that are kept up to date on a regular basis
  • Annual vendor risk assessments on all mission-essential vendors
  • Vendor testing, communication, and crisis management plans as necessary

In addition, identifying a vendor relationship manager on the business side who acts as a liaison between the vendor, the business, and the risk management team is also a recommended best practice, but isn’t always feasible. This person typically owns the vendor relationship in terms of services they provide and their ongoing performance and compliance. The relationship manager is in charge of reporting issues when the vendor fails or underperforms and is responsible for working with the vendor to complete any outstanding assessments or attestation to company policy, code of conduct, etc.

No matter the industry, it is becoming more and more important to effectively manage and monitor the risk exposures resulting from third-party suppliers. Making sure you have the data needed to do so is key to successful vendor management. The Fusion Framework System provides a centralized repository of all vendors and suppliers in one secure system, giving you all of the information you need in one place.

3 Phases of a Robust Vendor Risk Management Program

Making Vendor Risk Management a Reality

Where does vendor risk management fit into your program? The answer: everywhere.

This is not an overstatement. As a professional, the scope of your role is continuously evolving. In addition to satisfying compliance and audit requirements and addressing general risk, your program incorporates dynamic plans to address your facilities and workplaces, safety and security, your supply chain, the workforce, and all the technology that keeps your business running. It is likely that many (if not all) of these areas rely upon external vendors in whole or in part. Vendor risk management is therefore not a standalone activity that can be addressed in isolation, but a holistic concern that affects your entire organization.

The degree to which organizations can be impacted by a vendor failure has been more than demonstrated in recent news headlines. For example, in February 2018, over 600 Kentucky Fried Chicken (KFC) stores in the United Kingdom closed for most of the week because of issues with the logistics firm DHL. With no chicken to serve customers, KFC lost sales in excess of £1M per day. And in May 2018, the auto parts supplier Meridian Magnesium had a fire. As they were a sole source supplier for Ford Motor Company, production of F-150 trucks came to a halt, thousands of workers were laid off, and $60M per day in revenue was lost until production could be restarted.

To avoid seeing your company’s name in the headlines because of a vendor failure, it is important to have a firm grasp on the breadth and depth of vendor risk management. You can then be confident that you are delivering maximum value for your enterprise and your customers.