Vendor risk is one of the key problem areas of enterprise risk management. Among other things, outsourcing critical processes and systems containing confidential information makes the challenge of managing vendor risk and compliance even more difficult. According to Director of Cyber IT Risk Services Bryan Allison, businesses should focus on four key areas in order to protect themselves, their employees, the customers that are the core to their existence, and even the vendor. Read more about efficiently and effectively managing risks in vendor relationships in Bryan’s HORNE Cyber blog below.
In this busy, ever-changing business world, management has so many things to worry about that some key business responsibilities often get overlooked. One key area that is front and center on a daily basis, but is often ignored by businesses of all sizes, is the topic of vendor management. It’s hard to identify a business that doesn’t have some form of relationship with vendors. A vendor could be as simple as the person who brings the daily coffee or as complex as the offsite company that manages the servers on which key patient and financial data resides. Though the coffee guy may not have access to any information while on site that could harm the business, vendors that have access to key business data could see their names in the headlines if proper security protocols aren’t followed.
When managing their relationships with vendors, businesses should focus on the following four key areas in order to protect themselves, their employees, the customers that are the core to their existence, and even the vendor.
No. 1: Contract Development
When a business has chosen to enter into a contract with a new vendor that will provide a service, corporate lawyers are often brought in to lay out the specifications and requirements that must be followed by both parties involved. Often the contracts will detail the scope of services and product specifications, roles and responsibilities, compliance requirements, and service levels. It is imperative for lawyers or compliance personnel within a business to be familiar with current and on-the-horizon regulations that could impact the business and its relationship with their vendors.
With the government and regulatory agencies regularly adding new laws and regulations (e.g., HIPAA, FFIEC), this can be a daunting task. Through its resources, a business should identify if new laws/regulations could affect how they conduct business with their vendors. If changes are identified that could lead to a change in expectation for the vendor, business management should make an effort to revise the wording of contracts to spell out the changes and new contractual obligations for both parties. If changes are made to contracts, both parties should be required to discuss the changes to ensure understanding and agreement before the revised contract is signed.
No. 2: Vendor Risk Assessment
Businesses handle a variety of vendor relationships, some more complicated than others. Designated personnel should make an effort at least annually to review the vendors with whom they do business. This review should help identify vendors that may be considered high risk. High-risk vendors may include those that handle sensitive documents/data (both physical and electronic), have physical access to key business locations, manage or monitor the security of key company applications, or analyze financial or customer data.
For those vendors identified as high risk, business management should look at the function performed by the vendor and determine whether proper controls are in place around that function and whether they are being followed by both parties. Examples of such controls include: application users are required to use unique user IDs and passwords to access applications where company data resides; if data must be sent electronically from the business to the vendor, both parties are required to use secure transmission protocols; and sensitive company data is prohibited from being emailed from the business to the vendor unless email encryption is in place on the mail server.
Designated compliance personnel within the business or an outside party should review the controls in place for each vendor and test that they are operating effectively. Because of the size of some vendors (e.g., Microsoft, Google) and the multitude of requests to discuss the controls in place for the service function provided by the vendor, businesses should be aware that they may be provided an SSAE 16 report from the vendor. An SSAE 16 report details the controls that the vendor has in place around the designated function that the business uses.
A business should obtain the SSAE 16 report for each identified vendor on an annual basis and review/test the controls identified in the ‘User Control Considerations’ section of the report to ensure those controls are in place and being followed by its personnel. Upon finishing the test and review of the controls in place, business management is able to gauge whether any gaps/issues need to be addressed in its own controls or potentially in the controls performed by the vendor.
No. 3: Vendor Financial Stability
When entering into a contract with a vendor, a business wants to perform its due diligence and make sure that the vendor is financially stable. Though this process likely occurs at the inception of a contract, the process of reviewing the vendor’s financial stability shouldn’t be a one-time affair. No business wants to enter into a contract with a financially struggling vendor and then have its service or product no longer offered or supported as a result of bankruptcy.
Business management should make an effort each year to request the relevant financial documentation from each contracted vendor. A thorough financial analysis should be performed for each contracted vendor and the analysis reviewed by responsible business management or a trusted and unbiased third-party group/advisor. If the financial analysis indicates that the vendor is not financially stable or is on a downward trajectory, business management may consider looking at alternative vendors to provide a key service or renegotiating the vendor contract to allow for better protection in the event the vendor were to fail.
No. 4: Compliance with Contract Terms
Vendor contracts are only worthwhile if they are read by the contracting business and the vendor is held to the contract terms. A business expects a vendor to respond to an issue or provide support within an allotted period of time, but how many businesses actually review the response time and the quality of support provided by the vendor? If a vendor’s application is required to have certain security built in, how many of the contracted businesses using the application actually review the security parameters to ensure they are properly set up and operating as required?
These questions may seem basic, but businesses should perform an analysis of the vendor contract terms at least annually to determine if they are being properly met. If the contract terms are not being met by the vendor, business management can use this as support for ending a contract or for renegotiating the price or terms of the vendor contract. Just remember, a business is paying the vendor quite a bit of money for a product or service and the vendor should be making every effort to exceed the contract terms and keep the business happy.
Just like any relationship, it takes two to tango. Businesses and vendors mutually benefit when they work together and look to exceed each other’s expectations. Vendor management is a process that a business should continue to focus on in order to protect itself and to ensure continued high levels of service from its vendors.