Third Party Vendor Management: What You Need to Know

When you’re doing business with third parties, you may be exposing your organization to financial, operational, and reputational risks. While third-party suppliers may be necessary to run your business efficiently, you need to take proactive steps to mitigate risks. This is where vendor management and assessment programs come in.

What is Vendor Management?

Vendor management is more than just doing the due diligence to select the right third-party suppliers and vendors for your business. Besides selecting vendors and negotiating contracts, appropriate management includes cost control, reducing security risk, and ensuring service delivery.

Vendor management can span a variety of industries, from cloud services and IT to marketing companies and outside consultants. Any outside party you contract with to do business with your company, other than your own employees, can be considered a vendor.

Why is Vendor Management Important?

A formal vendor management process is important when it comes to selecting the right vendor for your organizational needs.

Without controls, vendor costs can quickly grow. You may get locked into long-term contracts that outlive their usefulness. Vendors may not deliver what they promise. You may not have a mechanism to assess vendor performance or deal with vendor exception handling. These are just a few things that can happen.

A robust vendor management program will include:
  • Vendor selection and termination guideline development
  • Vendor risk assessment and compliance
  • Contract negotiation strategies
  • Vendor onboarding
  • Establishing communication protocols
  • Vendor performance assessment
  • Monitoring risk
  • Vendor exception handling

The right vendor management strategy will keep all vendor information and activities on one platform to make it easy to manage your entire process. A centralized view can help ensure you are getting full value from your vendors.

Vendor Selection and Termination Guidelines

The first step in any vendor assessment should be to define and analyze your business requirements. When selecting a third-party service, you need to articulate the technical and business requirements and identify use cases.

This information will be used to craft your RFP for third-party vendors that are under consideration.

For example, you will want to know if a vendor:
  • Meets your current security requirements
  • Has a current SOC report
  • Has experience with similar projects in your industry
  • Is listed on the Gartner Magic Quadrant report

You should develop company-wide guidelines that govern all service agreements to ensure consistency wherever possible. These can help you navigate contract negotiations as you set standards for what is acceptable and under what terms you can terminate agreements.

For example, you will want to examine items such as:
  • What remedies do you have if a company fails to deliver what it promises?
  • Can you terminate an agreement at any time (convenience) or are you locked in for a set term?
  • What notices, delays, or penalties are involved in termination?
  • What clauses survive after termination?

Vendor Risk Assessment and Compliance

Besides evaluating a vendor’s benefits, it is also important to do a risk assessment. It’s crucial to identify the risks and hazards associated with the third party’s products — especially if they are handling critical business functions, accessing sensitive data, or interacting with your customers.

When you are contracting with a third party, you give them access to your data and, in many cases, your network. You need to make sure they comply with the safety and security protocols you require to safeguard your data.

Any risk assessment should ensure providers can meet your compliance obligations. While you may (and should) have your own guidelines on what vendors need to do to comply with your business practices, you also need to make sure they can meet industry and government requirements. The list of attestations, programs, and regulations can be long, especially for publicly traded companies, including:

  • SOC 1
  • SOC 2
  • SOC 3
  • FedRAMP
  • GLBA
  • GDPR

As more states pass privacy and data handling laws, this list will continue to grow. Note that SOC 1, 2, and 3 are attestation reports rather than regulations, so a current report tells you what a vendor's auditor examined, not by itself that the vendor meets every law that applies to you. You need to ensure compliance from third-party suppliers through a risk assessment, ongoing monitoring, and audits as part of your Governance, Risk, and Compliance (GRC) program.

Contract Term Negotiation Strategies

What you learn as part of your evaluation of third-party vendors, including risk analysis and compliance assessment, will help guide you in your contract term negotiation strategies.

Key items to evaluate in defining a contract include:
  • Handling of proprietary and confidential information, including ownership of materials, work products, and attendant rights
  • Pricing and payment terms
  • Changes in scope or deliverables, including built-in approval processes and authority
  • Remedies for non-compliance, including terms and rights for termination
  • Disclaimers and indemnifications, including liability, liability caps, and aggregate losses

These are just a few of the many terms you will need to define, including audit rights, exception handling, and communication protocols.

Vendor Onboarding

Your vendor management strategy should also include the onboarding process. This includes gathering the necessary documents to set a vendor up in your accounting system as an approved supplier. It also includes any other contract, licensing, or payment information that is required to fulfill the agreement.

Establishing Communication Protocols

A critical, but often overlooked, area is establishing communication protocols. Protocols apply in two distinct ways: communication with your networks and systems, and communication with your vendors.

Your IT communication protocols determine how the third-party vendor will interact with your data and network. They govern what connections can be made, from where and how the connections are made, what access rights are granted, and for how long (vendor access should end when the agreement does).
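To make the "what connections, how, and with what rights" questions concrete, here is an added example (not code from the original article or its author) of a small policy check that an access gateway or log-review script could run for each vendor connection attempt. The policy fields, the vendor name "acme-payroll", the host "payroll-db.internal", and the IP ranges are all constructed assumptions for illustration, not a standard or real infrastructure.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VendorPolicy:
    """What the agreement grants: who may connect, from where, to what, and when."""
    vendor: str
    source_networks: tuple            # CIDR strings the vendor declared as its egress
    services: frozenset               # (host, port) pairs the vendor may reach
    access_hours_utc: tuple           # (start_hour, end_hour): start inclusive, end exclusive
    require_mfa: bool
    contract_end: datetime            # tz-aware; access must not outlive the contract


@dataclass(frozen=True)
class AccessRequest:
    vendor: str
    source_ip: str
    dest_host: str
    dest_port: int
    mfa_verified: bool
    when: datetime                    # tz-aware timestamp of the attempt


def evaluate(policy, req):
    """Return (allowed, reasons). Every failed control is listed, not just the
    first, so the audit record shows exactly which agreed term was violated."""
    reasons = []
    if req.vendor != policy.vendor:
        reasons.append("request does not match the vendor named in the policy")
    if req.when >= policy.contract_end:
        reasons.append("contract has ended; access should have been revoked")
    src = ip_address(req.source_ip)
    if not any(src in ip_network(net) for net in policy.source_networks):
        reasons.append(f"source {req.source_ip} is not in the vendor's declared ranges")
    if (req.dest_host, req.dest_port) not in policy.services:
        reasons.append(f"{req.dest_host}:{req.dest_port} is not among the granted services")
    start, end = policy.access_hours_utc
    hour = req.when.astimezone(timezone.utc).hour
    if not (start <= hour < end):
        reasons.append(f"attempt at {hour:02d}:00 UTC is outside the agreed window")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA is required by the agreement but was not verified")
    return (not reasons, reasons)


# Constructed sample data: hypothetical vendor, host and ranges (203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges, not real vendor addresses).
SAMPLE_POLICY = VendorPolicy(
    vendor="acme-payroll",
    source_networks=("203.0.113.0/24",),
    services=frozenset({("payroll-db.internal", 5432)}),
    access_hours_utc=(8, 18),
    require_mfa=True,
    contract_end=datetime(2026, 1, 1, tzinfo=timezone.utc),
)


def sample_requests():
    """Three constructed attempts: one that honours every term, one that strays
    from several of them at once, and one made after the contract ended."""
    ok = AccessRequest("acme-payroll", "203.0.113.7", "payroll-db.internal", 5432,
                       True, datetime(2025, 6, 3, 9, 30, tzinfo=timezone.utc))
    stray = AccessRequest("acme-payroll", "198.51.100.9", "payroll-db.internal", 22,
                          False, datetime(2025, 6, 3, 23, 5, tzinfo=timezone.utc))
    expired = AccessRequest("acme-payroll", "203.0.113.7", "payroll-db.internal", 5432,
                            True, datetime(2026, 2, 1, 9, 0, tzinfo=timezone.utc))
    return ok, stray, expired


if __name__ == "__main__":
    for req in sample_requests():
        allowed, why = evaluate(SAMPLE_POLICY, req)
        print("ALLOW" if allowed else "DENY", req.source_ip,
              f"{req.dest_host}:{req.dest_port}", why)
```

The point of returning every failed control rather than stopping at the first is that the denial record doubles as evidence for the exception-handling and performance-review steps later in the process: a vendor connecting from an undeclared range, to a port it was never granted, outside hours and without MFA is a different conversation from one whose contract simply lapsed without anyone revoking access.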

Protocols should also be specified for communication with your suppliers, especially in case of emergencies or mission-critical problems. This process should include support levels, after-hours contacts, and target response and resolution times. Be precise here: "MTTR" is used for both mean time to respond and mean time to resolve, so the agreement should state which one it is committing to.

Vendor Performance Assessment

The vendor management process should also provide regular monitoring of performance. Depending on the company and the product, monitoring can vary greatly but should focus on the key performance indicators (KPIs) outlined in the agreement.

Monitoring Risk

Failing to comply with regulations and requirements can cause a myriad of problems, including significant data exposure and fines for non-compliance.

Hacks, data theft, breaches, and mistakes have cost companies more than a billion dollars over the past few years. The average cost of a data breach is $3.86 million according to the Cost of a Data Breach Report 2020 from IBM.

Ongoing risk monitoring is essential to ensure vendors are employing the security controls they agreed to and that those controls are functioning as designed.

Vendor Exception Handling

When a vendor does not meet the standards or protocols they’ve agreed to and requests an exception, you must decide how to respond. Security frameworks can be complex, and exceptions can happen more frequently than you might think.

You need a defined process for identifying, notifying, and handling vendor exceptions. This process should include:
  • The key stakeholders that are involved in managing exceptions
  • Roles and responsibilities to manage communication and decision-making
  • Timelines for reporting and remediating exceptions
  • Dealing with exceptions that cannot be resolved

Your risk management strategy should define how all exceptions will be handled.

Written by
Adam Fowler,
Design Compliance and Security, LLC
Design Compliance and Security, LLC is AARC-360’s Strategic Business Partner who teams up with us to help serve our clients on various SOC Examinations.