Michelle Middendorf, workers’ compensation manager at Stanley Steemer, shares vendor risk management best practices and tips for success.
If you rely heavily on third-party vendors, you know the importance of making sure their business and risk management practices align with those at your organization. You also know it’s no easy feat.
Third-party vendors can provide tremendous value to organizations. For example, organizations often rely on vendors to handle IT issues they may not have the internal resources to take care of on their own. However, becoming dependent on third-party vendors also has its risks, and forward-thinking executives use vendor management technology and other risk management techniques to mitigate their exposure.
To continue this example, when an organization relies on a third-party vendor for IT services, doing so usually requires turning over sensitive information. There is inherent risk in trusting a third-party vendor with access to your data. Organizations can, and should, reduce the risk associated with doing business with third-party vendors by following the tips below.
Tips of the Trade
If vendor management is a pain point for your organization, here are eight tips for successfully managing vendors, and how risk and insurance technology can help:
1. Know your vendors
Ensure your list of active vendors is up-to-date and comprehensive, including accurate profiles highlighting what they do, and any potential risks and insurance requirements that might accompany their business models. Because our risk management information system is cloud-based, we were able to set up an online vendor management portal that vendors can easily and securely access without additional license fees. The portal contains the most up-to-date and accurate background data — input directly by the vendors themselves, or automatically updated by the application itself.
2. Assess your vendors
Knowing your vendors, their businesses and their inherent risks will require some due diligence. Provide vendors with questionnaires that assess their operational protocols when it comes to issues that might affect your organization. Aim for simple and objective questions that elicit complete, but not cumbersome, responses. To achieve this electronically, we established metrics and “conditional logic” (or “if this, then that”) questions that are now housed in our risk management information system. A link to the questionnaire is automatically emailed to any potential vendor flagged as needing to be assessed. We can even flex the system if we desire to automatically approve vendors based on their responses. All this functionality has sped up the entire vendor assessment process and improved the quality of survey responses because vendors are no longer burdened with answering duplicative or irrelevant questions.
3. Don’t forget the details
When it comes to vendor assessments, approvals, agreements and certificates of insurance, the devil is in the details. Have an organized system in place to keep tabs on the status of all these items. Make sure all documentation is compliant and carries the appropriate signatures. Thanks to our online vendor portal, we’re no longer drowning in vendor management details. Vendor data and relevant documentation can now be stored and updated in a single environment by multiple stakeholders, without version or status confusion. Our system’s ability to trigger automatic vendor communications cut down on manually chasing data. Finally, preparing, sending and getting contracts signed electronically from within our system has accelerated workflows and reduced legal risks.
4. Implement sound policies and due diligence
These policies and processes should regulate all vendor-related matters. Work with vendors to find and then appropriately address gaps in security. Additionally, using vendor risk management technology that can create controls and store policies for vendors helps automate various compliance checks and activities. Clients can then more easily administer vendor training and attestation for new policies.
5. Assess risks posed by shared infrastructure
Risk management technology providers that connect seamlessly with the Unified Compliance Framework, like Riskonnect does, offer ready-made compliance templates and risk assessment questionnaires that greatly facilitate this process. Having a user-friendly vendor management system to actively monitor and regularly audit your vendor’s performance and security is of great importance.
6. Train staff and vendors in proper security practices
For example, educate staff in anti-bribery practices and require that vendors also go through stringent, ongoing compliance training. This practice helps provide assurance that everyone is on the same page about new regulations and requirements.
7. Implement strong incident detection & response systems
Service provider risk is not a one-time threat or possibility, so simply having these capabilities is not enough. You must also test them on a regular basis to confirm that the system is keeping pace with the evolving ways organizations are being attacked.
8. Invest in the right risk management tool
Having a single, integrated system that allows you to monitor, manage and mitigate all vendor risks, including the tasks mentioned above, is essential. It greatly reduces the probability of errors, and it’s no secret that the cost of a breach is too high to neglect this vital business practice.
Why Great Vendor Management Matters
Converting to an electronic vendor management process ended up being transformative for Stanley Steemer: It allowed us to shift from primarily focusing on residential business to more aggressively pursuing certain commercial lines of business — a priority that had been cumbersome, but is now streamlined because we have adequate resources to appropriately manage our vendors.
Don’t let the many details associated with vendor management hamstring your organization. Take steps to streamline your vendor management processes, and you’ll quickly realize the value goes far beyond controlling the madness.