Prospects increasingly demand assurances about an organization’s security stance, as well as that of their vendors. Businesses are now called upon to evaluate the criticality of a vendor, the services provided by each, and the access they have to sensitive data. With new security threats and compliance requirements appearing at a breakneck rate, companies can no longer hope for the best. Instead, they adopt vendor management best practices to confirm that vendors are protecting their digital assets.
This heightened security focus on vendor management is a driving reason behind the adoption of SOC 2 principles and a sharper focus on risk. Prospects and customers send organizations security questionnaires for assurances about security measures and due diligence needs to roll downhill. Vendor management best practices involve assessing and mitigating risk associated with both new and current vendors. Categories of vendor risk include cybersecurity risk, financial risk, compliance risk, and reputational risk. A sound vendor management program thoroughly and accurately assesses the importance of services provided to the organization and the level of risk they present to the business.
Accurately and efficiently assessing vendor risk requires more than just writing policies. Organizations too often adopt a more-is-better approach to dealing with risk. They end up with unnecessary policies that in turn lead to unnecessary work, confusion, and a less effective overall vendor management program. Focus instead on policies pertaining to physical/logical access control, change management, and information security. These policies represent the foundation of vendor management best practices, are essential for the organization, and can be necessary to provide customers with transparency as part of a vendor management program.
You will need other policies and procedures. A comprehensive risk assessment reveals what else to include. A risk assessment is a quantitative and qualitative process that identifies threats or vulnerabilities and calculates the amount of risk they present to the organization. A well-executed risk assessment removes the guesswork and creates a roadmap for additional policies or procedures that are truly relevant to your organization. This process avoids the “everything including the kitchen sink” approach that slows operations and confuses vendors.
Controls are the tools used to ensure risk is managed in accordance with the policies an organization creates. A control is an activity-based statement providing instructions on how to mitigate or minimize the risk associated with a vendor. These controls represent the result of adhering to best practices within the business’s vendor management program.
The following 12 vendor management best practices can help an organization identify, implement, and assign responsibility for controls needed to manage risk.
The C suite must embrace the fact that vendor management is vital to customer acquisition and retention, and not just a compliance hoop to jump through. It’s critical to have buy-in from senior management (and the board, when applicable) for the program to deliver the type of measurable value it’s capable of.
More isn’t necessarily better when it comes to policies and bigger isn’t better with regard to a vendor management program. On the other hand, effective policies and controls won’t write themselves. Put the right person in charge and give the program the resources, systems, and training so they can manage vendors effectively. Provide the team with technology solutions that empower them to be responsive at all times while never losing focus on the company’s most critical or riskiest vendors.
Vendor management can get complex because these relationships rarely involve single points of contact within each organization. The individual overseeing the day-to-day relationship is tasked with getting value from the vendor, not enforcing compliance or maintaining the integrity of cybersecurity. The team needs to feel confident. Give stakeholders clear role and responsibility guidance. Prioritize reporting to create transparency that helps the team stay informed and working cohesively.
Many organizations try and fail to run a vendor management program using incomplete and disparate data. Vendor data can exist everywhere from shared folders to paper documents in file cabinets. Organizations need data management systems capable of collecting and managing disparate, even unstructured data—storing it in a centralized database to make accessing and reporting easier.
Different types of vendors carry with them different types of risk. The vendor risk tiers and categories are core components of any vendor management program. These illustrate where the risks are with every vendor relationship—making it easier to align due diligence activities commensurate with the risk level.
Organizations should document and understand vendor technology infrastructure. Do their systems function solely in the cloud, on-premise, or in a hybrid architecture? What type or severity of outage could compromise their services and create issues for customers? It’s vital for companies to have visibility into the geographic nature of risk, so they may better plan for what to do if an issue arises.
Due diligence is the key to successful vendor management. The deep dive into vendor systems and processes helps organizations to better understand risk exposure and implement appropriate policies and controls. With increased risk comes more in-depth due diligence.
Organizations who need assurances from vendors about security measures should get it in writing. The contract with the vendor is the first and only opportunity to legally document the business terms to which both parties agree.
Management of service agreements is often an inconsistent process in many organizations. This can result in unnecessary risk, so vendor management programs should insist on and provide a standard, consistent contracting process that ensures necessary risk-mitigating measures are incorporated into the work agreement.
Personnel charged with providing or overseeing services have likely not read the contract. After vendor selection and execution of contracts. Close the loop with them. They will be the key to making the agreements come to pass. Communicate and document expectations during the onboarding process.
Both company and vendor should be held accountable throughout the life of a contract. A solid vendor management program focuses on performance standards that are routinely monitored by both parties. Key performance indicators (KPIs) should be established to maintain transparency, make it easy to onboard new stakeholders in either organization and create a more efficient and less resource-intensive auditing process.
Vendor management is about more than policies and controls and contracts. A sound vendor management program will also emphasize soft skills needed to encourage collaboration and shared responsibility.
When an organization parts ways with a vendor, it’s important to use a formal process, just as onboarding does. Don’t leave stakeholders guessing about how to migrate away from a given service. Document process and controls for everything from transfer of assets to data migration or destruction of confidential information.