Managing your vendors can be a time-consuming process. Some larger organizations employ FTEs dedicated solely to vendor oversight and management; others may engage a third-party to execute this function on the organization’s behalf. No matter which path a company might choose, an effective vendor management process is crucial for organizations that have outsourced critical functions to third parties. In this article, we discuss some key components of an effective vendor management strategy.
Conduct a Vendor Risk Assessment
The risk assessment is a critical piece of both initial vendor evaluation and ongoing due diligence with the purpose of helping an organization understand risks presented by their third-party relationships. Updating the risk assessment is also critical when purchasing additional services from an existing vendor, as it is important to understand the new services’ impact on your organization’s risk management strategy.
Ensure that you are not leaving any vendors out of your assessment, even those that may at first glance appear to be innocuous. For example, how much scrutiny have you applied to the vendor that does the housekeeping services for your company? What do you know about their hiring practices? It might seem to be the stuff of Hollywood, but there have been many real-world examples of companies having been infiltrated through cleaning crews, landscapers or the like. Moreover, most incidents involving third-parties are not intentional, so your risk assessment must include not only potentially malicious actions but accidental actions, force majeure, etc. There is a famous anecdote about a cleaning crew that unwittingly unplugged critical equipment in the computer room so they could plug in their floor polishing machine.
Review Critical Vendors At Least Annually
Organizations should be conducting a vendor risk assessment on at least an annual basis, or more frequently if necessary. Vendors that provide critical services to your organization should be constantly scrutinized to ensure that you are effectively managing the risk associated with that vendor. Do not become complacent, it is easy to assume that since you may have done business with a particular vendor for a number of years, that they are a going concern and are being effectively managed. As with any oversight function, believe but verify. Checklists are handy tools to ensure that all relevant attributes associated with vendor oversight are routinely addressed.
Each vendor should receive a risk rating, with the amount of scrutiny applied being commensurate with the risk the relationship poses to your organization. Additionally, you should also be rating how well your vendors perform against the contract metrics or SLA’s (Service-Level Agreements) that are in place. Tracking contract performance over time can be a very useful tool in spotting potential issues before they become major problems that impact your organization and making adjustments, if necessary.
Do Not Just “Check the Box”
Did a key vendor just provide you with their most recent SOC report, a third-party penetration test, or other audit report? When you received these items, what did you do next? In many cases, the answer is “not enough”. Here are a few items to look for when reviewing reports such as these:
- Do not just read the opinion or executive summary. The devil is nearly always in the details. A clean (or unqualified) opinion is an excellent accomplishment for your vendor and a good indicator of what you will find in the report, but there is still more to do! Ensure that you read the report in its entirety and ask questions, if necessary. Also, look for what period the report covers, is it recent, or is there a significant gap between the report coverage dates and now? If so, consider asking your vendor for a “bridge” or “gap” letter confirming that there have not been any significant changes or issues noted since the report was issued.
- Understand the scope of the report. A vendor may publish multiple reports, each with its own scope. It is not uncommon to accidentally be given the wrong report, so take the time to ensure that you have received the report that corresponds directly to the services you subscribe to. Also, be wary of vendors that do not have reports of their own, but instead pass along the reports of their vendors (aka subservice providers) in hopes that you will simply “check the box” and move on once you have a report in-hand. A common example of this would be a SaaS (Software-as-a-Service) or cloud provider that provides you with the audit report of the data center that hosts their servers. While that may be good information to have, its scope will likely not include key aspects of the services being provided by your vendor and should not necessarily be seen as a substitute for your provider having a report of their own.
- Make sure that you have read the details of what was tested, the results, and understand any findings that appear in the report. Yes, there still can be findings you should be aware of that would not necessarily be reflected in the opinion or executive summary. These are typically items the auditor did not feel rose in significance to the point where the control objective or criteria was not accomplished, however, you should still look to understand what these items were, what impact they have to your organization, and determine if any follow-up is merited.
- What is a CUEC? Many types of reports have a section containing Complementary User Entity Controls or the like. Essentially this section details controls that your vendor expects you to be performing in order for their systems to work properly. Unless you are performing the relevant controls identified in this section, there is a chance that your vendor’s controls and processes may not produce the desired result. It is important to document which controls your vendors expect you to be performing, determine their relevancy, and then ensure that you are doing your part by operating the controls they rely upon you to perform. This information may also be in the service agreement that you originally executed with the vendor, so be sure that you understand what activities your organization may be responsible for performing.
Whether the documentation you received was a SOC report, a penetration test, a financial statement, insurance documentation, or otherwise, it is critical that you thoroughly examine all of these documents and ask questions if necessary. If you are unsure of what you are looking at, be sure to consult with someone who does. Do not let your vendor oversight function turn into a form over substance “completion grade” where the details of provided documentation are not being properly scrutinized.
Do not underestimate the value of kicking the tires yourself, there is an immense amount of information that you can glean by simply spending a little time with your vendors. You can learn a lot from an on-site visit, even if you are essentially taking the “guided tour”. How does their office look? Are there papers piled up or are the desks clean? Are there lots of empty workspaces, or are they at capacity? If you visit frequently, are there familiar faces or does it seem like there is a large amount of turnover? A checklist can also be handy for these visits to help guide your observations and discussions while on-site.
These are just a few considerations for your vendor management strategy. We are here to help! Each business is different, and we tailor our approach based on the unique needs and characteristics of your organization. If there are any questions that you might have please feel free to contact us.