In 2013, a Trustwave investigation of 450 data breaches worldwide found that 63 percent of them were linked to an external third party responsible for some part of IT system administration. As is usually the case, further investigation showed that nearly all of the affected companies had been confident that their information was secure with the vendor. The fact is that these breaches still occurred, and they will continue to occur if companies do not continuously manage their third parties. So my advice is to raise the bar on the importance of vendor management with your third-party community and take a proactive, joint approach to securing company information.
The last thing you want to do is over-manage; that drives the relationship into fear and significantly throttles innovation. Vendor management today is challenging enough without internally compounding the situation between IT and business stakeholders. Implementing the right vendor management practices formalises the governance of interactions between all parties. A common issue I have found is that many IT departments do not leverage easy-to-deploy SaaS systems for their third-party management. Without that centralised business intelligence, when issues arise these departments are simply unable to report on their third-party interactions, relying instead on email or perhaps an Excel sheet with stale data. Systems and people are important, but the culture of engagement and the leadership of third parties is the core issue in today's business, and it drives the three typical poor vendor management practices below. I'm sure you'll recognise these, so in 2016, do your best to address them.
1. Ignoring regulatory and standards updates related to IT Information Security Management
The ISO 27001 information security standard underwent a major revision in 2013: ISO/IEC 27001:2013 replaced the 2005 edition (ISO/IEC 27001:2005). The standard is a systematic guide for organisations on how to manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
PCI DSS, which governs the handling of payment card data, was upgraded from v3.0 to v3.1 in April 2015 (the main change in v3.1 was that SSL and early TLS were no longer accepted as strong cryptography, a change that directly affects any vendor handling card data on your behalf). Updates to these and other standards and laws are made to raise the bar on information security management practice, so failing to give them the attention they deserve can contribute to major data breaches. If you take standards and regulations seriously, or you have an industry obligation to comply with them, then you should take the updates seriously, and insist that your vendors do so as well. Stay informed, add regulatory compliance as a standing agenda item for all third-party governance meetings, and ensure all parties agree on which underpinning third parties present the highest risk profile to your commercial relationship.
2. Inconsistent Vendor Communication
Building a collaborative third-party relationship requires a culture of trust. Best-practice vendor management typically involves regular and open communication between your employees and the third parties you work with. If a problem arises with a vendor, or a delivery or performance issue comes up, don't just assume the third party will automatically solve it to your satisfaction: they will solve it to the level they have contracted to. The question is, how well do your employees understand this? Do they know the exact product and/or service levels you have actually contracted for?
A very simple and effective practice is to keep the communication lines open, formalise issue management with dedicated monthly meetings, offer whatever help and advice you can, and ultimately make sure the issue is resolved. Performance management is key. Good, regular governance meetings help both parties stop the blame game and work through issues if and when they arise. You never want to find out that a vendor problem wasn't addressed and then have to open a conversation with your leadership team with "I thought they would take care of this ...".
3. Lack of due diligence when on-boarding new vendors
Depending on the size of your company, new vendors are likely being added to your portfolio every month. Many may not require your attention, but how do you know this? A gut feel? You worked with them in your last job? You know they're a multinational, so that's fine?
All vendors present enough risk to warrant a due diligence exercise to ensure the new vendor does not bring unnecessary risk into your business. Completing this before contracting a new third party helps in negotiating appropriate terms, because each party will understand why a commercial position is being taken during the contracting process. Always run due diligence assessments of new vendors before the contract is signed. Early screening gives your employees an idea of what steps will need to be taken once the deal is done and hopefully prevents surprises later on. If a vendor is deemed high risk, the same due diligence assessment should be repeated on an annual basis.
Of course, in the real world vendor management is never perfect, and it requires constant due diligence to protect your company from third-party risk. With limited risk resources, increased outsourcing and burgeoning external threats, you should work hard to ensure your own company culture is not one that accepts complacency when managing third parties. By addressing these three areas, you are more likely to increase vendor performance by building a closer, more informed commercial relationship while mitigating business risk.