What is Vendor Risk Management and Why is it Important?
Greg Kester | July 8, 2019
Any company that works with vendors needs to have a method of managing those relationships in place.
This is true even (perhaps especially) when the vendors don’t play a key role in the company’s business. Vendor Risk Management (VRM) is the discipline used to manage and remediate the risks associated with third-party products and services.
There are inherent risks with every vendor, and much of what can go wrong lies beyond the primary company’s control. The more essential vendors’ roles are in attaining the company’s objectives, the more detailed the risk management process needs to be.
Different Kinds of Vendors
Vendors are numerous and diverse in the ways they can help companies. Below are a few ways they can be classified.
Services They Provide: Vendors provide all sorts of goods and services to their partners. These can include financial services, custodial services, components, logistics, and much more.
Industry Specialty: The more specialized the business, the more specific the potential services vendors may provide. A company that manufactures drones has a very different list of vendors and third parties than a clothing or grocery store, for example.
Geography: Many companies outsource key functions overseas to save money on labor costs. This brings a host of new risks and difficulties in itself, due to considerations like language, time zone, and political differences.
Typical Number of Vendors
The number of vendors a company uses can vary widely depending on company size, industry, and product or service offered. Very large companies often have tens of thousands of vendors. For example, Procter & Gamble reportedly has 75,000 suppliers; Microsoft has 80,000; and Wal-Mart has about 100,000. For small and medium-sized businesses the number can be in the dozens or hundreds.
Why Are Vendors and Third Parties Important to Business?
The competitive advantages offered by vendors fall into a few key areas.
Specialization: Some products and services are so specialized that contracting with a dedicated company can be better than trying to make or perform them in-house. It’s also impractical for some companies to perform every function, simply because there are so many. Vendors allow for focus on core competencies.
Cost Savings: Many companies use vendors to fulfill essential roles simply because it’s cheaper than trying to do so in-house, which might require significant upfront investments.
Globalization: With the rising tide of world commerce, it’s practically required to have vendors that can help companies compete overseas. Things like legal services, translations, and marketing require people who are knowledgeable in other countries and can bridge the many gaps.
What Are the Downsides of Third-Party Relationships?
For all the benefits they offer, third parties have some significant drawbacks. A few key risks are listed below.
Financial Risk: Risk that a third party could damage financial performance. For instance, the company could fall short of revenue goals after a supplier provides a faulty component, impairing sales.
Reputational Risk: The risk arising from negative public opinion created by a third party. Dissatisfied customers, inappropriate interactions, poor recommendations, security breaches, and legal violations are all examples that could harm a company’s reputation and standing.
Regulatory/Compliance Risk: Risk that a third party will impact compliance with laws, rules, or regulations, or cause noncompliance with internal policies or procedures. For example, if a supplier violates labor or environmental laws, the principal organization can still be found liable and face fines.
Operational Risk: Risk that a third party could cause loss from disrupted business operations. Examples include a software vendor being hacked, leaving a company with a downed system, or a supplier being impacted by a natural disaster.
Strategic Risk: Strategic risk is the risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals. The use of a third party to perform critical functions can expose an institution to strategic risk.
Recommendations to Manage Vendor Risk
Managing a single vendor can be challenging; managing lots of vendors can be overwhelming. Putting processes and procedures in place to manage vendors can significantly reduce the associated risks of using vendors.
Centralization: The first step to managing vendors is to centralize the management of all vendors. You need to have a single repository for managing all of the documents and data associated with your vendors, including service level agreements (SLAs), statements of work (SOWs), and contracts. All of this information needs to be readily available and easy to access by staff who manage those vendors.
Screening: All vendors should be screened and go through a standard due diligence process prior to onboarding. This screening process can be regularly reviewed and updated as needed.
Risk Scoring: Every business needs its own unique risk scoring metric to help prioritize the aspects that are most critical for vendors to meet. While this will vary based on the nature of the work that the vendor will perform, the score should reflect things like compliance, information security, and quality control.
Ongoing Assessments: Screening does not end with the onboarding process; it should be continued throughout the life of the contract. You can set up alerts and reports to compare your vendors against national and international lists, including regulatory and watch lists, to ensure that problems with your vendors are found as early as possible.
Vendor management extends beyond daily activities. As we’ve shown, there are many risks associated with relying on vendors—and the more essential the vendor service or product, the greater the risks. To ensure that your company is not exposed to unnecessary risks, compliance issues, or negative publicity, risk management needs to be a core part of vendor management.