Is it on your risk radar?
By John Rostern
Surprisingly, it is only recently that vendor risk management (VRM) has gained recognition as a component of overall risk to the enterprise. Until now, it has largely been flying under the radar for a variety of reasons.
The unfortunate reality is that most organizations do not have robust VRM programs supported by strong project management, which leads to risks that have not been recognized, quantified or managed properly.
Consider the degree to which any organization relies on a myriad of vendors to support day-to-day business operations. Then look at the impact the actions of a vendor or vendors could have on those operations. In many cases, outsourced service providers of everything from payroll to information technology (IT) services to distribution centers are seamlessly integrated into your business processes. In fact, you want these providers to be fully integrated to maximize your return on investment and/or cost effectiveness attributable to outsourcing.
Outsourcing does, however, move risk outside of the organization. It is now critical that organizations of all kinds, across all industries, assess vendor-related risk and execute an appropriate risk management strategy. As you would expect, the initial impetus for this discipline came from regulated industries such as financial services, fueled by the early adoption of IT-related outsourcing strategies by banks. The regulators took a keen interest and wanted to know how banks assessed and managed these risks, since the ability of a bank to properly vet and select an outsourcing provider directly affects the institution’s safety and soundness. As the pace of outsourcing has increased, so has the level of regulatory concern.
With more and more organizations in all types of industries turning to outsourcing, the need for effective VRM programs has skyrocketed. The good news is that vendor management is not excessively complex. It must, however, be treated as an ongoing process — not a one-time event.
Stage 1 - Initial Ad Hoc Stage
Stage 2 - Repeatable but Intuitive
- Perform pilot Vendor Risk Management Program
- Improve analysis and the risk-ranking process
- Perform (limited) vendor assessments
- Evaluate the process to-date
- Initiate ongoing process improvement
Stage 3 - Defined Process
Stage 4 - Managed and Measurable
- Review risk universe
- Perform trend analysis
- Integrate with organization's ERM process; provide evidence for reduced capital allocation
- Refine questionnaires
- Plan integrated assessments/site visits
- Perform vendor assessments - expand in scope
- Institute dynamic risk ranking
- Evaluate process-to-date
- Continue process improvement
An effective VRM Program is composed of four major areas:
1. Risk analysis – Risk analysis makes it possible to objectively assess and categorize the inherent risk that an outsourced function poses to the organization. The basic tenets of risk analysis apply equally to vendor risk. The difference is that risk must be assessed from two perspectives: 1) the inherent risk or criticality of the function and 2) the risk profile of the vendor(s) performing it.
The assessment of inherent risk will determine, among other things:
- Is this process/function a viable candidate for outsourcing?
- Is a single vendor or multiple vendor approach appropriate?
- What level of ongoing monitoring and oversight will be required?
Answering these three important questions will provide the foundation for an evaluation of outsourcing options and vendors. It will also form the basis for identifying a viable approach to risk management for the process(es) being outsourced.
2. Due diligence – To begin, organizations should define and implement a comprehensive due diligence process for selecting and assessing potential vendors. This provides visibility into a vendor’s ability to deliver its services, the internal processes and organization that support service delivery, the existence and effectiveness of internal controls, and the vendor’s financial viability.
Each existing or prospective vendor must be reviewed, based on the criteria established through risk analysis. Good questions to ask include:
- Is the vendor capable of doing what we need done; is the staff adequately trained?
- Is the organization financially stable?
- Does this vendor, in turn, rely on other third parties for the services it will provide to us?
- What percentage of the vendor’s business is in an industry similar to ours; how long has the vendor been providing services in our industry?
- Is the vendor’s technology infrastructure secure and well-managed?
Be sure also to check whether there are any regulatory or civil judgments against the vendor, and check all references.
3. Contract management – Develop a comprehensive process for the review and approval of vendor contracts, paying particular attention to whether the scope and fees for each type of service are clearly defined. There should be a documented procedure for changing the scope of work, and regulatory requirements on the part of the vendor should be included in the contract.
Additional contract management questions include:
- Does the contract include a “right to audit” clause?
- Will a SAS 70 Type II or ISAE 3402 report be provided?
- Are service-level agreements and service-level reporting addressed in the contract?
- Are there penalties for failing to meet service levels?
- Are the performance standards specific and measurable?
4. Monitoring and oversight – Because vendor risk management is not a one-time event but a process, any successful VRM Program must include ongoing monitoring and oversight. Larger organizations may consider establishing a dedicated Project Management Office (PMO) to support the VRM Program function. Where the number of vendors or the perceived exposure is more limited, a shared or ad hoc PMO may be adequate.
Conclusion
Outsourcing can create obvious advantages for businesses of all kinds. With these benefits, however, come risks that must be managed. Implementing a comprehensive, well-defined Vendor Risk Management Program allows management to mitigate vendor-related risk and to align and integrate it with the organization’s overall risk management posture and practices.
Benefits of a Vendor Risk Management Program
- Aligns the organization's risk appetite with its business strategy
- Enhances risk-response decisions
- Reduces operational surprises and losses
- Identifies and manages multiple and cross-enterprise risks
- Recognizes opportunities for process improvement
- Improves allocation of capital
John Rostern is a Risk Advisory Services Director with Jefferson Wells. He can be reached in the Melville, N.Y. office at 631 247-2555 or via e-mail at john.rostern@jeffersonwells.com.