Think Vendors Are Risky Now? Just Wait…
Joe Wilson
Ask vendor and third-party relationship managers whether their job is harder or easier today than 5-10 years ago and you will get “both”. Technology has made the job easier in that communications and tracking are easier, but that just means they are being asked to do more with less. Technology has helped them manage more vendors efficiently, but that means more vendors for each vendor manager and more detailed reporting, with less time and the same resources.
Tell you something that you don’t already know, right? This has been an ongoing trend for some time now. What is different?
What about risk, really? It is about the increasingly accepted notion that companies can be held liable for the behavior of their vendors. Regulators and litigators are saying that “if you had a reasonable expectation to manage risky behavior on the part of your vendors and you didn’t, we are going to hold you liable.”
Big difference from a handful of years ago. The vendor had insurance if they messed up. You fired them when they did. But now, if they cause a breach of your customer data and your company didn’t have a program in place to manage the risk and audit their practices, your company and your board of directors could be liable. Wow.
It used to be what you had insurance for, right? Chance something bad happens. Not so much anymore. That is why a lot of senior executives and board members are taking this seriously. And so should you, even if your company is not yet.
Look, don’t take my word for it. Read up on your industry regulations. Talk to your company’s legal counsel. The winds are shifting towards preventive liability. Not just lip service to “we have a compliance plan on paper. Somewhere. In a closet. We had a meeting about it. Last year. Over drinks.”
Increasingly, auditors are really looking at how companies are managing compliance and risk. And it is not just about data breaches:
- Supply Chain – Is your supply chain following best practices? Food, drug, and product quality and safety upstream of a company are in scope if it had a reasonable expectation to manage the process. If your company markets a product as safe, then it needs to be safe.
- Contractor and Vendor Safety – If someone comes into your facilities and then gets hurt, their practices and yours are going to be examined. Did you have policies in place, did they train their people, did you monitor, and did someone audit?
- IT Security – Keeping a lot of people up at night. The risk of hacker breaches is real. Scary to think most of them go unnoticed for a while and many go unreported. It is one thing for a large company to be able to afford all of the security best practices, but now vendors for smaller companies are expected to secure themselves to the same level. How do you ensure that? How do you monitor? Do you audit?
- Ethical “Actor” Databases – Did you check out the vendors and their employees before hiring them? Just because they are overseas doesn’t limit your liability in a lot of circumstances. Anti-bribery, anti-money-laundering, Foreign Corrupt Practices Act, etc. How do you ensure that your company is protected?
- Government Regulations – Which ones? There are so many ways a vendor can put you at risk. Part of the reason that you have developed such sophisticated vendor management processes and policies is to limit risk. It almost seems easier to get them to just perform than it does to get them to comply.
- SaaS Applications And Hosted Infrastructure – Welcome to the world of the virtual IT infrastructure where half of your applications and data are in the cloud. Somewhere. How much do you really know about where stuff is and how secure your vendors really are? Are they following best practices? Can you reasonably defend your business practices in terms of managing and protecting customer and corporate data? Can you demonstrate due diligence to pass an audit?
Ok, so a lot of fear, uncertainty, and doubt above. A lot of risk management to think about. Some of it about vendor management, some about IT, some about operations, and a lot about legal. In short, it really requires a cross-functional approach to mitigate vendor risk. I would contend that it really requires a formal systematization of the management process, with integrated policies, controls, training, and auditing programs, that enables the vendor management team to easily create management reports and defensible documentation for auditing without creating a huge overhead on a busy staff.
Because I don’t think this is going to get any easier. I think it is going to get harder without a good system. Why?
- Conflict between legal requirements on controlling influence and co-employment – The line between a company’s liability and its ability to influence a vendor is going to make things more difficult. The first shot across the bow was the National Labor Relations Board’s decision to hold franchisors accountable for hiring practices for franchisees. It is the first step down a slope where the line between contractors, vendors, and company is going to become finer. Legal will have to weigh in on how much a company can hold its vendors accountable before the influence becomes possibly actionable.
- Legal requirements to hold company accountable for vendor behavior versus the workload to satisfy auditing – You are going to see an increasing tug-of-war between vendor risk management and vendors’ workload. If you flip the coin, vendors are already struggling with responding to an enormous overhead in paperwork for regulated industries. In the banking space, law firms are now having to undergo IT audits to certify that their IT practices won’t compromise bank data. Multiply that by 20 different industries, 50 customers per industry, etc.
- Outsourcing is going to continue; think supply chain for services, chain risk and accountability – Companies that live with product supply chains are comfortable with supply chain management and liability. They live with it, and auditing your supply chain is a relatively defined business practice. But you can also imagine that the requirement to certify that your vendor’s vendors are following best practices on the service side is coming. As companies become more regulated and liability becomes more defined, the smart move will be to moderate risk further upstream to mitigate its impact.
- Systemization of vendor risk management; documentation, auditing, controls, requirements, and selection – As auditors become increasingly demanding of “real” practice rather than “lip service”, coupled with the amount of regulation and the lowering of the size of company to be regulated, compliance and risk management is a growth business. For vendor management, it is going to be an increasing cost of business and a growing headache for vendor managers. What could be done with a basic CRM system a few years ago will become a formal program and auditable system in the next couple of years, if not already.
Bottom line, vendor risk manager is not a widespread job title. For every one of those titles in large companies, there are 1000 3rd-party (vendor, supplier, and partner) manager roles. But, increasingly, that part of the job is going to become the driver for increased automation. Your job is tough enough without that additional level of scrutiny and auditing, but it will become impossible without a system in the next couple of years. If not already.
Are you feeling it? How do you get ahead of it? How do you do it cost-effectively, but with enough flexibility to grow it as demand increases?
Tough questions, but the right time to be asking them is before you are in the middle of a firestorm.