Small and Mid-Tier Businesses Take Notice: Quality Vendor Risk Management Is Essential to Your Success
According to the Small Business Administration (SBA), a small business is under “500 employees for most manufacturing and mining industries and $7.5 million in average annual receipts for many nonmanufacturing industries.” This definition, of course, comes with exceptions, but for the most part, those are the standards a business needs to meet in order to be considered a small business. Now how do you protect this business from vendor or third-party risk with limited resources?
When hiring a third-party company to work with your small business, there can be a lot at risk, which means there is a lot to take into consideration. For example, if a manufacturing company were to outsource their accounting needs, then the outsourced accountants now have access to all of the manufacturing company’s valuable customer information: phone numbers, addresses, social security numbers, and more. If the accountant’s security is compromised, that not only affects their personal business, but it becomes disastrous for the manufacturing company.
This is why vendor risk management is important. Outsourcing is a helpful and necessary part of nearly every small and mid-tier business, but it is critical that outsourced companies are carefully selected and monitored. This is where risk management comes into play. What is enterprise risk management? The definition is simple. It is the process of minimizing the risks that may result in capital loss.
So What Are the Risks?
At the end of the day, your overall risk is losing money! But that can take form in a number of ways. Property loss, liability losses, reputation loss, fees associated with employee injuries, and business interruption losses are all different ways that you could lose some serious capital. These are the risks that you face every day as a small business owner. Doing business with outside vendors heightens these risks—that is why it is important that you have an adequate vendor risk management strategy in place. To develop this strategy, be sure to consider taking the following steps:
Analyze the Vendor
When considering outsourcing with a new vendor, here are a few ways to decide how much of a risk it is to do business with them.
Running credit is a simple and reliable way to start the process of determining whether someone is a trustworthy vendor. Be sure to thoroughly review the credit of each new vendor you’re considering doing business with before finalizing any contracts. Bad credit equals bad for business.
With all of the recent data hacks and information leaks going on these days, it shouldn’t be difficult to understand why cybersecurity is extremely important. Any issue with cybersecurity could not only potentially threaten your company’s finances but your business’s reputation may also be at stake. Depending on what industry you are in, having lax cybersecurity or doing business with a vendor that doesn’t view cybersecurity as a priority also poses a variety of legal risks. For example, in December 2013, Target’s systems were compromised via a subcontractor who had access to the Target network and was hacked. As a result, over 70 million customers were affected by the data breach. As you can imagine, that wasn’t great for Target. They lost a great deal of business and their reputation took quite a hit.Unlike other aspects of analyzing your vendor, cybersecurity is something that should not just be assessed one time, but should be frequently and consistently assessed and strengthened whenever a new weakness is discovered. Different assessments of cybersecurity include a penetration assessment, having them fill out a questionnaire, having individuals from your Information Technology department take a visit to their headquarters, or provide necessary documentation that outlines their cybersecurity measures. Take a close look at how the vendor handles user data.
- Past-Performance Analysis
In the same way that an employer checks with former employers before hiring new talent, you should also check with other companies that your potential vendor has done business with in the past. Past performance is a huge indicator of what it will be like to do business with a vendor. First-hand testimonies are a great way of getting a full picture of a product or service you’re thinking of buying into.
- Legal Issues
This is often overlooked by small businesses but shouldn’t be. When doing business with a third-party vendor, they are likely to have access to some of your customers’ information. As previously stated, if there is a breach in cybersecurity, your business can face the major threat of multiple class-action lawsuits. With that being said, it is important to take a look at what legal issues, if any, the third-party vendor has had in the past.
Make Sure the Vendor Is Compliant
Anti-Bribery Compliance Risk Management
Depending on what type of vendor you are thinking of working with—be it supplier, distributor, or any other outside party—they are more than likely required to be compliant with one or more anti-corruption laws, and many other regulations concerning factors such as privacy and security. For example, a vendor that does business overseas is held accountable by the Foreign Corrupt Practices Act (FCPA compliance). A few other compliance laws include the Anti-Money Laundering Act (AML), the Federal Trade Commission Act (FTC), and the Health Insurance Portability and Accountability Act (HIPAA). Working with a vendor that is noncompliant could mean fines, legal trouble, loss of credibility, and ultimately bad business.
Be Able to Identify the Warning Signs
If the third-party vendor that you’re considering has a substantial amount of trouble in any of these areas, you should avoid doing business with them.
- Excessive Debt or Cash Flow Issues
Take a look at their books. Is everyone getting paid regularly and on time? Do they have an appropriate ratio of money coming in to money going out at the end of the month? Do they owe a lot of different people or companies that are unrealistic for them to be able to pay off?
- Accounting Inconsistencies
Hire an auditor or use auditing software to analyze the vendor’s accounts. Finding inconsistencies in payroll and account statements is an easy way to detect and uncover fraud, if there is any.
- Employee Turnover Rate
If you find that the third-party vendor has a high turnover rate, find out why. Chances are, you’ll discover that there is an issue with hiring, an issue with training, or an issue with leadership, all of which indicate you may want to stay away from working with this vendor.
Build the Relationship
Once you have thoroughly analyzed the trustworthiness of a vendor, if you decide to move forward, it is time to build the relationship. Creating a specific and detailed contract that outlines the nature of the relationship between your business and the vendor is critical. The contract should not only outline what each vendor will be held accountable for on a deliverable level, but should also detail various standards of performance that will be required of them. After drawing up and signing contracts it is important to keep policy management in mind and revisit these contracts frequently and discuss them with your vendors as necessary.
Have a Contingency Plan
A huge aspect of risk management is figuring out the major risks and then preparing for the worst. Once you have identified internal risks and risks you acquire by doing business with outside vendors it is important that you develop a contingency plan in case a risk becomes a reality. Being prepared for a catastrophe can help you avoid an even bigger catastrophe, or in some scenarios, a total loss.
Continuously Monitor Vendors
This is so important. After you start doing business with a third party, your risk management work is far from over. It is important to continuously monitor vendors to make sure that obligations outlined in your contract are being met, that their cybersecurity is up to par, and they are compliant with all of the laws in their industry and location. As you discover flaws and areas that need to be improved, continue to communicate with your third parties. This will most likely not only benefit your business, but theirs as well.
Obtain Quality Vendor Risk Management Software
Investing in risk management and internal audit software may seem like an unnecessary expense, but in the long run, it will save you time and ultimately money. This software can not only identify and quantify risks associated with third-party vendors, but it can also continuously monitor vendors and help to reduce risks. As your business grows, it can be hard to truly manage and stay on top of all of the risks that it accumulates, and third-party risk management can be an extremely valuable tool to assist with this growth. Using vendor risk management software provides accurate, consistent, ongoing information that is free of human error and can more than likely spot a problem long before any human employee could. Using risk management software is a smart and safe investment that you’ll be happy you have.
If you are interested in discovering the benefits of vendor risk management software specific to your company, please reach out to Aruvio and speak with a helpful consultant.