How Secure Is Your Supplier?

By Margaret Millett

Companies use third-party vendors today to help accomplish their goals and objectives in a cost effective manner. However, by using third parties or service providers the board of directors and senior management are not relieved of their supervision responsibility. They must take the necessary steps to ensure third-party products and/or services are safe and sound, and comply with applicable laws, regulations, and security best practices.

Effective vendor oversight requires ongoing due diligence for providers to adjust for changing market and organisational risks. However, many organisations struggle to maintain their contracts and meet regulatory guidelines for due diligence. It is therefore important to establish standards and processes for monitoring and reviews which are structured and well defined, to ensure that there is consistency across the supplier network.

Vendor management policy
Many organisations have different business models and a complex network of assets located around the world. Third-party vendor relationships exist globally to support this business model. Given this key role, it is essential that companies seek to determine the ability of vendors to recover. They must ensure the effective management of vendor relationships and assess risk and compliance with company policies and controls while managing vendor relationships.

The systems and procedures for managing vendor-related risks, however, can be disjointed and ineffective, leading to significant control gaps throughout the lifecycle of a company-vendor relationship, from vendor selection to vendor termination. Ownership of the end-to-end vendor management process and key stakeholder responsibilities should be clearly assigned, to diminish company losses and vendor risks. A process to maintain risk ratings for critical vendors should be researched and implemented.

To ensure effective, regular oversight, a vendor management policy and governance framework should: identify how an organisation will inventory the vendors; identify the measures an organisation will use to assess the activities they perform; and identify the risk criteria that will apply to evaluate their controls. The process should also evaluate the quality of their crisis management plans, business continuity plans, and disaster recovery plans, testing methodologies, recovery time objectives, recovery point objectives and their use of additional third-party relationships.

Risks in the relationship
Vendor risk management is a concern for many organisations because vendors are key enablers to the current and future delivery to customers. There are a growing number of risks associated with outsourced vendors, particularly as the current financial environment is creating stress in the supply base with the potential to impair an individual company’s dependability and performance.

All organisations have known challenges in managing risk. Companies which do not secure effective vendor management programmes can suffer significant losses. There are no standards of evaluation and the triggers for contingency monitoring are undefined.

The following are potential liabilities:

  1. Lack of an end-to-end process and tools which initiate effective risk management deployment if the need arises.
  2. Diverse but uncoordinated efforts to address gaps in overall programme management (for example, info security, business impact analysis, insurance and contingency planning).
  3. Lack of specific responsibilities and exposure tolerance for key vendors.
  4. Lack of guidance on criteria for vendors at business unit or corporate level.

To facilitate the effective management of vendors, organisations should look to assemble a task force to assess the scope of vendor management within the company and best practices. This task force should address:

  1. The agreed definition and scope of vendor management for the organisation.
  2. The results of the recent internal audits (if available).
  3. How vendor management should look within the company.
  4. The next steps are needed to move towards an enterprise wide vendor management programme.
  5. Stakeholders who should be involved to address those next steps.

In addition, executive management needs to consider the following areas:

  1. Who owns the risk?
  2. What organisational structure is best suited to address the risk?
    • Centralised
    • Business unit
    • Hybrid
  3. Risk mitigation strategy
    • Controls – evaluate the effectiveness of controls that ensure vendor service levels are being measured, monitored and reported to management and the vendor.
    • Risk specific mitigations – receive recommendations on risk mitigation actions.
  4. Efficiency gains – existing significant opportunities for improving efficiency.

Executive management also needs to think about where the maturity level should be. Consideration should be given to:

  1. Stakeholder involvement and buy-in outside of the primary owner (for example, procurement).
  2. Integration of vendor/supply collaboration with business strategy and operations.
  3. Value realised.
  4. Vendor/supply relationships management programme maturity.

Formulating a strategy
A corporate vendor management programme will not be established after one meeting. The organisation must establish what it wants to incorporate into its vendor strategy and this will require time. The issue will have to be examined from all angles before the final policy is formulated. Some options are:

Level 1 – No formal programme.

Level 2 – A vendor management programme is established within each of the business units. Targeting and measurement of opportunities to manage risk and create value is nominal.

Level 3 – Enterprise-wide vendor management with clear links to business strategy is instituted. There is a systematic approach for targeting and measuring the value and risk.

Level 4 – Strategic planning occurs and specific responsibilities are assigned, activities, behaviours, and capabilities are embedded in all business processes as a part of the larger framework of organisational resiliency.

It is also necessary to establish which model will be adopted for the programme. These can be divided into three types: centralised; centre-led and decentralised. Each of these models has its own advantages and disadvantages.

Centralised model

Pros

  • High degree of standardization
  • Streamlines communication and decision making

Cons

  • Difficult to build and maintain internal business partner buy-in
  • Risk of disconnect with needs of the business

Centre-led model

Pros

  • Supports alignment of supplier relationship manager office with needs of business
  • Balances standardisation and sharing best practices with high stakeholder engagement

Cons

  • Creates governance complexity and requires a high degree of effectiveness in cross-business unit collaboration

Decentralised model

Pros

  • Supports alignment of supply relationship manager with needs of business

Cons

  • Effectiveness of collaboration with suppliers is variable
  • Undermines alignment between sourcing and management of post-award interactions with suppliers
  • Relationships with crossbusiness unit suppliers significantly sub-optimised

The model selected should best serve the company’s particular needs and have the most effective vendor accountability.

An external questionnaire should be created to document the business continuity management requirements. The objective should be to understand the BCM programme used by the vendor in support of the organisation. All personnel involved with operational readiness of the company should be surveyed for their feedback. The vendor responses will help an organisation determine their resiliency and the role a vendor plays in that adaptability.

A vendor questionnaire should consider the following areas with detailed questions about the support of the organisation:

  • Background information
  • Contractual agreement/Service Level Agreement
  • Business locations
  • Risk assessment
  • Business impact analysis
  • Crisis management plans
  • Business recovery plans
  • Network infrastructure plans
  • Business continuity plans
  • Disaster recovery plans
  • Training
  • Compliance and audit
  • Internal audit
  • External audit
  • Testing
  • Vendor use of third party vendors associated with support to an organisation

An additional section should be included to ask detailed data centre questions. Below are some recommendations:

  • Physical security
  • Environmental controls
    • Fire exposure
    • Water damage
    • Air conditioning/heating
    • Electrical
    • Housekeeping
  • Testing

Periodic performance reviews should be conducted to ensure service levels are being met and that sensitive information provided to the vendor has not been compromised. Monthly reviews are recommended.

Responses deemed to require the awareness and attention of executive management should be added to the ‘Vendor risk/SLA dashboard’ which is provided to management committee on a regular basis. Below are additional points to consider:

  1. Has the vendor fully met the performance and SLA expectations over the past thirty days?
  1. Has there been any disruption in workflow based on vendor performance in the past thirty days?
  1. Has the vendor provided warning or created the expectation that workflow may be disrupted for any reason during the next thirty days?
  1. Has the vendor reported a breach of their network, systems or facilities in the past thirty days?
  1. Has the vendor provided information/results on tests of their internal security (physical or systems) controls conducted within the past thirty days?
  1. Has the company conducted tests of the vendor’s internal security (physical or systems) controls within the past thirty days (and only with the vendor’s explicit, documented permission)?

As more companies face the challenge of increasing productivity, BC managers must be alert to potential pitfalls in the implementation and supervision of outside vendors to meet increasing demands. Risk is a constant factor that must be addressed and evaluated on a regular basis and management must always be on the look-out for potential risks with any vendor partnership.


About the Author
Margaret J Millett, MBCP, is director of global continuity services at eBay Inc. She can be reached at mmillett@ebay.com.