Why vendor management is important
Why is everyone talking about vendor management? Vendor management is an increasingly important topic, attracting the attention of regulatory and governance bodies such as the SEC in the US and the FCA in the UK. Why has this topic become more important, and what should your organisation be doing?
Larger enterprises have typically taken vendor management more seriously, simply because the number of vendors and the amount of money being spent forced the issue. With the increased focus on resiliency, organisations and regulators are paying closer attention to the risks that vendors can pose to an organisation’s risk profile and its risk management.
This focus has only been enhanced by the data breach suffered by US retailer Target that lost 110 million records containing customer information including credit card information.
While the full details have not been released, what has been made public is that Target was attacked via a connection with a vendor. It is understood that the vendor is a heating and air-conditioning company that had a link into the Target network, which was utilised by hackers to breach Target’s security on other systems and to transport the approximately 11 gigabytes of data out of the organisation. The gross expenses for this single event amounted to more than $250 million.
What should your organisation be doing?
There are a number of steps that your organisation should take to ensure that it has the right vendor management in place to provide the appropriate level of protection.
Firstly, implement a vendor management system. If your organisation already has a vendor management system in place then this is an opportunity to review it, to ensure that it meets your organisation’s current needs and requirements. If a vendor management system is something new to your organisation, then some recommendations include:
• Assess the criticality of your vendors and the services that they provide; if your organisation has a (recent) Business Impact Analysis document then this should be used as input into this process.
• Tier your vendors and the systems that they provide in accordance with the criticality of the services provided and the value of the contract. This means that a low value but critical vendor could be Tier 1, as could a higher value lower criticality vendor.
Check vendor contracts: contracts can age, and the services can move on, so the contract no longer reflects the services the vendor currently provides. There can also be circumstances where contracts are not current or not in place at all.
If there are contracts that are not in place, or need updating, this should be remedied promptly; meet with the vendor, make sure that they understand the organisation’s needs and requirements, and ensure that the contract reflects the criticality of the service provided.
For services that are critical you may want to consider putting in place a back-up supplier and contract to ensure continuation of service if required.
Check service level agreements: service level agreements are the part of the contract that document the reliability of the services that the vendor provides. SLAs are not appropriate for all contracts but for the services and contracts that are appropriate they should be in place, and they should reflect the organisation’s requirements for the service.
Perform vendor due diligence: vendors’ situations can change over time. Having standards and criteria that vendors need to maintain that you can check against — on at least an annual basis — is key to ensuring that your organisation isn’t subject to avoidable disruption due to a vendor failure.
Implement vendor awareness: vendors should be aware of the important part that they play in your organisation’s operations. Some organisations worry that this will in some way damage their ability to negotiate with vendors. Obviously, if a vendor tries to exploit this kind of information, it is probably not a vendor that you want to do ongoing business with.
Hold regular vendor meetings: you should implement regular vendor meetings. The frequency and structure of these meetings should be a reflection of which tier that vendor occupies. These meetings are your organisation’s opportunity to hold the vendor to account for the service that they have provided since the last meeting.
The meetings should include the following components:
• Review of service and SLAs and vendor performance since the last meeting.
• Review of outages or issues experienced since the last meeting.
• Update on vendor awareness or incident response.
These meetings should always be documented. If there are actions that are outcomes from the meeting then they should be captured as part of the minutes, which should be distributed within a maximum of a few days of the meeting.
Your next steps: these six steps will set you and your organisation on the right path, but they are only as good as the ability to implement, maintain and improve them as needed.
Having implemented the steps, if your organisation is regulated or subject to audits or exams then you should make sure that the implementation and the ongoing execution of your vendor management system is documented, can be evidenced and is achieving the intended business goals.
Darren Wray is the chief executive officer of Fifth Step and has more than 25 years of IT and management experience within the financial services and other sectors. Fifth Step operates globally from its offices in Bermuda, London and New York, providing IT leadership, change management and governance services to executives and senior managers within insurance, investment, legal and banking organisations of all sizes.