In recent years, many organizations have shifted their focus to core competencies. This is because those same companies have been able to increasingly outsource non-core processes to third-party service providers, which can often perform these functions better, more quickly, or at a lower cost.
This shift makes it critical for organizations to implement third-party risk-management programs to better manage and govern third-party vendor relationships. These comprehensive measures can help mitigate threats—such as security breaches, data theft, and loss of data—that could damage an organization’s reputation or disrupt operations.
By building a risk-management framework made up of just five key activities, organizations can better protect client data, promote confidence in the end-to-end chain of custody, and meet compliance requirements and commitments.
Types of Vendor Relationships
Organizations today operate in a vastly interdependent environment. Because of this, it’s important for entities to evaluate and fully understand the different types of vendor relationships in which they’re involved.
A key aspect of the evaluation process involves assessing the vendor population. This requires organizations to rank vendors based on their criticality and classification, where classification means the type of dependency an organization has on a given vendor.
Vendors that aren’t strictly categorized as financial or operational are generally purely transactional and require monitoring on an annual basis to determine if the dependency—and classification—have changed.
Financial Dependency
There’s a financial dependency when the products or services provided by a vendor have a direct material impact on an organization’s financial performance and reporting—a payroll service provider, for example.
For these vendor relationships, organizations should consider obtaining a SOC 1 Type 2 report from the service provider. This report provides attestation of the following:
- The design of the service provider’s controls
- The operating effectiveness of those controls over the transaction-processing operations performed at the service provider
Operational Dependency
Alternatively, when products or services provided by a vendor don’t have a direct material impact on the financial performance and reporting of an organization but still impact operational performance, there’s likely an operational dependency. Examples of these types of vendors include web-hosting services and cloud-service providers.
Organizations should consider obtaining a SOC 2 Type 2 report from those vendors on whose services or products there’s an operational dependency. This report provides attestation of the design and operating effectiveness of controls against specific trust service criteria as defined by the American Institute of CPAs. The trust service criteria include the following:
- Security
- Availability
- Privacy
- Confidentiality
- Processing integrity
Unclassified Dependency
Unclassified vendors are those providing products and services that can easily be replaced with other sources. These vendors typically have no impact on an organization’s financial-, operational-, or regulatory-compliance requirements and commitments.
Framework of a Vendor Risk-Management Program
The components of an effective vendor risk-management program generally differ based on the scope and nature of an organization’s outsourced functions. However, effective vendor risk-management programs typically comprise the following five activities.
Risk Assessment and Validation
As a first step, organizations should develop and approve appropriate risk assessments and risk-based policies to govern third-party vendors. Risk assessments can then be performed and updated annually to remain current with new and emerging threats.
At the same time, management can benefit from validating and verifying that third-party vendors comply with the organization’s own compliance requirements and commitments.
Contractual Provisions
Next, organizations will want to develop contracts with third-party vendors to help ensure a common understanding of agreed-upon goals and commitments. Contractual provisions should also define the following components of the vendor relationship:
- Deliverables
- Service-level commitments and responsibilities
- Terms and conditions
Typically, legal counsel is involved in this process to help address all contractual and regulatory requirements for the industry in which an organization operates, such as the Health Insurance Portability and Accountability Act of 1996 in health care.
Service-Level Agreements
Clearly documenting performance expectations and accountability with service-level agreements (SLAs) is an important part of any risk-management program. Through the use of SLAs, organizations are able to monitor, measure, and assess vendor performance to determine compliance.
SLA monitoring also allows management to properly evaluate vendor performance so they’re able to adequately negotiate renewal terms or, if warranted, transition to a different service provider.
Management Oversight and Periodic Monitoring
By employing an ongoing monitoring program, organizations can verify that third-party vendors deliver the quantity and quality of services required by contractual SLAs. Monitoring techniques can include the following:
- Monitoring a third-party vendor’s security controls and financial strength
- Determining the potential impact of an external event on a third-party provider’s ability to fulfill its contractual requirements and commitments
Business-Continuity Plans
Organizations may also want to understand the business-continuity and disaster-recovery requirements for relevant third-party vendors. Management can benefit from verifying that third-party vendors maintain a formal business-continuity plan and that disaster-recovery testing is performed periodically. Test results should be communicated regularly to the organization.
We’re Here to Help
For more information about how to improve your organization’s vendor risk management, compliance, or cybersecurity, contact your Moss Adams professional.