This article is part of our vendor management guide.
IT risk is finance risk. Seasoned CFOs know this. And it’s why they treat IT vendor risk management (VRM) with the attention it deserves.
Companies have been outsourcing projects—even entire IT functions—for a long time. In our digital age, vendor management has become more involved because vendors’ roles and responsibilities have evolved in sophistication and complexity.
And so have the risks that some IT vendors may present. Whether you’re reading this as an early-career procurement professional or a deeply experienced financial controller, this guide will help you to learn (and reinforce):
What is vendor risk management (VRM)?
Vendor risk management is the process of ensuring external IT service providers and vendors do not cause negative impacts on your business performance, according to Gartner. Some finance professionals and risk managers prefer to call this process IT VRM.
Why businesses must manage vendor risks
The short answer is that it’s one of several vendor management best practices. The longer answer? It’s just too costly to leave vendor risks to chance. In fact, a recent Deloitte report revealed organizations are more likely to face a ‘high impact third-party incident’ if they haven’t invested in managing vendor risks. Here are some of the risks that VRM can tackle.
Shift sustainable IT partnerships
Environment, Social, and Governance (ESG) risks are growing every day. Vendors who are irresponsible with sustainability, product sourcing, the environment, and industrial relations laws can open you up to myriad dangers. CFOs increasingly have their eyes on ESG and ‘Green IT’ is adding to these considerations. For example, businesses that still rely on data centers are now being encouraged to migrate to the cloud, both to tamp down energy costs and limit the risk of climate damage to data centers.
Prevent service disruption
Relying too much on a single vendor or set of vendors in one country or geographic region can be a big source of risk, too. VRM is not a replacement for a detailed vendor management strategy, although it can inform that process. For example, many tech-focused businesses engage developers in regions as diverse as Eastern Europe and Southeast Asia. Good VRM can help you identify potential repercussions from natural catastrophes, pandemic outbreaks, and geopolitical upheaval that can bear reputational risk if it leads to service disruption.
Avoid regulatory breaches
Unfortunately, there is always a possibility a third-party vendor will break a law or regulation. Compliance rules have become more complex, and many organizations have spent more money to ensure they don't break the law. The Bank Secrecy Act (BSA) and the Office of Foreign Assets Control (OFAC) are just two areas that may apply to your vendor relationships.
Stop data losses and leaks
Information security (infosec) and cybersecurity matter, too. Even before many firms switched to remote and hybrid work, businesses have depended more and more on VPNs, cloud software, and sensitive data sharing. Data breaches, ransomware, and malware are all problems that are here to stay.
5 steps to create a vendor risk management program
For finance teams and SMB owners, most of the vendors you turn to are tasked with managing sensitive customer data, maintaining infrastructure or applications, and ensuring service uptime. As a result, you need a framework to assess their security and regulatory compliance capabilities and determine what (and where) your risk exposure is.
And you need that framework, even if the vendors aren’t technically engaged by the finance unit itself. This is why it's worth setting up a dedicated vendor risk management program. Follow the following steps to establish your own VRM program.
Step 1: Form a risk management team
Start by creating a risk assessment team.
- Consider building this team around experts from finance, legal, IT, security, PR, and compliance.
- A good cross-functional team will ensure the risk management process is informed by potential risks from across the organization.
- Smaller businesses and startups can work with their own financial controller (or a fractional CFO) to map out risks.
This can keep risk management costs in check, especially if the fractional CFO’s risk areas are plotted to financial automation software.
Step 2: Review vendor contracts
Risk managers recently identified the ‘lack of pre-contract due diligence’ as their biggest challenge when managing third-party vendor risks, according to a 2021 report from Prevalent.
This is why contract lifecycle management — the process of proactively and consistently managing your contracts — is so important. Just as it can help you manage vendor negotiations and rein in vendor spending, so too can it help you stay ahead of common risks and move away from high-risk vendors.
Contract lifecycle management can help you set out your approach to the negotiation process, and your review and approval procedure. It will also set out how contracts are preserved and monitored.
Step 3: Check vendor references
Ideally, during the onboarding process you should be checking references before you sign a contract for services. But that doesn’t mean you shouldn’t also periodically review your existing vendor relationships with tools like a vendor scorecard, because key personnel can change, as can business models, along with your vendors’ owner-supplier relationships.
A company background check on vendors should include information such as criminal convictions of employees, bankruptcy cases, regulatory violations, corporate record verification, government sanctions, civil litigation, and social media reputation.
Step 4: Check insurance certificates
A key part of risk management is ensuring that your organization doesn’t bear all the responsibility for problems at a vendor, be they cyber attacks, workplace accidents, or injury to site visitors or the public. Ask your vendors for certificates of insurance and be sure to do so on a regular basis. It’s not uncommon for smaller vendors to purchase insurance to clinch a large project, only to let it lapse after the initial term, leaving both your business and theirs open to the high risks the insurance was first purchased to prevent.
Step 5: Use charge cards to manage vendor spending
Payments to vendors are a key way to manage risk too. Longstanding accounts payable habits can take a while to shift, and for many businesses, there’s a temptation to actually move away from card payments as you scale. For some reason, invoices are seen as ‘safer’, even if they do slow down payment processing and collection time frames.
In fact, card payments can help you manage the risk of vendor overspending, by giving you the ability to limit spending on certain vendors or entire categories of vendors. Importantly, you can then also identify where vendors are being paid for services that are no longer fit for purpose.
What is a vendor risk assessment?
A vendor risk assessment is a thorough review of a vendor’s products, supplies, and services that they supply to your business. By assessing vendors for risks, finance teams can prevent problems before they arise by seeing if the vendor may later cause the business legal, security, or reputational problems.
How to conduct a vendor risk assessment
Here’s a simple run-through of how to carry out a vendor risk assessment:
Create a risk assessment scorecard
A risk assessment scorecard can help you rank any likely risks by their level of potential impact. The criteria and metrics the team uses should be based on the type of business you do, your priority areas, and customer expectations. Ensure that you use this scorecard for each evaluation you do so that this workflow remains consistent and transparent.
Compile a list of vendors
Here you should examine criteria such as what the vendor does for your organization, how important they are to it, where they are situated, what data they handle, and any potential hazards they pose. Make sure to cross-reference vendor lists from your AP department and procurement team to make sure you have a complete list. Regularly update this data.
Ask teams and departments about vendors
Once you have this list, you can then categorize your vendor networks correctly by speaking to the business units that engage them. Using a questionnaire, they can help confirm the vendor's location, whether or not their products or services are mission-critical, how much sensitive data they manage, and whether or not they'll have access to your computer network. For example, your business may have categories for insurance companies, accounting services, marketing consultants, and law firms.
Identify any vendor security risks
Now, you can assess each vendor at the company, product, and service level. A two-tiered approach to this risk assessment process will help you catch any gaps, vulnerabilities, and potential operational risks, further improving your company’s ability to choose the right vendor. To do this:
- Cross-check vendors against key product areas to identify problems like over-dependency, foreign exchange risk, inflation, and in-country risks such as conflict or pandemic outbreaks.
- Cross-check the services vendors provide to ensure they are not prone to the risk of fraud, regulatory change, or their own third or fourth-party suppliers.
Conduct an on-site audit
In rare circumstances, you'll need to conduct an on-site audit to get a more detailed assessment. Although on-site audits may be required for certain types of vendors when external regulators demand a yearly in-person review, consider broadening that pool to include other mission-critical partners who aren’t covered by the regulatory umbrella.
Manage vendor risks using finance automation
Despite the intricacies of vendor risk mitigation, 42 percent of professionals are still using spreadsheets for activities like vendor risk assessments, according to the Prevalent report. A third of people surveyed for the report said they were dissatisfied or disinterested with this approach.
Finance automation is one way to address this dissatisfaction and make VRM more structured. Ramp, for example, can help you set up vendor-specific virtual cards to control spending and prevent shadow IT with simpler vendor approvals. With these cards and approvals in place, you can protect your business should you decide the vendor relationship has gone awry. Learn more about Ramp today.