IT risk is finance risk. Seasoned CFOs know this. And it’s why they treat IT vendor risk management (VRM) with the attention it deserves.
Companies have been outsourcing projects—even entire IT functions—for a long time. In our digital age, vendor management has become more involved because vendors’ roles and responsibilities have evolved in sophistication and complexity.
And so have the risks that some IT vendors may present. Whether you’re reading this as an early-career procurement professional or a deeply experienced financial controller, this guide will help you to learn (and reinforce):
Vendor risk management is the process of ensuring external IT service providers and vendors do not cause negative impacts on your business performance, according to Gartner. Some finance professionals and risk managers prefer to call this process IT VRM.
The short answer is that it’s one of several vendor management best practices. The longer answer? It’s just too costly to leave vendor risks to chance. In fact, a Deloitte report revealed organizations are more likely to face a ‘high impact third-party incident’ if they haven’t invested in managing vendor risks. Here are some of the risks that VRM can tackle.
Companies are using more SaaS products than ever before. A recent study by Zylo found that most companies add an average of eight applications per month. Exacerbating matters is the ease of acquiring a new application. In most cases, you can sign up for a new SaaS application with just a couple of clicks and a credit card number.
This has led to what is known as Shadow IT: employees acquiring software and services outside the ownership or control of the central IT organization. As companies grow, so does the number of SaaS applications required to sustain the business. Finance teams struggle to manage the sheer volume of SaaS vendors, and even worse, IT departments face an uphill battle securing a constantly growing cloud-first environment.
Environmental, Social, and Governance (ESG) risks are growing every day. Vendors who are irresponsible with sustainability, product sourcing, the environment, and industrial relations laws can open you up to myriad dangers. CFOs increasingly have their eyes on ESG, and ‘Green IT’ is adding to these considerations. For example, businesses that still rely on their own data centers are now being encouraged to migrate to the cloud, both to tamp down energy costs and to limit the risk of climate damage to data centers.
Relying too much on a single vendor or set of vendors in one country or geographic region can be a big source of risk, too. VRM is not a replacement for a detailed vendor management strategy, although it can inform that process. For example, many tech-focused businesses engage developers in regions as diverse as Eastern Europe and Southeast Asia. Good VRM can help you identify potential repercussions from natural catastrophes, pandemic outbreaks, and geopolitical upheaval that can impact your company's reputation if it leads to service disruption.
Unfortunately, there is always a possibility a third-party vendor will break a law or regulation. Compliance rules have become more complex, and many organizations have spent more money to ensure they don't break the law. The Bank Secrecy Act (BSA) and the Office of Foreign Assets Control (OFAC) are just two areas that may apply to your vendor relationships.
Information security (infosec) and cybersecurity matter, too. Even before many firms switched to remote and hybrid work, businesses had come to depend more and more on VPNs, cloud software, and sensitive data sharing. Data breaches, ransomware, and malware are all problems that are here to stay.
For finance teams and SMB owners, most of the vendors you turn to are tasked with managing sensitive customer data, maintaining infrastructure or applications, and ensuring service uptime. As a result, you need a framework to assess their security and regulatory compliance capabilities and determine what (and where) your risk exposure is.
And you need that framework even if the vendors aren’t technically engaged by the finance unit itself. This is why it's worth setting up a dedicated vendor risk management program. Follow these steps to establish your own VRM program.
Start by creating a risk assessment team.
This can keep risk management costs in check, especially if the fractional CFO’s risk areas are mapped to financial automation software.
Risk managers recently identified the ‘lack of pre-contract due diligence’ as their biggest challenge when managing third-party vendor risks, according to a 2021 report from Prevalent.
This is why contract lifecycle management — the process of proactively and consistently managing your contracts — is so important. Just as it can help you manage vendor negotiations and rein in vendor spending, so too can it help you stay ahead of common risks and move away from high-risk vendors.
Contract lifecycle management can help you set out your approach to the negotiation process, and your review and approval procedure. It will also set out how contracts are preserved and monitored.
Ideally, during the onboarding process you should be checking references before you sign a contract for services. But that doesn’t mean you shouldn’t also periodically review your existing vendor relationships with tools like a vendor scorecard, because key personnel can change, as can business models, along with your vendors’ owner-supplier relationships.
A company background check on vendors should include information such as criminal convictions of employees, bankruptcy cases, regulatory violations, corporate record verification, government sanctions, civil litigation, and social media reputation.
A key part of risk management is ensuring that your organization doesn’t bear all the responsibility for problems at a vendor, be they cyber attacks, workplace accidents, or injury to site visitors or the public. Ask vendors for certificates of insurance and be sure to do so on a regular basis. It’s not uncommon for smaller vendors to purchase insurance to clinch a large project, only to let it lapse after the initial term, leaving both your business and theirs open to the high risks the insurance was first purchased to prevent.
Payments to vendors are a key way to manage risk too. Longstanding accounts payable habits can take a while to shift, and for many businesses, there’s a temptation to actually move away from card payments as you scale. For some reason, invoices are seen as ‘safer’, even if they do slow down payment processing and collection time frames.
In fact, card payments can help you manage the risk of vendor overspending, by giving you the ability to limit spending on certain vendors or entire categories of vendors. Importantly, you can then also identify where vendors are being paid for services that are no longer fit for purpose.
A vendor risk assessment is a thorough review of the products, supplies, and services a vendor provides to your business. By assessing vendors for risks, finance teams can prevent problems before they arise by checking whether the vendor may later expose the business to legal or security problems, or damage the organization's reputation.
Here’s a simple run-through of how to carry out a vendor risk assessment:
A risk assessment scorecard can help you rank any likely risks by their level of potential impact. The criteria and metrics the team uses should be based on the type of business you do, your priority areas, and customer expectations. Ensure that you use this scorecard for each evaluation you do so that this workflow remains consistent and transparent.
Here you should examine criteria such as what the vendor does for your organization, how important they are to it, where they are located, what data they handle, and any potential hazards they pose. Cross-reference vendor lists from your AP department and procurement team to ensure you have a complete list, and update this data regularly.
Once you have this list, you can then categorize your vendor networks correctly by speaking to the business units that engage them. Using a questionnaire, they can help confirm the vendor's location, whether or not their products or services are mission-critical, how much sensitive data they manage, and whether or not they'll have access to your computer network. For example, your business may have categories for insurance companies, accounting services, marketing consultants, and law firms.
Now, you can assess each vendor at the company, product, and service level. A two-tiered approach to this risk assessment process will help you catch any gaps, vulnerabilities, and potential operational risks, further improving your company’s ability to choose the right vendor. To do this:
In rare circumstances, you'll need to conduct an on-site audit to get a more detailed assessment. Although on-site audits may be required for certain types of vendors when external regulators demand a yearly in-person review, consider broadening that pool to include other mission-critical partners who aren’t covered by the regulatory umbrella.
Despite the intricacies of vendor risk mitigation, 42 percent of professionals are still using spreadsheets for activities like vendor risk assessments, according to the Prevalent report. A third of people surveyed for the report said they were dissatisfied with or uninterested in this approach.
Finance automation is one way to address this dissatisfaction and make VRM more structured. Ramp, for example, can help you set up vendor-specific virtual cards to control spending and prevent shadow IT with simpler vendor approvals. With these cards and approvals in place, you can protect your business should you decide the vendor relationship has gone awry. Learn more about Ramp today.