The Evolution of Vendor Oversight in the Post-Pandemic World
Joe Sergienko and Michael Canale
It is time to accelerate innovation of the organization’s approach to vendor management.
The COVID-19 pandemic has brought about unprecedented economic disruption as companies have moved from offices to working from home. The traditional ways of working evolved rapidly, and companies are now focused on monitoring and increasing productivity from a remote workforce. Organizations are accelerating their reliance on third-party vendors, partners, supply chains and external digital services.
Therefore, it is time to accelerate innovation of the organization’s approach to vendor management.
The traditional vendor management model focuses primarily on relationship and contract management. With the advent of the Consumer Financial Protection Bureau and a general increase in regulatory focus (including the recently released OCC Bulletin 2020-10, which highlights risks from third-party cloud computing, data aggregation, FinTechs, general third-party oversight and board responsibility), the requirements for vendor oversight have expanded to include liability for how vendors meet regulatory obligations, even though the vendors themselves are not regulated entities. The resulting due diligence, periodic on-site visits, manual sample testing of transactions/accounts, complaints monitoring and information-security audits require significant internal and external resources.
Most of these tasks have been managed through spreadsheets and collaborative software, both of which are inefficient and cumbersome to administer. Now is the time to assess vendor management and implement a flexible and scalable vendor-monitoring program leveraging technology and automation.
Focus areas to review should include:
Evaluate what your program currently monitors (e.g., contract performance, strategic risk, reputational risk, compliance risk, business continuity and security/privacy). Identify gaps or areas for improvement.
Review service-level agreements to ensure appropriate monitoring of networks and devices and build familiarity around network authentication requirements and remote work policies.
Confirm your vendor’s event-notification process is in place and working (e.g., security breaches, operational disruptions, staffing/management changes and regulatory action).
Assess new areas of risk due to the post-pandemic world:
Data security: Heightened risk due to vendors working remotely; understand how data is being transferred, whether VPNs are being used and who has access; assess the risk of confidential/sensitive data being printed, captured in screenshots or cell phone pictures, or exposed through email or chat windows.
Artificial intelligence/machine learning: As automation increases, cybersecurity assessments will become more critical and complex.
Prepare vendor contingency plans and offboarding process: Businesses will be impacted by the pandemic and resulting economic fallout. You should have a contingency plan for critical vendors and an offboarding process that includes cutting off system access, disposing of data and collecting outstanding payments.
Review the time/effort and costs associated with current oversight programs. Identify areas to increase efficiencies and reduce costs.
Now is a great time to make adjustments to vendor management programs and address risks posed by the pandemic and the quickly changing business landscape. It is also time to think differently about how to administer vendor oversight and move beyond the traditional annual or semiannual reviews. Technology is available to implement continuous monitoring and surveillance of vendors, which can reduce both the risk and the cost of oversight. Below are some ideas to consider:
Develop a new vendor management group or program focused on strategic, reputational, operational, financial, compliance/legal and security/privacy risks, with the goal of reducing costs and preventing future disruptions.
Develop an industry consortium to reduce the cost of vendor oversight by combining resources, best practices and oversight efforts, so that reviews become less periodic and more targeted, leveraging data analytics and surveillance technology.
Expand monitoring beyond cyber and data to include compliance and other evolving risks, such as financial viability and business continuity status.
Develop disruption scenarios to test each vendor's ability to perform.
Leverage technology to detect reputational risk in the news, on social media and in other online sources.
If the pandemic has taught us one thing, it is that businesses can adapt quickly. Now is the time to think strategically about how vendors are used and managed, especially as they become a more integral part of operations.