Third Party Vendor Management: Oversight Vs. Accountability

Organizations enter into agreements with a variety of third party vendors to support operations and expand their supply chain. However, companies must provide oversight of these entities to make sure they are in compliance. Data protection and information security are priority initiatives as technology becomes a mainstay in business. Industries using a high number of third party vendors—such as finance, healthcare, and transportation—may be overwhelmed by the amount of work required to oversee the supply chain. Often, a few individuals within a single department are tasked with reviewing processes and third party risks. Questionnaires are helpful but are time consuming to review and may be unreliable sources of information.

What can an organization do to manage third party vendors and ensure compliance? By relying on industry best practices to guide decision-making and monitor third party risks.

When Oversight is Overwhelming

As organizations adapt to a wider array of third party vendor relationships, oversight can become a daunting task. This is especially true as companies scale up and enter into a diverse supply chain. In the digital age, cybersecurity has become a predominant concern.

There are countless examples of when incidents occurring at a third party have resulted in devastating impacts for businesses. These include security breaches within the supply chain, private information being stolen, and company fraud. There is less accountability in monitoring third party risks than the internal processes within the organization. Many organizations don’t have effective controls in place but want to promote transparency and accountability in their relationships.

Ensuring Accountability

A critical piece to digital security is knowing how data flows outside the organization and how it is used. To reduce the amount of labor providing oversight and tracking for third party vendors, companies should lean on the guidance of their industry. Industry-approved organizations can provide unbiased, quality control standards for third party vendor relationships. Instead of trying to manage it internally, require third parties to meet the standards set by the industry. Use reputable resources to define the standards and maintain consistency through their input and oversight. When your company contracts with a third party, put your industry’s certification requirements in the contract. If vendors are unwilling to meet your standards, your values are not aligned, giving you the leverage to discontinue the relationship.

Make Reviews Meaningful

Companies use questionnaires to review and oversee third party vendor performance. However, these questionnaires can be unhelpful if not applied properly. It is important to note who completes the questionnaire for the vendor. Is it a sales director, a risk manager, or another department representative? Employees will provide reviews based on individual perspectives. Having the right personnel respond is key to meeting your objectives.

Consider the length of your questionnaire. Longer doesn’t mean better. Lengthy questionnaires can be expensive to print and time consuming for the vendor to complete. Questions should be relevant and specific to the organization. Choose your questions carefully so they are more meaningful to both your company and the vendor. Ask for details beyond yes/no questions for more detailed responses.

Once again, using industry-specific best practices in your reviews will help ensure vendors are compliant and performing to certification standards. Apply your company strategy to the questionnaire design for a consistent approach. Make a digital security rating part of your assessment to study trends over time and determine if the relationship should continue.

Read More

For a more in-depth analysis of third-party risks within the supply chain, download our white paper, Fraud in the Supply Chain.

1 Reply to “Third Party Vendor Management: Oversight Vs. Accountability”

Leave a Reply

Your email address will not be published. Required fields are marked *