Authored by: John Romano
Vendor Risk Management (VRM) is becoming increasingly complex as more vendors provide more services, often handling sensitive data that is subject to specific regulatory requirements. Cybersecurity has been a hot topic for some time now; however, it is just one piece of the VRM puzzle. VRM is a comprehensive term that refers to all activities related to your third party service providers, including planning, due diligence, contract negotiation, ongoing monitoring and termination, that decrease business uncertainty, legal liability or negative performance. Regulators and stakeholders are putting more emphasis on holding the CEO and the C-suite accountable for the actions and risks of third parties.
Outsourcing business operations or using third parties does not absolve organizations of their responsibilities to manage risk. In response to the increase in usage of vendors, suppliers, third party administrators, and information technology partners and increased scrutiny from regulators and stakeholders, insurance organizations have been working towards developing and embracing best practices. Here are some key actions to consider in improving your VRM process:
Identify and inventory third party service providers
Many organizations, if asked “How many vendors do you use?”, cannot easily answer the question and do not have the information readily available. Management should be aware of the extent to which third parties are used, their interaction with consumers, and what activities they perform. Those organizations that do maintain vendor databases may find that the databases are incomplete or decentralized, making it difficult to compare and consider all vendors and their related risks.
An effective database should be centralized and should include all of the third party vendors engaged, a summary of the services provided, key contacts, and contract renewal dates. Consider conducting an enterprise-wide survey to validate current databases or to build your central repository.
Identify vendor risks
After completing your repository, develop a catalog of the key risks each vendor poses. The identification process may prove invaluable: if conducted with key management and staff, the exercise usually surfaces risks that had not initially been considered and prompts conversation about the true risk mitigation activities.
Conduct a stratified risk analysis
There are many different methods of conducting a risk analysis, and there isn’t a one-size-fits-all approach. Your risk analysis will depend on your organization’s extent of vendor use, compliance requirements, and available resources. In conducting a risk analysis, management should consider both vendor risks and service risks, including:
- Volume of financial transactions processed
- Business impact of vendors not meeting performance standards
- Compliance and regulatory risks
- Consumer facing impact
- Financial impact and cost of service
- Location of the vendor
- Previous data or security breaches
- Extent of outsourcing performed by the vendor
- Performance history
After considering vendor and service risks, a simple stratification process should identify your low-risk, medium-risk and high-risk vendors. The risk stratification should be updated periodically and reviewed more formally on an annual basis. The resulting tiers then determine the level of ongoing due diligence each vendor receives.
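As an added illustration (not from the article), the following constructed scoring model rates a vendor on the factors listed above, stratifies it into a low, medium or high tier, and maps the tier to a formal review cadence. The factor weights, tier thresholds, review intervals and sample vendors are all assumed values for the example.

```python
# Added illustration, not from the article: a weighted scoring model that
# rates a vendor on the listed factors and stratifies it into low/medium/high,
# which then sets the ongoing due diligence cadence. All values are assumed.
FACTOR_WEIGHTS = {  # weight per factor; ratings run 1 (low risk) .. 5 (high risk)
    "transaction_volume": 2,   # volume of financial transactions processed
    "performance_impact": 3,   # business impact if standards are not met
    "compliance_exposure": 3,  # compliance and regulatory risk
    "consumer_facing": 2,      # consumer-facing impact
    "financial_impact": 2,     # financial impact and cost of service
    "location": 1,             # location of the vendor
    "prior_breaches": 3,       # previous data or security breaches
    "subcontracting": 2,       # extent of outsourcing by the vendor
    "performance_history": 1,  # performance history
}
MAX_SCORE = 5 * sum(FACTOR_WEIGHTS.values())  # 95 with the weights above
TIER_UPPER_BOUNDS = (("low", 40.0), ("medium", 65.0))  # above 65 -> "high"
REVIEW_INTERVAL_MONTHS = {"low": 36, "medium": 24, "high": 12}  # assumed policy

def risk_score(name, ratings):
    """Weighted sum of ratings normalised to 0..100; every factor must be rated."""
    total = 0
    for factor, weight in FACTOR_WEIGHTS.items():
        rating = ratings[factor]  # KeyError if a factor was left unrated
        if not 1 <= rating <= 5:
            raise ValueError(f"{name}: {factor} rating must be 1..5")
        total += weight * rating
    return round(100 * total / MAX_SCORE, 1)

def risk_tier(name, ratings):
    score = risk_score(name, ratings)
    for tier, upper in TIER_UPPER_BOUNDS:
        if score <= upper:
            return tier
    return "high"

def stratify(vendors):  # name -> (score, tier, months between formal reviews)
    out = {}
    for name, ratings in vendors.items():
        tier = risk_tier(name, ratings)
        out[name] = (risk_score(name, ratings), tier, REVIEW_INTERVAL_MONTHS[tier])
    return out

SAMPLE_VENDORS = {  # constructed ratings for two hypothetical vendors
    "Claims TPA": {"transaction_volume": 5, "performance_impact": 5, "compliance_exposure": 5,
                   "consumer_facing": 4, "financial_impact": 4, "location": 2,
                   "prior_breaches": 4, "subcontracting": 3, "performance_history": 2},
    "Office supplies": {"transaction_volume": 1, "performance_impact": 1, "compliance_exposure": 1,
                        "consumer_facing": 1, "financial_impact": 2, "location": 1,
                        "prior_breaches": 1, "subcontracting": 1, "performance_history": 1},
}
```

Running `stratify(SAMPLE_VENDORS)` places the claims administrator in the high tier with a 12-month review cycle and the office supplier in the low tier with a 36-month cycle.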
Develop a consistent approach to due diligence
Due diligence activities may vary depending on the type of vendor, the information the vendor has access to or is processing, compliance requirements, and the availability of competing providers, among other factors. The due diligence process for vendors should be defined, consistently applied across business units, and automated where possible. Most companies operate in a decentralized environment where the business units manage the due diligence process for the vendors they oversee. In this type of decentralized environment, a robust platform and standardized templates that can be easily modified are key to managing and assessing the due diligence process at an enterprise level. The approach should also be objective. Management should ensure that those performing the due diligence review are separate from and, ideally, independent of the requesting function. Limited resources may make an independent review challenging; if that is the case, the department completing the due diligence reviews should have someone from outside the department review the reasonableness of the results. A risk-based approach, as indicated above, should drive the level of due diligence performed. Due diligence should be reasonable: too much paperwork will result in “robo stamping” of approvals or delays in completing transactions, and too little may result in inconsistent processes. Assess your organization’s culture and needs and apply the risk-based approach to due diligence to make the most efficient use of resources.
Ensure the contract process is understood, consistent, and includes protective clauses
The first important step in the contract process is to actually have a consistent process for managing contracts. Your contract manager, with assistance from business unit managers, should establish a process for embedding performance indicators within contracts, including contract review criteria and schedules consistent with the established indicators. While establishing risk and performance indicators is considered best practice and sits higher on the VRM maturity scale, your organization can take a step in the right direction by establishing or improving your contract exception and review processes. For example, the exception and review process should address questions such as: when is a contract required for services, when must the contract be reviewed by legal, is there a fast-track process for pertinent and timely business needs, and is there a remediation process to address contract deficiencies?
As discussed above in inventorying your vendors, the contracts for most vendors originate with the vendor, so the clauses included are usually in the vendor’s favor. While it is current practice to accept vendor contracts as-is for certain services, for those services involving managing general agents and third party administrators your organization should ensure that key clauses are present, such as errors and omissions coverage, general liability insurance, right-to-audit clauses, and other indemnification clauses as necessary. Most importantly, contracts should require mandatory IT and security standards, and/or business associate agreements should be signed by each engaged vendor with direct or indirect access to company property and data.
Consider which governance model effectively serves your culture
Depending on your resources and culture, it may prove better to adopt a decentralized, centralized, or hybrid governance model. A centralized governance model means that a department or dedicated personnel are responsible for vendor risk management. A centralized governance and procurement function leads to more control, consistency in processes, flexibility, and a more holistic view of vendor risk management. However, the business focus can be lost with centralization – ‘they just don’t understand my needs’ becomes the business user’s catchphrase when describing procurement. Furthermore, in large and complex organizations, centralized procurement and VRM can lead to the department itself being viewed as a cost center, with too much data and competing priorities. A decentralized environment may have a corporate procurement function, with the business units or departments being responsible for vendor contracting, risk management, and monitoring. We have observed that once an organization has a decentralized VRM function, culture can become a formidable force against change to a centralized environment.
If you currently operate in a decentralized environment, instead of trying to change the organization structure, focus first on creating a robust platform for vendor risk management. Work towards automating processes, developing templates, and creating accountability through flexible formalization. Flexible formalization means incorporating policies and procedures and adjusting the required templates and protocols for certain departments considering business needs and applicability. Identify a dedicated point person to be involved in the vendor risk analysis compilation and due diligence review function, while leaving the decisions and vetting to the department relationship managers.
Improve tool sets for management reporting and workflow
Most companies use simple spreadsheets to track their vendor inventory and conduct their risk analysis. For centralized and decentralized environments operating with only Microsoft Excel or other spreadsheet tools, your organization should consider taking the next step in maturing your VRM process by implementing team collaboration infrastructure that can serve as the repository for vendor contracts, with team sites developed to support decentralized environments. Workflows can also be created to expedite approval processes and reduce paperwork. Many service options offer these functions, with the focus being collaboration and efficiency in the inventorying, contract management, risk analysis, and workflow aspects of your VRM process.
Develop a VRM policy
While you are working on each aspect of your VRM program as listed above, your organization should be drafting a VRM policy with input from key department personnel. The policy should be aligned with your organization’s strategy and approved by executive management. The vendor governance policy and procedures should address the following:
- Definition of vendor
- References to other internal and applicable policies (system access, accounts payable, general expense, etc.)
- Vendor inventory (master list by department) requirements
- Due diligence
- Risk assessment
- Management oversight and supervision
- Performance metrics
Today’s insurance organizations should evaluate their current third-party due diligence and VRM programs in the context of a risk-based framework that incorporates attributes of consistency, management oversight, objectivity, and reasonableness while working towards making improvements over time.
For more information on this topic, or to learn how Baker Tilly insurance specialists can help, please contact our team.