In a recent benchmarking survey on third party risk management, 72% of respondents said they “cannot produce a complete report of all of their third parties quickly and easily.”
While many people believe this information lives in their accounts payable (A/P) system, the reality is it doesn’t. Nearly all A/P systems capture very limited information about paying your vendor, and absolutely no useful information about the myriad legal, compliance and risk obligations you need to understand and manage with the vendor.
Creating and centralizing profiles on your third parties is the only way to have the visibility, reporting and management capabilities you need to really know (and effectively manage) your vendors and other third parties. At Vendor Centric, we believe that the foundation of a solid profile requires three things.
Tracking basic corporate information about the vendor.
Knowing your contractual obligations so they can be managed.
Understanding the risks to which you are exposed so they, too, can be managed and mitigated.
Here are some additional details on each.
1. Corporate Information
The foundation of your profile starts with capturing basic information about the vendor themselves. This provides visibility into the organization as well as the people with whom you’ll be working. At a minimum, your basic vendor profile should include:
DBA (doing business as) name
Contact information (account manager, billing, help desk)
Date of business formation
Tax ID number
Special classifications (i.e. small, minority, woman or veteran owned)
2. Contract Information
Can you quickly and easily see all of the contractual obligations, terms and conditions you have with your third parties? Most organizations can’t. And that’s not good.
Contractual obligations are serious ones. They obligate you and your third parties to a variety of financial and legal requirements. At a minimum your profile should incorporate the following contractual information:
Type of agreement (master services agreement, statement of work, addendum, etc.)
Brief description of the contract
Start and end dates
Auto renewal provisions
Notification dates for termination
Service level agreements
The more data you pull out of each contract, and include in your vendor profile, the more comfort you can have in knowing that stakeholders understand contractual requirements and a contract manager is actively managing all of the legal obligations between you and your third parties.
3. The Third Party Risks the Vendor Presents
The third component of a complete vendor profile is the identification of the key risks presented by the relationship. Each third party presents a different level of risk when it comes to risk areas such as reputation, operations, transactions and information security. Identifying the risk associated with each vendor by conducting a risk assessment will provide visibility into the appropriate level of due diligence and oversight you need to maintain.
Some of the big risks you want to evaluate and capture as part of your vendor profile include:
Does the third party collect, store and/or process confidential or sensitive data (e.g. nonpublic information)?
Will they be using subcontractors or other suppliers/service providers (i.e. fourth parties) in their delivery of services to you?
Are they on any excluded parties or sanctions lists?
Are any key executives on politically exposed persons (PEP) lists?
Are there any pending litigation or bankruptcies that could impact the health of their organization?
Remember: knowing these risks only provides you with visibility. A solid due diligence process is where you’ll dig deeper into each risk area to understand what your true exposure may be, and to ensure that you’re comfortable that the risk is being mitigated. This is where you can dig into things like financial health, employment practices and information security practices.