Vendor management has become increasingly important in data protection and privacy programs. It only takes a review of the most recent amendments to the Health Insurance Portability and Accountability Act (HIPAA), in which subcontractors are specifically addressed and held accountable by the U.S. federal government, to understand the heightened fervor. Additionally, with software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) becoming standard options, if not ubiquitous ones, oversight is no longer a luxury; it’s a requirement. Just recently, the Los Angeles County supervisors voted that any third-party contractors will be required to encrypt electronic sensitive information as part of their contracts.
This new series will present eight elements of a successful vendor-management program and a checklist to help you, the privacy pro, to manage an effective program. Sometimes themes can help us remember information, so for that reason, we’ll use the solar system to guide us through this series: Picture your company as the star around which all vendors revolve—outer space was so much more appealing than an oceanic theme where sharks circle.
Here’s what to expect:
1. Mercury: Why Have a Vendor Management Program?
As the messenger to the gods, Mercury is a fitting representative for the laws, rules, regulations and industry standards that speak to having an effective vendor-management program.
2. Venus: The Internal Elements
Without your internal teams on board with an effective vendor-management program, your program will burn and become toxic. But when it works correctly, your internal team can be the brightest spot in your program.
3. Earth: Risk Assessment
It’s essential to evaluate vendors and their risks in the real world as well as to balance those risks, all while taking a global, holistic view.
4. Mars: Pain Points
The red planet serves as a signal for danger, such as consultants working on-site vs. off-site or outsourcing to vendors located in countries rife with corruption.
5. Jupiter: Contract Provisions
Perhaps the largest hurdle in our vendor management program is the contract piece.
- 5a. Contracting with cloud providers is such a big segment of this part, we’ll consider cloud providers as one of Jupiter’s largest moons. Look for a special segment on cloud providers from Oracle’s Pedro Pavón, CIPP/US.
6. Saturn: Ongoing Monitoring
We like Saturn for the rings that wrap around it, similar to the monitoring and ongoing due diligence that we must wrap around our vendors and vendor-management programs.
7. Uranus: Data Breaches
So much of this planet reminds me of breaches: how they are discovered (accidentally sometimes), how they are addressed and how companies proceed afterward.
8. Neptune: Ending the Relationship
Like Neptune, the termination of a contractual relationship may be overlooked until the end, may happen faster than the speed of sound and be a rocky event.
9. Pluto: A Checklist
Pluto is not really a planet, but it is a good body to know.
Chapter One
Mercury—Why Have a Vendor Management Program?
It seems the idea of vendor management is a ubiquitous one, regardless of how ineffective or nonexistent one’s vendor-management program (VMP) may be. The 2014 Vendor Risk Management Benchmark Study by Shared Assessments in collaboration with global consulting firm Protiviti found that vendors fail to meet vendor risk-management guidelines and do not invest in the resources to meet best practices despite the current regulatory environment. There are numerous reasons to have an effective VMP, none of which are mutually exclusive. In fact, being successful on one front might see contemporaneous success on additional fronts, perhaps even unexpectedly beneficial.
The reasons to have a VMP fall into several large categories: legal obligations, corporate success and fiscal stewardship.
- Legal Obligations
In many cases, the laws or regulations that govern any given industry require that you manage third-party risk. One of the more well-known examples is mandatory oversight of business associates under HIPAA and, more recently, downstream business associates as provided under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Similarly, national banks and federal savings associations must maintain oversight of third-party relationships, as provided by the Federal Reserve Act, implemented in 12 CFR 223. Various other laws and regulations also require vendor management, such as in the case of the U.S. Food and Drug Administration, which requires oversight of quality vendors, and Massachusetts’ law 201 CMR 17, which provides standards for the protection of personal information of state residents.
Global companies that are interested in cross-border transfer of information out of certain countries must also pay attention to outsourcing. The data protection regimes in Europe require controllers to provide direction to and monitoring of their data processors. Additionally, acceptable mechanisms for cross-border transfers of data—including binding corporate rules and the EU-U.S. Safe Harbor agreement—require companies to have adequate assurance that onward transfers of personal data will be protected by those providers and vendors. This level of assurance is also required in many of the new laws in the Asia-Pacific region, including the Australian Privacy Principles and Hong Kong’s Personal Data Privacy Amendment.
Contracts may also require oversight of subcontractors. If you are required as a vendor to destroy or return information at the termination of a contract, you must exercise diligence over your subcontractors to assure that any information shared with them is also returned or destroyed. If you identify your legal responsibilities early, you can quickly identify which vendors impact particular activities.
- Corporate Success
Oftentimes, outsourcing is done to supplement a company’s own abilities, either for internal operations or the product or service it’s selling. A successful vendor becomes a partner and can help execute on corporate goals, be they internal or external.
If you are contracting out for particular services to manage internal operations, such as human resources, payroll, risk management, legal or financial, then proper oversight of these vendors is required for the proper and ethical management of your own company. You can always delegate authority, but you cannot delegate accountability. These vendors may possess an expertise that you do not and may be able to provide it in an efficient and cost-effective manner, but it still means that you owe it to your employees, your management and your board to exercise proper oversight.
Externally, most companies probably fit into a larger scheme. The services or products they sell supplement another company’s efforts. If you are the first tier, then it is your name on the contract with the responsibility for service-level assurance or a certain number or quality of widgets. If your vendors are not able to deliver on time and with the expected performance level, then your business may be in jeopardy.
- Fiscal Stewardship
In many ways, a VMP is financially responsible. Properly organizing and executing a VMP protects your corporate outsourcing investment. Vendors can be assessed at inception for varying levels of risks and capabilities and placed on a review schedule. Evaluating vendors on a regular schedule according to defined parameters builds in predictability, establishes expectations and identifies problems early. Reaction time costs money.
An effective VMP can help you understand, manage and control cost. Centralizing the process helps spot where economies can be made either by leveraging for best price or eliminating duplicate vendor types. Over time, vendors become strategic partners based on proven practices, accountability, responsiveness and integrity. If successful, you can avoid some of the costs of constantly replacing vendors. Although a VMP can be time-consuming and take some effort to implement at an effective level, once going, it really provides a solid return on investment.
In the next installments, we will discuss elements of a successful VMP. Each of these elements can exist without being within a consolidated VMP. If you need to improve or learn about each one of these, please take what knowledge you can. However, if you want to build an effective VMP, then take each of these elements and consider how they would fit together in your organization.