If we're using the solar system to represent each chapter in this series, this chapter's planet would be Mars: the pain points.The red planet serves a signal for danger, like consultants working on-site vs. off-site or outsourcing to vendors located in countries rife with corruption.
As the fourth installment in developing an effective vendor management program, we now look at some of the challenges. There are an infinite number of challenges related to vendors, but this chapter will highlight those that seem to cost time and effort related both to new vendors and managing vendors over the life of the contract.
Contractors
If the contractors come from a staffing agency, many of the on-boarding issues should be addressed when you first contracted with the agency. However, keep in mind that agencies may work on a nonexclusive contingency basis, meaning the contracts may be managed with each individual hire rather than an ongoing contract with the agency.
There are many challenges inherent in using contractors. Some contractors may come from a staffing agency and some more directly. In both scenarios, there is the added complexity of whether these contractors will work onsite or offsite; will have remote access; will use their equipment or yours; on-boarding processes and more. Plus, contractors may fall into two buckets: pure manpower and specific skills. Additionally, some contractors may be temp-to-hire. This key difference often trickles through to how the contractors are managed.
The benefits of using contractors are numerous and include financial; performance evaluation; staffing flexibility and scalability, and less exposure to some types of employment lawsuits. But the challenges are likewise numerous and should be weighed against the benefits.
They include:
- Appropriate oversight to avoid contractors being classified as employees, and this also varies between states
- Potential government audits related to the above
- Copyright issues in works for hire
- Exposure to lawsuits for injuries on the job (no workers’ comp, remember?)
- Termination via contract terms
- Privacy and data protection concerns (especially if off-site or remote)
- Passing through/down contractual terms (downstream business associates), especially if you negotiate all business associate agreements, i.e., how do you push down all the various provisions?
If the contractors come from a staffing agency, many of the on-boarding issues should be addressed when you first contracted with the agency. However, keep in mind that agencies may work on a nonexclusive contingency basis, meaning the contracts may be managed with each individual hire rather than an ongoing contract with the agency.
How do you address these issues? Embrace independence.
If you use contractors, set the expectations and permit the contractors to meet them. Have a clear on-boarding process that includes critical policies. If you provide the equipment, ensure this equipment is set up correctly with the right software and protections and include a remote-wipe ability. If they provide the equipment, ensure that the policy expectations are in the contract and, depending on how long you use the contractor, include an audit provision. It is not likely that an individual contractor comes with a SOC2 report.
Cloud Vendors
The cloud. The cloud. At this point, I can't even remember the first time I heard of this now-ubiquitous work model. At first, companies were strongly cautioned against using cloud vendors and, while that may still be true, it is nearly impossible to avoid the cloud altogether. Thus, rather than run from something that cannot be defeated, accept the potential that the cloud offers with a healthy dose of pragmatism and realism.
The IAPP defines the cloud as “the storage of information on the Internet. Although it is an evolving concept, definitions typically include on-demand accessibility, scalability and secure access from almost any location. Cloud storage presents unique security risks.”
The cloud provides infrastructure as a service (IaaS), platform as a service (PaaS) and, most commonly known, software as a service (SaaS). Most of the challenges with the cloud center around lack of control, visibility and security along with a constantly changing environment and working with legacy systems. Here is my threshold question: Where are the servers? And by that I mean the main servers, the disaster recovery and backup servers and the overload processing servers.
With all the information readily available for this particular pain point, I will not belabor it. But do look for a special installment on contracting with cloud vendors coming soon from guest expert Pedro Pavon, CIPP/US, of Oracle.
In all of these areas, your risk management processes are critical. Whether you offshore directly or your vendor does, get an end-to-end view of the offshoring in detail. Suspend your assumptions that come with dealing with vendors in your own country and never assume that something obvious to you is obvious to them.
Offshore Vendors
Offshoring work is a particularly challenging situation. As the business, you need to make sure you know if work will be offshored. Offshoring refers to the practice of outsourcing a process or activity to another country, typically manufacturing or support services. Offshoring is a big component of the challenges with cloud vendors, too.
With offshoring, you may want to take a risk-based approach. What information is being offshored, to where, via how? Some offshoring activities, such as implementing a new enterprise resource planning tool, may require a more detailed approach than other activities that are offshored.
Some of the biggest risks:
- Selecting the right vendor. Make sure to do detailed due diligence related to the risk of each specific offshore process. There are myriad legal reasons to do due diligence in other countries, such as the U.S. Foreign Corrupt Practices Act. Thus, while your due diligence may become quite complex, it fulfills various purposes.
- Scope creep. You may approve an offshore vendor for one activity and then the scope creeps with no one alerting your office. Be clear what activities were approved and when you need to be alerted for additional activities. If you have meaningful oversight in place, you should catch scope creep.
- Process/quality standards. Ensure the vendor can meet your standards. For privacy, this may involve some detailed U.S. or state privacy laws that people in other countries are simply not prepared to meet. Do they do background checks? Can they do background checks in that country? What do those consist of; when are they repeated, and do you want to see the results? Don’t just ask. Ask for proof. Trust, but verify.
- Breaches. Whether it is personal data or IP, the risk of a breach is exponentially increased. Make sure you have appropriate policies and oversight in place. Emphasize the controls and timelines required for breach avoidance and management. You can also put in place restrictions on the vendor's employees not working for competitors.
- Meaningful oversight. Do not just check a box and contract. Offshoring may require a more rigorous oversight process. As with the process and quality standards above, don’t just ask. Ask for proof. Trust, but verify. Be active in your oversight. You may need to send someone to assess the vendor in person before the contract is signed. Require external audits.
- Unrest in the country. Political and/or cultural unrest may mean trouble for your vendor and for you. Make sure your data is placed with a vendor in a stable environment.
- Laws/rules. Particularly for privacy, laws and rules vary greatly in other countries. Make sure you understand if your data now falls under different data protection requirements. If something should go wrong, do you have an avenue of action against this vendor?
- Import/export requirements. It seems overkill to add this one, but there are countries in which the U.S. has enacted trade embargoes. But also, there are countries that have prohibitions against importing of cryptographic tools, which impacts your employee visiting that country to physically review the offshore vendor’s policies in action. Your computer may be stopped at the border, e.g., China.
In all of these areas, your risk management processes are critical. Whether you offshore directly or your vendor does, get an end-to-end view of the offshoring in detail. Suspend your assumptions that come with dealing with vendors in your own country and never assume that something obvious to you is obvious to them.
Contract Management
As the last pain point, contract management is different thnt the three areas discussed above that deal with a type of vendor. Contract management is certainly a point of pain. And I don’t mean a system that stores your contracts. I mean a system that helps you manage the varying provisions of a contract.
For example, do you classify all vendors into a category for what information they handle? If a vendor handles information with high confidentiality requirements, like patient, student or credit card information, that vendor should perhaps have an annual review based on your risk profile and determinations.
If you added a mitigation to the contract, you should have a system that notifies you of due dates and criteria. If you do have a material requirement, ensure your business unit is prepared to lose that vendor if the vendor fails to meet the requirement by the due date.
Track your due diligence. This is a little beyond contract management, but when you assess a potential vendor, have a database that tracks your due diligence. This way, not only will you know why a vendor was not selected, but you will have a basis for review when the vendor arises again. Or scope creeps. Scope always creeps.
Vendor management is not a painless process, but some complicating factors, such as the ones discussed above, can be foreseen. An effective vendor management program manager does not wait to be surprised; he or she prepares for these in advance.