In this, the third installment in this series on managing a quality vendor-management program, we look at risk management.

When a part of the business is outsourced, the business retains accountability. While you can delegate authority, you can't delegate responsibility. Risk management is critical and starts at the moment that a determination is made that something requires spend—be it people or technology.

Early Considerations: A Risk-Based Approach

There are stages to the life of a vendor with the end-goal, in many cases, to establish a long partnership. While most would start with performing due diligence on potential vendors, I recommend starting two steps before that.

What do I mean?

First, you need to know what accountability applies to the business and create a risk framework. Map this framework to your business activities. Some areas of this framework are easy to identify and map, and some are not. As a practical tip, it is nearly impossible to categorize all risk. But at the very least, identify the activities of your business that are regulated, build that framework and map those activities. You’ll find that many regulated activities have frameworks readily available online.

For the purpose of this series, we are focusing on risk that applies to personal data. Thus, you can easily find frameworks related to local, national or global data protection. (For example, from the FTC, from the U.S. Government and Accounting Office; from Nymity, from APEC, from the National Institute for Standards and Technology, or the Organisation for Economic Cooperation and Development.)

Next, have a decision-making process on what steps should be followed when contemplating using a vendor. The process can be centralized into one business unit that owns risk; it could be decentralized completely out to the departments that own the relationship and the risk, or it could be a hybrid. Many companies seem to use a hybrid model with a rules-based risk management approach. If the hybrid model is used, keep in mind what we discussed in the last installation of this series about how centralization of vendor management helps streamline resources.

Identify categories of data that require various levels of review if that data is being shared outside the business. These categories could be based on whose data is involved, e.g., employee, customer, patient, student, minors; where the data originated, e.g., country, U.S. state, another company, or whether the data is regulated or public. You may decide that any data within a certain database is all on one level of protection, or you may decide to be more granular and protect fields within the database.

Also consider the scope of the vendor’s authority, i.e., one-time widget supplier vs. becoming the company’s agent.

Using the risk-based approach, determine what and how much data is collected along with how many, who and what levels of personnel review the data. You should also evaluate the potential reputational impact a vendor can have on your business along with how the vendor fits into the overall strategic plan.

 Due Diligence

Once you have your framework and have done your data-mapping, determine what triggers due diligence and at which levels. Due diligence should be performed consistently and at a level that matches the risk.

Low-risk vendors—and this doesn't mean not low-cost; remember that free services may often be the riskiest—may rate a due diligence checklist that the departments can manage on an individual level. Determine if you want these to come to your department for record-keeping or if there is a hands-off directive with low risk. Do not forget that you will need to monitor the low-risk process to ensure it works properly.

Medium- to high-risk vendors will require a more active process. This process can still be delegated, but the amount of delegation, oversight and decision-making will all depend on the risk management process you adopt. The level of data depends on the level of risk. Determine what data needs to be collected and how that should occur. A simple due diligence may be satisfied by an online search for publicly available information such as public vendor information or policies, a basic questionnaire to the vendor and the terms/license agreement/contract. A more extensive collection might include online searches such as relationships, owner/executive histories, detailed questionnaires, interviews or submitted proposals per a detailed request.

Once data is collected, it should verified and reviewed. Using the risk-based approach, determine what and how much data is collected along with how many, who and what levels of personnel review the data.

You should also evaluate the potential reputational impact a vendor can have on your business along with how the vendor fits into the overall strategic plan. Educate employees on how to identify red flags and the importance of those red flags. Manage expectations upfront so when/if a vendor is found to be wholly unsuitable, the business owner is able to move to a second plan.

Decisions

Deciding on whether to use a vendor is just as important as deciding which vendor. Oftentimes, departments have one vendor in mind, and sometimes there really is only one vendor offering that widget or service. Or, individuals become invested in their proposed vendor. You may not be aware of the pain point that is driving the decision, but if the risk is determined to be high, who makes that call? If the choice is between various vendors, your input should be one of the factors that the decision-makers use.

If you determine the risk is too high on a particular vendor, how do you mitigate it?

If the business makes a decision with the risk identified, mitigation is required along with documentation. Some businesses prefer that risk not be documented, especially if that decision is made against the advice of counsel or compliance. I believe it should be documented to show how risk was balanced with the business need and, where possible, mitigated.

Mitigation can be included in contracts, but someone must then track the time frame and evaluate the results. Mitigation can be required before a contract is signed, which causes delays. Delays are never a problem, right? Business always brings us these decisions with plenty of time to do appropriate due diligence, vet competitors and implement mitigation. (Can you sense the sarcasm?)

Along with mitigation, there should be breakpoints. At what point is the decision made to not use the vendor and, again, who gets to make the call?

Ongoing Risk Management

Other than a one-time widget supplier, companies should work on building ongoing relationships with vendors. We discussed this a little in the first installment of this series.

Ongoing management is also risk-based. Many relationships are managed based on that relationship, and risk is not often a consideration. Vendors may merit periodic reviews, onsite visits, desktop audits, phone interviews, etc.—essentially the same as initial due diligence. With ongoing due diligence, pull the agreements and check performance and any mitigation that was placed in the contract.

Monitor the vendor and the risk. Initiate increased controls or review based on applicable new standards, laws or requirements. Monitor the risk-management process, especially if departments own due diligence and the decisions. Ensure there is a clear line of escalation.

Lastly, ensure that employees understand the significance of due diligence and enforcement of vendor behavior.

 In Conclusion: Two Practical Tips

  • Tools: Throughout this entire process, tools can be beneficial. There are tools for privacy impact assessments, risk frameworks, contract management, accountability and more. Not everyone can afford the latest, greatest and most robust tools. Do your due diligence on tools as well. I have never found a privacy office with unlimited resources, time to spare or where all risk is properly managed and monitored, so I believe firmly that there are tools, however simple they may be, that are helpful to us all. One of my favorite simple tools is fill-able PDF forms.
  • Real World: Keep in mind that we all operate in the real world. Take a practical approach to risk management. Your keen insight into the business process will make you invaluable to the departments while your knowledge and skills will keep the company out of trouble.

Tune in for the next installment: Mars: The Pain Points. The red planet serves a signal for danger, like consultants working onsite vs. offsite or outsourcing to vendors located in countries rife with corruption.