Venus: The Internal Elements
Without your internal teams on board with an effective vendor-management program, your program—like the planet Venus—will burn and become toxic. But when it works correctly, your internal team can be the brightest spot in your program.
In this series, we are addressing elements of a successful vendor-management program. Last month, we looked at the reason to have a successful program. This week, we look at the crucial internal elements, which always start with a strong vendor-selection process. However, companies often confuse what should be simply the beginning of a process with the whole process, mistaking the tree for the forest. Selection is just the first step, albeit an important one. Even before you talk of vendors, examine how the determination is made that something requires spend, be it people or technology.
Identifying Entry Points and Bottlenecks
Every department has the ability to spend money. For this element of the process, we focus on how vendors enter the system. There are many entry points, and it may feel overwhelming to control every one—which conceivably means controlling every employee. We all have had or will have the experience of identifying a mystery vendor that no one except the one person interacting with that vendor even realized was being used. This often happens with a negligible spend amount that an employee can expense under the radar, or even at no cost at all.
A common mystery-vendor situation arises, for example, when a survey vendor offers free personal accounts. Employees may sign up for the vendor at no cost, own the rights to this account and use it to survey a population. The complications of such an occurrence are staggering: trade secrets exposed without contractual corporate protection, potential PII breaches, or alienated former employees still using the account, with personal data like customer email addresses still available to them.
Thus, your entry points are every single employee, and there need to be clear, robust processes to address this.
Meanwhile, how do you monitor every entry point? You cannot. Therefore, you need to identify bottlenecks. These are easy to find: Listen for the complaints. Bottlenecks are the parts of a process that get backed up, slow down the process or even bring it to a halt.
Common bottlenecks are purchasing, accounts payable, legal, regulatory and IT/info-sec.
But bottlenecks are your blessing in disguise. Get these departments and people on your team. Make sure they understand the problem, the need and the solution. If they work together, they can be your brightest spots to a successful vendor-management program. If they don't, your program will have challenges.
There is still the issue of rogue employees and mystery vendors, but with thorough education, a robust process, collaboration points and consistency, you can eliminate the majority of mystery vendors.
Vendor Selection Process
Many organizations have a formal process for selecting vendors, including thresholds for seeking legal review or soliciting formal proposals. Much of this selection process will be covered in the next chapter on risk assessment, but we can highlight basic processes here.
For small spend in particular, the selection process may be incredibly simple. This does not mean the selection should be rubber-stamped. Even free vendors, as in the case of free survey-service accounts, should be appropriately reviewed for privacy risk, among others. In fact, some of the least expensive spends offer the greatest risks because, as mentioned previously, they may slip through the system so easily.
Establish the thresholds for approval for spend limits, legal contract review, vendor vetting for regulatory requirements and formal requests for proposals. Privacy review is a key element for establishing thresholds. Even if a contract does not require multiple approvals, competitive sourcing or legal review, it might still have privacy concerns. Services or product vendors that might not trigger thresholds or reviews but can certainly introduce privacy risks include free file-sharing services, USB drives, social media and backup apps for cell phones.
Your selection process needs to be clear that if any service or product is to be used, regardless of the amount of spend involved, a privacy review of some level must occur, even if the review is that there are no privacy concerns. Despite how simply these words flow, it is not an easy undertaking.
Your Privacy Champions
Essentially, as mentioned above, every employee, from executives on down and across the organization, is on your extended team. Educate. Process. Review. Repeat.
Your bottleneck collaboration is your closely held team. These individuals should identify where a privacy review is needed. Our process for purchasing includes a vendor categorization for FDA purposes (critical supplier) and one for privacy (public, confidential or sensitive data). These forms are completed for every vendor that comes through purchasing. This is an educational process, as I—as global privacy officer—have to sign off on each one, but it also teaches the purchasing team why a vendor was categorized a certain way. This task could be delegated to a well-trained purchasing team with a process for monitoring.
Accounts payable is part of this team and should catch those vendors that are expensed rather than put through a purchasing-authorization process. This part is a little more of a challenge, as the vendor has already been paid and the description may not set off alarm bells. Specific role-based training for the accounts payable team is advised, along with the use of known examples. Understanding is key. Operating strictly from a list of orders without understanding the impact or rationale is a recipe for disaster.
Your immediate team is your privacy colleagues and could include affiliated colleagues such as legal or info-sec. These team members can alert you to potential issues and vendors, hopefully before the vendors are contracted. I find that having a simple privacy impact assessment goes a long way in reassuring colleagues of the thresholds that require action.
For example, marketing: Our running joke at Align is the threshold for involving the privacy office is whether the project or task involves nonpublic information on individuals; that is pretty much everything marketing does. So what is their threshold? We developed common scenarios to use as preapproved activities as long as certain steps are taken.
This process works for nearly all departments and all organizations. Organizations differ in the size of their risk appetite and ability to ingrain privacy in all nooks and corners. So develop your privacy champions. Individuals in all departments at all levels can be educated and tasked to be the privacy eyes and ears to make sure routine activities follow preordained paths and activities that push the envelope are evaluated and perhaps escalated.
Your internal team can be the brightest spot in your privacy program, when educated and utilized intelligently.
Look for chapter three in this series in the next edition of The Privacy Advisor.