As we discussed in the previous blog post on planning, understanding your project needs and the third-party vendor requirements in advance is the first and an important step toward successfully selecting a vendor. The second step in our third-party vendor management life cycle is due diligence. This step determines how we evaluate the bids and the vendors’ qualifications and ultimately select the vendor.
An important step in this process is to understand the types of risk your organization can encounter with this product or service, i.e., transactional/operational, financial, credit, reputational, strategic, compliance, legal or pricing risk. Once the possible risks are identified, you must determine how each is mitigated as well as how important each is to your organization.
If the arrangement were to go poorly –
- What will the impact be on the organization’s business strategy?
- What could the impact be on the organization’s reputation?
- What could the impact be on the organization’s operational risk?
To protect your organization it is important to have the appropriate controls in place such as:
- Following the RFP/RFI process, the bid evaluation allows the team to compare the vendors based on the provided information. Ideally, this will help reduce the pool of possible vendors. Once those vendors have been selected, demos, if applicable, can be scheduled to further understand the offerings. Alternatively, follow-up questions will take place.
- Following or instituting a systems development and acquisitions policy will help control material purchases. Setting buying parameters, whether by type, dollar level or area, will reduce risk and often help control spending. Often an IT Committee is responsible for overseeing IT-related purchases to confirm they comply with the network and security requirements of an organization. This is also a great way to confirm the vendor has been appropriately vetted. Preferred vendor listings are also used to reduce the number of vendors, often decrease costs through discounts, and reduce the number of vendors that require risk assessments.
- Beyond the specific product/service needs developed in the Planning stage, standard vendor questions should also be reviewed to complete your due diligence prior to selecting the vendor:
  - How well does the Third-Party address our requirements?
  - How does the Third-Party solution mitigate our risk?
  - How secure is the Third-Party? BCP/DR?
  - What is the Third-Party record with Customer Service?
  - Are contract terms fair?
  - Is the vendor’s management team tenured and financially stable, and do they have a good Strategy & Reputation?
  - Do they have appropriate Internal security & controls, Legal & regulatory compliance, and Insurance coverage?
Confirming that the vendor will meet your needs and will be a safe and secure partner brings comfort to the organization and helps establish the overall relationship. In the next blog post of this series, we will discuss the contracting process. To learn more about how RSM can assist you with your other business needs, contact RSM’s management consulting professionals at 800.274.3978 or email us.