As discussed in the previous blog post, contracts are the formalization of the relationship. The contract determines how your organization will interact with the third-party vendor, while ongoing monitoring confirms that the vendor is conforming to the agreement.
Almost every week there are reports of breaches and failures, often involving a third-party vendor. We wonder: if we are following the process and vetting our vendors, how does that happen?
Third-party management programs often fall short in preventing or detecting contract non-compliance because:
- Contracts are not centrally located and tracked
- Employees may not have the underlying contract and/or all corresponding amendments
- Intimate knowledge of third-party existence and activities is limited to comparatively few employees
- Nuances between similar agreements with other third-parties are not understood
- Clear ownership for monitoring activities does not exist and the monitoring activities are ad-hoc and manual
- Lack of a formal process to assess changes in the third party's organization
- Notifications of non-compliance are not identified as the issues arise
So, if we know the issues, how do we fix them?
An easy example: the service level agreement states, "we promise to have x% uptime or provide x% accuracy," so:
- Who in your organization contacts the vendors?
- Are multiple locations having an issue or just one? Is the issue ours or theirs?
- Is it recorded anywhere?
- How do we know if they are meeting the agreement if we don’t know who all is contacting them?
Oftentimes, simply assigning a vendor owner will help create the control point. The owner can often answer users' questions; track the questions, response time, and downtime; report to the IT committee; and be instrumental in renewal processes. The "owner" often becomes aware of changes with the vendor, upgrades, and R&D, and becomes the point person for ongoing risk analysis.
If there are ongoing issues that can't be resolved, termination may be inevitable; it is the last phase in the third-party relationship management lifecycle. Termination may happen due to natural completion, a breach, a merger/acquisition, assignment, or the third party going out of business.
When contemplating the end of the relationship, risk considerations remain: confidential data, reputational risk, disruption of operations, and monetary considerations. Effective vendor management plans will help to offset these risks. Clearly defining the termination parameters and responsibilities in the contracting phase will now assist with the relationship in conjunction with your internal transition plan.
Third party relationship management is an ongoing cycle that continues throughout the life of your vendor and your organization. Developing your plan to clearly define your needs, conducting due diligence to evaluate and qualify vendors, having contracts that protect your organization and ongoing monitoring and termination will reduce the risk to your organization. To learn more about how RSM can assist you with your other business needs, contact RSM’s management consulting professionals at 800.274.3978 or email us