The board’s role in assessing vendor risk

And why it could be a riskier prospect for private companies

The evolving challenges in our world today create increased risk in many business relationships. The news is full of high-profile examples of vendor crisis situations causing reputational and financial damage to businesses and exposing personal data of customers. Boards need to ensure their view of enterprise risk management specifically includes the appropriate level of governance oversight into vendor risk.

While the concept of what defines a vendor is sometimes narrow, the reality is a vendor, from a risk management perspective, includes any outside-the-company relationship that may cause reputational harm or a significant business interruption. With this understanding, the definition of vendors is wide and may include joint ventures, law firms, affiliates, insurance brokers, strategic partnerships, distribution agents, fourth parties and other nontraditional suppliers.

The range of risks is also wide – and under COVID-19 it has further widened due to:

• Reactive and uncoordinated responses to vendor disruptions
• New risks from vendors because of work-from-home situations
• Technology providers unable to handle heightened demands
• Limited business continuity and disaster recovery reviews

Applying an appropriate level of vendor risk management (VRM) is essential in a crisis as well as under “normal” circumstances, and doing so requires a recognition of the challenges. Vendors are frequently trusted to execute critical business functions, sometimes relying on other vendors without the organization’s awareness. Vendor risks can be escalated through offshoring in the global economy, increased compliance requirements, geopolitical and social responsibility complexities and overwhelming technology demands. Additional pressure for many industries comes from increased regulatory scrutiny of vendor management.

While vendor management may be a specific area public companies cover in the status of their financial reporting of internal controls under Sarbanes-Oxley, in a looser control environment of private companies, VRM may be lower on the priority list. Internal audit functions are optional for private companies, which may also contribute to higher risk. Further, with many private company boards comprised of founders, family and non-independent insiders, risk factors could increase due to the absence of specific skillsets and lack of an independent mindset on the board.

Here are key points private boards focused on the oversight of vendor risk management should consider:

1. Be aware of common VRM challenges and ensure the enterprise risk function has them covered:

2. Ensure from an executive standpoint there is:

   • A compliance view - due to lower compliance requirements, rigorous vendor assessments are looked at as a cost vs. investment decision
   • A risk view - seeing the aggregate impact of vendor risks in critical business operations, including identifying risk concentrations in multiple business functions that could amplify overall risk
3. Ask if there is a robust and documented process for vendor relationship management, which would include:
   • How new and existing vendors are evaluated
   • How spend gets allocated
   • Who gets invited to a bid – both for approving vendor lists and ensuring due diligence in approving new vendors
4. Ideally, all companies would have a risk committee, which regularly evaluates the vendors and assigns levels of risk. But some private companies don’t have the financial wherewithal to support an internal risk committee. So, if a risk is identified and a company doesn’t have the internal resources to manage the particular risk state, consider hiring a third-party consulting firm to do it.
5. Establish a strong governance model with senior management awareness and executive support. Ensure the business’s risk-domain stakeholders drive accountability and outcomes and there is collaboration internally across first and second lines of defense.
6. Ensure a practical implementation plan is developed that delivers business value and that provides management support and guidance from a team of experts in risk domain, procurement and contracts and compliance.
7. Confirm a risk-based approach is taken in determining which third parties to evaluate -- for instance, focusing on third parties that access, store or process sensitive data.
8. Create efficiency through technology with governance, risk management, and compliance applications to manage third-party risk management workflows and reporting program requirements.
9. If the business is building a new vendor-risk management process, inquire if the management team is leveraging already produced models and processes, such as vendor inventories, risk models and taxonomies defined by enterprise/operational risk management, control frameworks, and issue management tools.

10. While all companies are facing new and different risks under COVID-19, there are a variety of risks such as geopolitical, social movements and natural disasters which might impact a vendor’s ability to fulfill its obligations. The board’s oversight of the risk function, especially for private companies where the risks may be greater due to less regulatory mandated oversight, is especially important to make sure all bases of the risk profile are covered.