Manage Vendors, Manage Risk

Organizations must mitigate risk by continuously managing vendor relationships.

In 2014, retailer Target suffered hundreds of millions of dollars of damage because of a cyberattack. For almost three weeks during the busiest shopping time of the year, approximately 40 million credit and debit card numbers were covertly collected by hacker-installed malware as shoppers spent at Target.

It all happened because an attack on one of Target’s heating and cooling contractors yielded Target network credentials. Target did not segment the contractor’s network access, so the hackers had the keys to the kingdom. This missing control allowed the malware to be installed, and the rest is history.

According to security firm Wiz, 82% of companies that give access to vendors give access to all their data. Additionally, 90% of those respondents have no idea what level of access they granted. Clearly, many companies are unaware of the risk they’re assuming with vendors.

What’s the moral of the story? Organizations must mitigate risk by continuously managing vendor relationships.

What is vendor management?

A 2010 study by ESI International found 94% of businesses have an outsourced relationship, which was defined as hiring a third party to do something that could be done internally. Vendor management focuses on controlling the risk associated with hiring a third party as much as possible, so your organization is protected. A robust program includes:

  • Mission and charter
  • Scope
  • Defined roles and responsibilities
  • Maintained vendor inventory
  • Selection process
  • Annual evaluation
  • Contract criteria
  • Security review

While vendor management can be complex, it’s critical. As Target and others have shown, if you’re outsourcing any aspect of your business, managing vendors is managing your risk.

Setting up and sustaining your program

For small- and medium-sized businesses, the vendor management process needs to be straightforward and simple to maintain. Otherwise, it may not be viable. To accomplish that, consider the following framework:

Setup – Document the reason for the program and the structure. Also be sure to define the roles and responsibilities required.

Vendor inventory – Capture all existing vendors, document pertinent information, and keep the inventory current.

Vendor selection – Develop a standard to evaluate vendors before engaging their services.

Annual evaluation – Over time the nature of the relationship might change, and it is important to review vendor performance regularly. At a minimum, this should occur annually.

Contract criteria – Not all contracts are similar. Develop a standard to evaluate contracts prior to entering them, as well as yearly. This helps ensure the organization is protected.

Security review – While often overlooked, security reviews are critical because vendors clearly can be a major source of risk. Establish a review standard and continually evaluate it because threats evolve constantly.

Getting started

Vendor management is all-encompassing. That’s why the largest organizations in the world have entire teams dedicated to it.

At small- and medium-sized businesses, however, there may be no one working on vendor management and risk mitigation. If there are people assigned to it, they may be overwhelmed by the comprehensive, ongoing nature of the undertaking.

When it comes to your organization’s technology and security, you may be on the right track — you recognize that constant monitoring, testing, and updating of your organization’s defenses are critical — but technology is complex and evolving at a faster pace than most can keep up with. Join Rehmann for a complimentary cybersecurity webinar and panel discussion from 11 a.m. to 12 p.m. EDT Tuesday, Oct. 19.
