Evolving and increasing regulatory requirements. Growing vendor inventories. Heightened internal pressures to perform risk management functions. Shifting responsibility and accountability for the actions of vendors. These are only a handful of the challenges and considerations companies face when managing third-party risks. In light of the heightened scrutiny and responsibilities, many companies are shifting their focus to the centralization of vendor risk management and governance in vendor management organizations (VMOs). A VMO is an internal unit within an enterprise that is charged with evaluating third-party providers of goods and services, supervising day-to-day interactions and managing longer-term relationships.
Traditionally, companies have performed third-party oversight in segregated departmental sectors. Operating in these detached silos results in the inability to effectively enforce company policies and procedures established to mitigate third-party risk. In this way, silos lead to increased risks of non-compliance, human error, redundancies, and longer processing and turn-around time.
According to GRC20/20, “Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure.” By operating in these silos, business units are missing the impartial view brought by the vendor management unit, especially when those vendors’ services touch multiple business units and processes.
A centralized VMO establishes consistent, predictable outcomes for better compliance. In detached silos, risk management policies, processes and requirements are inconsistently enforced, greatly increasing risk exposure, because each department typically performs and follows its own risk management practices. Unlike this patchwork of processes followed for the same activity, a centralized VMO follows a single process, reducing risk exposure with standardized risk policies and procedures.
Despite the benefits and arguments for the unification of third-party risk management practices, there are always potential roadblocks. Two leading challenges are common when transitioning to a centralized VMO.
The first and most critical element to the success of any third-party risk management program, centralized or not, is the tone at the top. Support from senior management and the board is crucial as these executives drive company culture and determine and allocate value to company initiatives. According to a report from Shared Assessments, “A commitment to effective risk management demands effective engagement, communications and follow-through from the board level down and—also—from the organization itself to the board.” Without the full commitment and backing of the board and executive teams to dictate the program’s value, a newly created VMO is likely to fail before it ever has the opportunity to succeed.
The second obstacle in transitioning to a centralized VMO is pushback from the internal business units and stakeholders. Internal stakeholders are often resistant to organizational and process changes. Much of this resistance stems from the fear that the new vendor management organization and process will fail to understand and respond to the needs of the business units those vendors serve. According to a Gartner report on building proficient vendor management capability, “Stakeholders may view the VMO as ‘slow,’ ‘unresponsive’ and a bottleneck to vendor access. Failing to change these perceptions will be viewed as a roadblock to success.”
Whether a company is just developing a third-party risk program or is transitioning from a siloed approach to a centralized VMO, the onus is on the new VMO to drive efforts to unite the various stakeholders in relationships between vendors and business units, and to solidify a partnership. The VMO must adopt the mindset that the internal stakeholders and business units are now its most valued clients. To accomplish this, the VMO must continuously demonstrate its ability to listen, understand and respond to the needs of the business units. Without the cooperation of stakeholders, a VMO faces an arduous task ahead, as it is hard to imagine anyone would be eager to follow an entirely new methodology that greatly impacts their job when they had little to no influence on its development.
With Challenge Comes Opportunity
Creating a centralized third-party risk management program can break down silos, which fosters and encourages collaboration among departments, processes and people. VMOs must seize the opportunity to involve the stakeholders in the process of evaluating current vendors and processes. This collaboration should help to identify successful processes and vendors, and segregate those that will not be integrated into the new VMO. Stakeholders are a VMO’s best resource: No one knows or understands current vendors better than the business owner who has managed the vendor relationships.
The VMO exists to mitigate risk and protect the interests of the company. At the same time, it is essential that a VMO also serves the needs of the business units and management. Consider the business owners and units as equal partners in the development of new program processes and procedures.
You Are Only as Good as Your Processes
One common mistake comes from the enthusiastic client who believes the organization is ready to implement its vendor program within a software platform. When the time comes to conduct discovery and scoping, however, it turns out they do not have a well-documented vendor onboarding, due diligence or ongoing administration process. Not only does the organization lack documented processes, it also lacks the ability to articulate and sometimes even understand its actual processes.
Many then blame this frustration on the software, thinking it is “too complex.” Unfortunately, a software platform is not a band-aid for weak processes—there are no turnkey solutions. In the absence of strong processes, software is destined to be ineffective.
Implementing a governance, risk management and compliance or vendor risk management solution can help build a mature third-party risk management program, and may help simplify the onboarding, evaluation, due diligence, contract and ongoing administration processes. Keep in mind, however, that software is difficult to implement without well-understood and documented procedures and processes.
Beyond the Challenges
Challenges are an inherent part of any business development process, whether creating a new third-party risk management program or transitioning an existing siloed approach to a centralized structure. However, challenges are simply opportunities to improve interaction and cross-collaboration with those who have a stake and future influence in how the VMO operates.
Business owners and units are a VMO’s two best friends, as utilizing their wisdom can streamline and improve processes and third-party risk procedures. Creating partnerships between the business unit and the VMO will help solidify a successful and effective program. Ignoring stakeholders’ needs and knowledge, on the other hand, will only lead to potential adversarial relationships.
Take the time to fully understand and document your policies and procedures. A third-party risk management program will not be effective unless it is well documented and articulated.