Soon after NASA launched the Hubble Space Telescope into Earth’s orbit in 1990, scientists discovered, to their dismay, that the telescope’s primary mirror was flawed. The mirror, built to exacting specifications by an outside contractor, was ground 1/450 millimeters too flat, drastically reducing Hubble’s usefulness and the quality of its images. The Hubble project, which had long since gone over budget, was panned as a debacle, and NASA’s reputation was associated with wastefulness and incompetence. Although the telescope would eventually be repaired and its images changed astronomers’ understanding of the universe, the fix cost NASA hundreds of millions of dollars.
The primary mirror was supplied by diagnostics and industrial giant Perkin-Elmer. Today, however, those who recall the name of the mirror’s manufacturer are probably limited to fans of space exploration, experts in 1990s trivia, or perhaps vendor risk management enthusiasts. The fiasco is usually attributed to NASA itself. This should serve as a reminder to organizations and their risk management teams that when they outsource, they are still ultimately responsible for the overall quality of the end product. That is why a vendor risk management framework is so important.
You don’t need to look all the way back to the 1990s, however, for a reminder of the importance of vendor risk management. Just this February, airlines in the United States, South Korea, and Japan grounded dozens of Boeing 777 aircraft after one of the jets’ engines (manufactured by Pratt & Whitney) malfunctioned, causing it to drop debris over Denver, before making an emergency landing. Several homes were damaged by falling debris, flights were altered or canceled, and subsequently, the Federal Aviation Administration announced that it would be ramping up inspections of Boeing 777s that use the Pratt & Whitney 4000 engines.
For any organization that utilizes vendors—including suppliers, business partners and other third parties—in the production or delivery of its products and services, a vendor risk management framework is a critical tool for reducing the likelihood that a vendor issue could result in catastrophic financial, legal, or reputational damage.
Taking a Systematic Approach
Having a set of policies that governs interactions between the company and its external vendors is a vital control and so is auditing for compliance against those policies. But, that does not amount to a vendor risk management program, which considers the risks of all third-party relationships, individually and collectively, in terms of their potential impact on the enterprise. A vendor risk management framework is a systematic and holistic approach for assessing ongoing and changing risk and providing assurance that risk related to vendors and suppliers is being properly managed.
A systematic approach is particularly important for large organizations, which often have extensive and complex networks of vendors that each play a role in making the business run. At large companies, individual business areas may be entering into vendor relationships independently of one another. Therefore, without a systematic framework, comprehensive data may not be accessible to the organization to provide an accurate representation of overall vendor interactions and their associated risk.
On the other hand, there is a greater likelihood of entering into less formal and clearly defined third-party relationships at smaller companies without the resources for the level of vetting and due diligence that robust legal, security, and internal audit functions can provide. For this reason, a prescribed vendor risk management framework is a good tool for just about any organization that uses vendors.
In addition to keeping tabs on a complex vendor network, a risk management framework is also important for ensuring that policies are responsive to quickly changing marketplace conditions. In the midst of COVID-19, for example, organizations have been forced to adapt their vendor management policies quickly in response to constraints brought on by the pandemic. Regulations, meanwhile, generally change at a pace that lags behind real-time changes in the marketplace. So, even strict regulatory compliance is not necessarily sufficient to ensure well-managed vendor risk, notes Stephen Boyer in his 2019 article, “Debunking Common Misconceptions about Third-Party Risk Management.” A framework that incorporates surveillance of the marketplace and emerging risk is critical to successful vendor risk management.
Communication is another key component of any vendor risk management framework and is another aspect that distinguishes it from simply a set of policies. Vendor risk management is the responsibility of everyone in the company, even if they don’t deal directly with vendors and suppliers as part of their typical job activities. Therefore, a good vendor risk management program addresses the need for all employees to be educated when it comes to aspects such as the use of approved vendors, ethics around bidding, negotiations, gifts, bribes, confidentiality as it relates to sharing or providing access to company assets, and other elements.
Another advantage of vendor risk management frameworks is they are an effective way of communicating to outside parties a clear, concise, and consistent message of what the company’s policies, activities, and expectations are around quality, security, and transparency. That message isn’t just important to communicate to vendors, but also to regulators. A good framework also facilitates communication to management and the board on the need to invest in tools, technology and processes that are required for effective vendor risk management, as Deloitte emphasizes in a 2016 report, “Third Party Governance and Risk Management: The Threats Are Real.”
There is no one-size-fits-all framework that works best for all organizations. Industry, company size, number of vendor relationships, and regulatory environment will all impact the selection of a framework. It is also important to tailor the framework to the needs of the individual company. There are, though, some key elements and considerations that should go into any effective vendor risk management framework, and those considerations translate into questions that internal auditors and risk management professionals should be asking of their organizations.
Key Considerations When Adopting a Framework
Policies, naturally, are a critical aspect of any vendor risk management framework, as they set the rules for engaging, monitoring, evaluating, and disengaging from vendors. In addition to the creation of policies, however, the following are some critical components to an effective vendor risk management framework.
Vendor Inventory and Data: A vendor risk management framework should provide for a repository of information that includes an inventory of all vendors that the company utilizes and information relevant to their monitoring, with the aim of being comprehensive and regularly updated.
Compliance and Vendor Monitoring: According to research published in 2020 by Refinitiv, 60 percent of global third-party relationship, risk management, and compliance professionals surveyed said they were not fully monitoring third parties for ongoing risks. A similar number (63 percent) pointed to competitive pressures, greater globalization, and increasingly complex supply chains as drivers spurring organizations to take greater regulatory risks to win new business.
Within the framework, there must be audit and monitoring activities for ensuring compliance at multiple levels. This includes, of course, auditing of vendors to ensure their products, processes, and operations meet government and industry regulations, as well as deliver the level of service agreed upon contractually. This also includes auditing internal behaviors—such as bidding, onboarding, and off-boarding—to ensure they comply with the organization’s stated policies and procedures.
Ongoing Risk Assessment: In addition to compliance monitoring, an effective vendor risk management program must include proactive assessment of emerging risk. For example, an overseas supplier’s business practices may be compliant to local regulations, but still pose a reputational threat to the organization. Similarly, a service provider’s data-privacy protocols may meet accepted best practices, but remain exposed to new security threats.
The vendor risk management framework must provide for activities that enable the organization to stay ahead of emerging vendor risk. Further, as monitoring and risk assessment activities yield recommendations, internal audit should be looking to determine if these recommendations are being acted upon to address vendor risk.
Leadership and Ownership: As noted, multiple business areas (and by extension all employees) share responsibility for managing the risk that vendors post to the organization. That does not mean, however, that there should not be specific individuals who are accountable for vendor risk. Consideration of a vendor risk management framework should include whether it identifies these individuals.
Communication: Assessment of a vendor risk management framework should consider whether there is an ongoing communications aspect that is educating employees, vendors, prospective vendors, regulators, external auditors, the board, and other stakeholders about the company’s vendor requirements, expectations, and assurance activities.
Currency and Suitability: Risks facing the organization related to vendor relationships change over time, and so the framework for managing them should be adaptable as well. When considering the suitability of the vendor risk management framework, it may be beneficial to ask questions such as:
- Have relevant regulatory requirements changed?
- Based on marketplace conditions, should we increase or decrease the frequency with which we review and update our own vendor policies?
- Have we increased or decreased our reliance on vendors?
- Can our monitoring, assurance, and audit resources support the existing framework?
- Is the framework still aligned to our business model, strategic objectives, and core values?
Vision for the Future
Concerns about vendor and supplier risk moved to the forefront in 2020 due to COVID-19, and companies are still feeling the disruptive effects of the pandemic on their vendors as they relate to areas such as materials availability, transportation, workplace safety, quality assurance, transparency, and more, and likely will for some time. It’s true, too, that the next disruptive event is likely lurking just around the corner. Deep and complex vendor networks require a disciplined and systematic approach to management that looks beyond compliance to emerging risk, and risk management frameworks are built to guide organizations in that approach.
Neglect vendor risk management or fail to adopt an appropriate framework, and you just might end up looking through a telescope with a defective lens. 
Mercedes Washington, CISA, CFE, is a staff auditor at The Nielsen Company. Her primary role is supporting external industry standards audits around IT general controls for the software platforms that power Nielsen’s global media measurement business.