Resources
WolfPAC > Resources > 5 Common Vendor Management Myths
Back to Resources

5 Common Vendor Management Myths

Author: Randy Marsicano


Originally published in 2016. Updated in December 2022

In my many visits and interactions with clients, prospects, competitors, and industry pundits, I hear things that get me thinking. Recently, some of these conversations have focused on common myths related to vendor management.

Regarding vendor management, the regulations are unambiguous in what is expected – at a high level. The devil is in the details, though. And at times, these very details overwhelm us and sometimes trip us over.

Here are 5 common myths related to vendor management:

Vendor management myths

1. You can’t start vendor monitoring until you complete your risk assessments

When it comes to vendor monitoring, no regulation states that you have to complete a risk assessment before you can start monitoring. So, risk assessment is an essential step in the vendor management process. You already must know your critical vendors. In addition, you understand what tasks and documents must be monitored regularly, at least for the high-risk vendors. Now, you may start watching these vendors before you complete your risk assessment.

2. You need to monitor all third-party relationships

In vendor relationship management, you don’t have to monitor all third-party relations. As a result, some simple tips on vendor management, in general, might be in order here.

  • List all of your vendors in a central place somewhere. This way,  you’ll have a complete list of all your third-party relationships.
  • Vendor management best practices suggest implementing a strong contract management process for your vendors.
    • At a minimum, you should have a contract management process for vendors with an auto-renewal clause.
      • This step will help prevent costly contracts from auto-renewing before an internal review.
  • Monitor the high and moderate-risk vendors and use the guidance and risk assessment results to determine which vendors make this prestigious list for your institution.
    • The monitoring tasks for each vendor will vary depending on the relevance of the vendor to your operations.

3. You need to monitor all third-party relationships every year

Not all vendors are to be monitored every year. Your risk assessment tool should provide guidance on the frequency of monitoring and the recommended tasks to monitor for the vendors based on the inherent risk ratings. Base your monitoring frequency on this. It will save you a bundle in time, at least.

4. All third-party relationships are to be risk assessed and monitored for all tasks

While it is true that I said you need to list all vendors in a central place, you don’t have to risk assess and monitor all of these vendors. The guidance is clear when it asks you to run your vendor relationship through the following lens.

Based on your responses to these qualifying (or selection) questions and the vendors’ impact on your operations, you identify those vendors that you will be risk assessing and monitoring. Again, depending on the inherent risk of a particular vendor, you will have a different frequency model for ongoing risk assessment and monitoring.

a. New vendor relationship or activities
b. Material financial effect on the organization
c. Performs critical functions
d. Stores accesses, transmits sensitive, customer information
e. Markets financial products or services
f. Performs subprime lending or card payment transactions
g. Increases risk to earnings or capital

5. Cleaners & contractors are GLBA vendors because they have access to the building

It depends. Just because a vendor has access to the building does not automatically mean they have access to client and employee confidential information. And therefore, it does not automatically translate to them being Gramm-Leach-Bliley Act (GLBA) classified as requiring detailed monitoring.

What is more relevant with this specific example is what other policies, procedures, and controls you have in your vendor management strategy to prevent a cleaner from having access to confidential information:

  • Do you have a clean desk policy? How do you enforce it?
  • Do you have periodic employee training on handling confidential data and disposal and destruction of confidential information (paper and electronic)?

And yet, in some instances, for some of you, your cleaner may qualify as a GLBA vendor!

Check Out WolfPAC’s Vendor Management Software Platform

Our platform enables you to develop a comprehensive Third-Party Risk Management program. We arm your organization with the ability to identify high-risk vendors and mitigate those risks.

By automating traditional risk analysis, due diligence, ongoing monitoring, and reporting, our software provides a complete view of your third-party relationship risks from vendors, suppliers, contractors, and other business partners. This new, unprecedented level of visibility, process automation, and data centralization creates significant value for customers by facilitating the following:

  • Significant expense reductions,
  • Improved vendor performance,
  • Successful regulatory exam results, and
  • Positive ROI on vendor relationships.

Understanding the value of third-party risk management is only the first step! Next, your organization must bring together the right people, processes, and technologies. Want to learn how we can help your company develop a comprehensive Third-Party Risk Management Program that stands up to the threats of today and tomorrow? Contact us today!

In addition to our legacy offering, we’ve also recently launched WolfPAC Essentials, a new risk management tool that allows lean organizations to build modern risk management programs in three core areas: (1) Vendor Management, (2) IT Risk Management, and (3) Business Continuity Management. Interested parties can start using the offering today for free.