Third Party Vendor Contract – Risk Management

Uploaded by: elizabeth-baker-jd-crcmp

Posted on 08-Apr-2017

Category: Law
Page 1: Third Party Vendor Contract – Risk Management

Mitigating Risks and Increasing Efficiencies in the Contract Management Process

Page 2

Goal and Objective

• Ensure that outsourcing arrangements align with the Company’s strategic goals and direction and comply with applicable regulations.

• Design and implement a system that mitigates risks, reduces costs and increases efficiency and profitability.

Page 3

• Most companies use third party vendors for a variety of reasons, from outsourcing key operations to janitorial services.

• An effective risk management process starts before the contract is executed and continues even after the contract term has ended or the contract has been terminated:

• Identify new or existing products or services involving a third party vendor

• Meet with key stakeholders within the Company to identify the risk impact of the new product or service on (i) customers, (ii) existing technological systems, (iii) staff operations, (iv) the Company’s goals and strategic plans

• Conduct due diligence on the third party vendors (identify the scope of vendors engaged in this field, product or service; their experience; financial strength; security controls, etc.)

• Manage and audit performance throughout the term of the contract (and after termination or expiry if there are surviving terms: warranties, indemnities, guaranties, confidentiality and data return or destruction obligations, etc.)

• Identify risks, weaknesses and losses, and incorporate “lessons learned” into the process

Page 4

Evaluating your Vendor

• Does this vendor have access to, store, process or otherwise transmit proprietary, employee or customer (financial or other private) data?

• Is the product or service material or essential to the operation of your business?

Categorizing vendors by criticality (tier or level of security, materiality, dollar amount) can assist in determining:

(i) which departments should be involved in the due diligence, evaluation and/or approval of the product or service,

(ii) the amount of due diligence to be conducted,

(iii) the security requirements,

(iv) the oversight and assessment required during the performance of the contract.

Tier by the data a vendor touches as well as by contract value: a low-dollar vendor with access to customer or employee data can carry more risk than a high-dollar vendor that handles none.

Page 5

Recommendations

• Contract Management Team: identify an internal team to advise on new or existing third party vendors and their contracts

• Information Technology (IT) department

• Finance or Accounting department

• Operational department

• Security & Compliance department

• Outside Counsel or internal Legal department

• Create a process and workflow that expedites due diligence, review and implementation of the third party vendor and its product or service. Items to request and review:

• SOC 1 or SOC 2 Type II reports (issued under SSAE 16, superseded by SSAE 18 in 2017). A Type II report covers the operation of controls over a period rather than at a point in time; read the auditor’s opinion, the scope and any noted exceptions, and confirm the report period is current rather than simply filing the report.

• Insurance (Employee, E&O, Computer Fraud, Liability, Worker’s Compensation, Employer Liability, Cyber)

• Audited Financial Statements

• Disaster Recovery Plan or Report of Business Resumption Plan (including tests performed and dates)

• Service Level Agreements (reporting requirements, quality standards, up-times, etc.)

• Monitoring and Reporting of Key Performance Indicators (KPIs)

• Create or utilize a form bank of terms and agreements that can be easily accessed to simplify the drafting, review and/or negotiation process

• Create or utilize a vendor database that tracks the due diligence and performance information for each vendor (including security controls, claims, breaches or losses)

• Categorize existing third party vendors, new vendors, products or services based upon risk factors:

• Access to proprietary, employee or customer data

• Material amount of the contract or type of operational service or product

• Reputational, financial, credit, payment card (PCI DSS), litigation or other risks