9 Vendor Compliance Questions Your Company Should Be Asking
By : Alia Luria
Vendor partnerships are the lifeline to innovation for enterprise. Whether it’s bringing in fresh, third-party technology that will provide a strategic competitive advantage, or outsourcing routine tasks so that talent can focus on key objectives—vendor partnerships are crucial. But today’s complex compliance environment is getting in the way.
Here are 9 compliance management questions for your company to consider when collaborating with vendors.
1. Are you in a regulated industry?
To be in a regulated industry means that your business is controlled by government rules. Operating in a regulated industry makes innovation more challenging, but it doesn’t mean your organization can’t find opportunities to innovate while still embracing the fact that your business is regulated.
Your highly regulated organization can drive innovation by building a culture of collaboration between your internal staff, customer, and any vendors. Open communication and transparency not only smooth the compliance process, but it creates another opportunity to show your customers that service matters to your organization.
Finally, embracing the change that comes with being in a regulated industry by implementing an innovative, technological solution will help your organization stay ahead and open and allow you to drive innovation in the parts of your business that aren’t regulated.
2. Is data involved?
If you intend to share data, you want to ensure that the data is safe on third-party networks and that those to whom you grant access conduct themselves in compliance with your standards.
Take the following steps to ensure that you and your vendors have open and transparent communication about the data involved, the expectations for its security, and the plan of action if anything goes sideways:
Before you open the vault, make sure you understand what types of data you have, what the value of it is, where it’s stored, and whether a vendor needs access.
Give vendors a readily accessible, written set of security expectations for your data that align with your regulatory requirements. Base the requirements on communication between the parties regarding what will actually be shared and what needs to be secured in what ways.
Make sure that vendors are aware of your organization’s written incident response plan and that they have their own plans for timely notifying you of a data breach involving customer data.
Share Only the Minimum
As good business hygiene, make sure that you only share information that’s required by the vendor. Sharing additional information only adds risk.
Continuous monitoring of vendors and contractors regarding cybersecurity practices helps you keep an eye on what is happening with data. Employ a collaborative compliance tool that allows you to push updates and notifications to vendors, but also consider monitoring software which gives you a greater into the systems of your vendors.
Although the law may only require adequate safeguards, be specific in your expectation as it relates to your data. Your vendors may define “adequately” different than you do or than your regulators do.
Assessing vendors for their practices before sharing data saves a lot of headaches if they are not and cannot make become compliant enough to work with you. Establish a collaborative environment with vendors and maintain open communication so this process goes smoothly!
Not every vendor employee or contractor needs access to your data. Make privileged information available to select individuals who need access for good reason.
Don’t allow access to your sensitive data from unapproved devices, only from work-approved computers or devices. Check mobile device management plans for access limits and controls.
3. Are there other standards you want your vendors to meet?
Not every vendor requirement your business may have is driven by regulations. Your internal business practices, corporate culture, and specific methodology may drive some of your vendor requirements. This could include a Corporate Social Responsibility Policy or a Vendor Code of Conduct.
You may have certain baseline diligence requirements on top of formal policies that you use for screening vendors to determine whether you want to work with them, such as length of business history, capacity, etc
Communicating with your vendor in advance as to these additional responsibilities can offset snags in the contracting process.
4. What is your potential exposure if a vendor doesn’t meet your compliance requirements?
Part of understanding your risk and knowing what you are controlling for means understanding the exposure associated with a particular vendor relationship. Your business won’t have the same types of exposure from a lawn care vendor as it will from your payment card processing vendor. Not all vendor relationships fit so clearly into one bucket or the other, however.
Understanding the universe of exposure for your agreement can help you communicate the compliance expectations as well as the liability mitigation strategy openly and transparently in a way that helps you and your vendors get to contract more quickly.
Collaborating helps you right size your compliance efforts for each contract, minimizing the time you and your vendors spend negotiating compliance points that may not have any practical impact on your exposure.
5. Who are the stakeholders in your business, and what do they need from the vendor?
Understanding the business purpose of the agreement can often serve as a means to elucidate the context for any compliance requirements that may come into play.
If there is data being shared, understanding who the stakeholders are can make sure that the proper persons are involved in deciding what data or other requirements are required as part of the relationship.
6. What are the points where the vendor connects to your organization, including systems and people?
Knowing where the vendor’s product or service will touch your organization can inform not only the stakeholders involved, the business purpose, and what data might be present, but it can provide a functional basis for determining the best type, timing, and persons involved in collaboration and communication regarding the contract administration.
Understanding this before you begin the contracting process can help focus your teams towards productive interactions quickly.
7. What systems is the vendor impacting?
Along with stakeholders and connection points, knowing what internal systems are impacted, whether external system access is required, and whether integration is available or required for the service determines whether you will need a system integrator to work with you as part of the process.
Some thoughts to consider with respect to system integrators. It may be worth it for your organization to engage a system integrator. They may have resources and experience that the vendor lacks with respect to systems similar to yours. They may also be able to assist your sales process if engaged early enough. They can recommend specific services based on your organization’s needs, not just based on what the vendor has available for sale.
Also, look for an integrator that is as neutral as possible and does not have a history of competing against the vendor. This will allow a more collaborative process and establish trust between the integrator and the vendor, resulting in a positive benefit for the organization.
8. What types of documentation will you expect from your vendors?
As part of your compliance requirements internally, you should consider what documentation you will need from vendors to substantiate their compliance under standards relevant to your organization.
Will you need evidence of policies and procedures? Will you need certifications? Preparing your diligence in advance of beginning the qualification process can streamline your communications and forestall back and forth on compliance requirements.
Additionally, if you will require your vendor to undergo routine audits to qualify and remain a vendor, requesting and prior audits early in the process may move things along more quickly and collaboratively.
9. How frequently will you need to monitor your vendors to ensure continued compliance?
A lot of emphasis is placed on the initial qualification process, but it is equally important to continue to monitor your vendors’ compliance status in relation to your relationship.
Regulations change frequently, as does the business and technology landscape in which your organization operates. All of these factors can contribute to your vendors falling out of compliance with both your organization’s regulatory requirements as well as its internal requirements.
A collaborative compliance approach ensures that communication about compliance continues after the initial execution and implementation of the agreement. Whether you are using tools to monitor the vendor’s IT environment or a collaborative compliance platform to ensure that regulatory updates are being included in the compliance audit trail of your vendor relationship, this ongoing monitoring and cyclical remediation (if necessary) keeps your organizations transparent and promotes trust.