Tips and Tricks for CCOs: Vendor Risk Managemnet

Tips and Tricks for Chief Compliance Officers: Vendor Risk Management

As we look ahead to 2021, a key challenge CCOs will continue to face is adapting to the demands of remote working, which is likely to become the new normal for the vast majority of operations. This is why many are starting to anticipate risk not just from within, but from outside the organization. According to our latest survey, 41% of firms will be adding vendor risk management to their compliance program, more than any other initiative. This is surely a sign that remote working is prioritizing concerns that once may have been on the periphery, particularly as it relates to cybersecurity and business continuity. It’s also a sign that in the absence of face-to-face interaction at the office, compliance teams are committed to ensuring that risk mitigation doesn’t fall through the cracks.

In a remote work environment, clear communication around vendor onboarding goals is crucial. Below are three tips to ensure that your firm establishes a successful Know Your Vendor program in 2021 and beyond.

Tip #1: Put Compliance at the Center

Vendor onboarding can be a huge pain point for compliance teams. A lot of this is because in some firms, vendor management is owned by other teams like IT. With so much back and forth emailing between IT, Legal, and Finance, it’s important to have everything documented and centralized. Whether you decide to hire a person to do this, or deploy another technology platform, establishing a formalized process to achieve integration during procurement, and putting Compliance at the center of this process, is crucial.  

Tip #2: Take Advantage of Working Groups

At our recent roundtable webinar, John McGuinness, CCO at The StepStone Group, explained the importance of establishing a working group to generate ideas for best vendor risk management practices. While those on the deal team or legal have traditionally taken advantage of this, according to McGuinness, compliance professionals can benefit from working groups where insights are shared. “Sometimes, the informal conversations among people doing what you do give you the best ideas,” he said.

Tip #3: Prioritize Cybersecurity

In today’s remote work environment, cybersecurity is more critical than ever. The last thing you’ll want is mismanaged data that leaves your firm vulnerable. When considering vendors, you should ensure they have a formalized cybersecurity policy in place, including SOC 2 certification. In addition, vulnerability assessments and penetration testing should be conducted regularly and made available, and if you’re working with a cloud service provider, application penetration testing should similarly be conducted. While it’s not a requirement that third-party vendors follow the above standards, it should be a factor before you make the decision to onboard a vendor, and many experts believe that cybersecurity due diligence should be requested yearly so that vendors treat it as a priority.

When compliance is part of the vendor onboarding process, consequences resulting from risky vendors can be mitigated. As you plan for 2021 and add Know Your Vendor to your compliance program, the above best practices can help guide you in the right direction.

Request a demo of ComplySci to learn how to maintain compliance in a remote work environment.