Do’s and Don’ts of Vendor Selection

How do you select the vendors who will support your organization’s needs?  Do you bring on a company that was recommended to you by a buddy?  Do you pick a vendor from the list of Request for Proposal (RFP) respondents and simply “see how they do?”  Or do you follow an established vetting and onboarding process that takes risk, compliance and performance into account before even considering them?

Contracting with a vendor is not unlike hiring an employee.  With that in mind, consider the following before your selection process begins:

  • Develop a clear picture of your ideal vendor before you consider anyone for the role.
  • Ensure the vendor is qualified to do the job.
  • Verify that the vendor’s business practices won’t jeopardize your organization.
  • Only after a vendor passes your ‘background’ checks should you develop a contract that describes specifically the job that the vendor will be performing, and your expectations of the vendor.

This is all done with a robust vetting and onboarding process.

Planning and Risk Assessment Stage: Creating A Clear Picture

The process of bringing on a vendor starts well before an RFP is released.  Define the vendor’s specific objectives and assess the importance of the function to your company.  Analyze how the outsourced function and/or provider will meet your organization’s business needs and strategic objectives.  Review the risk to your organization: could the service have significant negative impact on your company financials if it were to become unavailable or unusable due to vendor closure, bankruptcy or insolvency, with no alternate vendor for the same service?

Risk rating is based on your company’s standards and policies.  In general, there are 3 ratings: Class A, B and C (some companies define these as High, Medium and Low Risk).

  • Class A (High Risk) – a vendor that collects, accesses, stores or processes Personally Identifiable Information (PII) (customer or employee), thereby representing a regulatory risk to your organization.
  • Class B (Medium Risk) – a vendor that has access to or use of proprietary company information, or that performs essential or critical operational services.  The replacement of this type of vendor would be a major disruption of your company’s operations.
  • Class C (Low Risk) – a vendor that does not have access to PII and whose products or services represent limited risk.  For example: janitorial service, electrician, etc.

However, there are still risks to consider with Class C providers.  If this service is performed during business hours, is there a risk that these contractors will see customer information on a computer screen or printed documents?  If this service is performed after business hours, do they have access to secure areas where files and paperwork may be found on desks?

Take care to consider all aspects of risk before proceeding to the next step.

Due Diligence Assessment Stage: Ensure Vendor is Compliant and Can Do the Job

As you interview vendors to fill the role you’ve defined, you’ll need to conduct a reasonable inquiry into a vendor’s ability to operationally meet the requirements for the proposed service.  Compliance should be reviewed before performance, and it is important not to make a decision solely on price.

The vendor selection process consists of an RFP and a questionnaire in which you gather the following data: licenses, bonds, insurance coverage, lawsuits, financial status, and policies & procedures, followed by an eventual onsite audit.  An information security review covering the System and Organization Controls (SOC) report, Business Continuity Plan, and Confidential or NPI Data Access, to name a few, is required if the vendor is ranked at the Class A level.

The intensity of due diligence required in selecting a vendor will depend on the results of the risk analysis completed in the first stage, combined with a comprehensive assessment as described in this section.

Develop the Contract Stage

A strong contract with a vendor is essential to properly manage the relationship.  Even relationships with vendors that provide low-risk services should be defined in simple form contracts.  All contracts should be in writing and cover every aspect of the business relationship, from scope of work and fees to termination of contract and everything in between.  This includes, but is not limited to: licenses, insurance, expectations and responsibilities, type and frequency of reporting, a process for changing scope of work, ownership of work product, an acknowledgement that the vendor is subject to regulatory review, privacy and information security, data theft, ongoing monitoring, dispute resolution, and how the vendor will return your company’s and customers’ information.

Ongoing Monitoring and Oversight Stage

Ongoing monitoring is performed to ensure:

  • The services are in compliance with the contractual terms, including performance, service level agreement and statement of work.
  • Potential regulatory and financial risk is identified and mitigated, and your company’s reputation is protected.

You should conduct an onsite audit at least annually with Class A vendors and triennially with Class B vendors.

Planning and Risk Assessment, Due Diligence Assessment, Contract Development, and Monitoring and Oversight – the completion of these four components will ensure you partner with the best vendors: those that understand your company’s strategies and goals and support your drive for success.