Vendor Management, the Key to Outsourcing Success
By Andrew Mathieson, Senior Accountant, Assurance Services
With the rising cost of building and maintaining an Information Technology (IT) environment, many entities are opting for outsourced services. However, cost effective as that can be, outsourcing IT services brings with it a multitude of risks. Whether those risks are actually mitigated depends largely on the entity's ability to implement a robust vendor management program.
The Rewards & Risks of Outsourcing
For startups and small businesses, the lack of capital to purchase infrastructure hardware and the staffing needed to operate it make outsourcing even more alluring. According to Allora Consulting, setting up a low-budget network would cost a small business an initial investment in the vicinity of $3,000 to $7,500, and about $1,200 to $1,500 in annual maintenance. That outlay can strain the finances of a business in its infancy. With limited resources, the daunting task of funding, and the growing pains that accompany the building of a startup or small company, outsourcing usually trumps on-premise ownership and management.
Though larger companies have the resources to run the "on-prem" functions of a network, many are still opting for outsourcing. According to the Grant Thornton International Business Report (IBR), the cost of industry regulation and compliance, coupled with the quest for efficiency and cost reduction, are the biggest drivers for most companies considering outsourcing IT.
Of course, just like many operational functions of business, outsourcing IT has its joys and woes.
Joys like cost savings and overhead reduction are almost always foremost in the minds of most CEOs when considering outsourcing. In the industry, many have voiced the comfort felt in using a third party provider because of the insurance it brings in the event of a disruption of service, and the alleviation of liability otherwise placed squarely on the business's shoulders. That comfort is only partly warranted: a contract can shift some of the operational burden, but the entity remains accountable to its customers and regulators for the outsourced function and for the data it hands over. Entities benefit from the expertise and wealth of experience that comes with an outsourcing contract without the market price tag; it would cost most companies a handsome sum to keep such capable talent on staff.
The woes of outsourcing, in many instances, act as the "voice of reason," a deterrent when entities are considering handing the lifeblood of their companies - IT - to a third party. The first pang of concern for most companies is usually the loss of control. In many instances, third parties become indispensable as reliance upon their services becomes so enmeshed in the success of the entity that it is unable to retake the reins; not to mention the risks that come with sharing intellectual property and proprietary data. In this day of cyber espionage, it is quite risky to allow unfettered access to your most prized possession: your data. Remaining viable in the marketplace is paramount to the growth and profitability of a business; losing the proverbial "keys to your universe" can certainly place an entity on the irrelevant list with one keystroke - the nightmare of most CEOs.
The Mission-Critical Need for Vendor Management
While outsourcing is scary and worrisome to many entities, in polar contrast, there are entities who vastly prefer the option of outsourcing and welcome the reduction in network operation cost it can bring. These savings are realized by not having to expend human and financial resources on in-house IT services. Whether the prevailing mood is worry or enthusiasm, both are best addressed by implementing a robust Vendor Management Program.
Since the genesis of managed and cloud services, Vendor Management has become a key component of essential business operations. A Vendor Management program is a must-have for all entities outsourcing part or all of their IT network function. In "Third-party Due Diligence," Former U.S. Department of Justice Fraud Section Deputy Chief Mark Mendelsohn, said, "Third-party due diligence must be robust, thorough, impeccably documented and preserved."
A profound and true statement that, if fully considered, can serve as a sentinel for all companies. If entities think critically about the security, longevity and expectations of their customers, the need for a vendor management program will become clear.
Entities employing third party services should develop written policies and procedures that establish protocols for business processes and provide a solid framework for operations. These policies and procedures should also provide the framework for ensuring that the entity operates in compliance with regulatory requirements and for management to hold staff accountable for the entity's performance. A robust vendor management infrastructure should include keen management oversight and control of all third-party vendors, especially third parties providing managed IT services to an entity, as they typically carry the most risk.
For entities considering IT managed service providers, it is critical to establish a sound methodology to identify and rate the risk created by the third party. A risk-based approach creates efficiency and better efficacy in the vendor management process by requiring that more diligence and effort be devoted to high-risk vendors such as IT managed services. During this process, consideration should be given to areas such as internet connectivity and security, physical access, network access, software development management, disaster recovery, termination provisions, data storage, training programs, and performance benchmarks. Information on these key factors should be obtained from the third party and studied by management for criticality and risk.
A robust Vendor Management program should differentiate the diligence and documentation requirements among high-, moderate- and low-risk vendors. This risk-based approach plays an important role in efficiently allocating risk management resources where the higher risk exists, while still maintaining compliant oversight of low-risk vendors.
In evaluating vendor risks, entities should consider the following factors, and assessments should be performed using risk identifiers that are categorized as high, moderate or low:
- Does the vendor provide mission-critical services? Mission-critical functions can be classified as those without which the business would suffer a catastrophic impact, including injury or damage to customers. Third party vendors must be able to deliver mission-critical services according to specified performance standards.
- To safeguard the entity's compliance obligations, it is important to determine whether the third party vendor provides or receives non-public information (NPI) as part of its service delivery to the company. If so, the vendor represents a higher level of risk, and the ranking should reflect that.
- It is critical to determine whether the third party uses vendors or subcontractors of its own, and how involved they are in the service offering; this is one reason access is assessed so carefully as part of the due diligence check. Special focus should be placed on evaluating how a third party uses and monitors subcontractors. The third party service provider should be held responsible for the performance of any subcontractors it hires, and defined controls should be in place to monitor the use of subcontractors.
- Entities should define in detail the process by which they will obtain vendor information and supporting documentation to establish the status of the third party with which they are about to enter into a contract.
To accomplish this, entities can develop a questionnaire to facilitate the process, assigning risk rankings to determine criticality. This may include the following:
- What measures does the third party employ to remain compliant and competitive with governing and industry standards?
- What controls are in place to govern the IT services offered to assure the integrity, security and delivery of the technology?
- Request, where applicable, the vendor’s SOC 1 (historically issued under SSAE 16, since superseded by SSAE 18) and/or SOC 2 reports and review the results. Prefer Type II reports, which cover operating effectiveness over a period rather than a point in time, check that the report period and scope actually cover the service you are buying, and read the section listing the controls the report assumes the customer operates.
- Obtain and review the third party’s service level contracts/agreements in their entirety.
- If the vendor provides a financial or hedging model, assess and test the efficacy of the model.
Given the aforementioned requirements, entities should establish a process to review the information and documentation obtained and determine whether it meets their organization’s requirements before engaging in negotiations for service. The vendor management program must be more robust than merely collecting information, dutifully signing a contract, and filing it away.
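As an added illustration, not part of the original article and not any firm's actual program, the following Python script models the risk-based approach described above: each vendor is rated on the factors the article lists (mission criticality, NPI handling, network access, subcontractor use), the resulting tier selects a diligence package, missing documentation is reported as a gap, the vendor is declined while gaps remain, and the annual review date is checked. The factor weights, tier cut-offs, evidence labels, review interval and the sample vendors are all assumptions made up for the example.

```python
"""Risk-tiered vendor due-diligence check.

Added example, not from the article. Factor weights, tier cut-offs, evidence
names, the review interval and the sample vendors are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    mission_critical: bool       # catastrophic impact on the business if the service fails
    handles_npi: bool            # provides or receives non-public information
    network_access: bool         # holds credentials or connectivity into the entity's network
    uses_subcontractors: bool    # relies on fourth parties to deliver the service
    evidence: FrozenSet[str] = frozenset()   # documents obtained from the vendor so far
    last_review: Optional[date] = None       # date of the last annual review, if any


# Assumed weights: data exposure and criticality dominate the score.
WEIGHTS: Dict[str, int] = {
    "mission_critical": 3,
    "handles_npi": 3,
    "network_access": 2,
    "uses_subcontractors": 1,
}

# Assumed diligence package per tier: more evidence is demanded as risk rises.
BASE_EVIDENCE: Dict[str, FrozenSet[str]] = {
    "high": frozenset({"questionnaire", "sla", "soc2_type2", "dr_plan"}),
    "moderate": frozenset({"questionnaire", "sla", "soc2_type2"}),
    "low": frozenset({"questionnaire"}),
}

REVIEW_INTERVAL_DAYS = 365   # assumed: one review per year
AS_OF = date(2024, 3, 1)     # constructed "today" so the example is deterministic


def risk_score(v: Vendor) -> int:
    """Sum the weights of every risk factor the vendor triggers."""
    return sum(w for factor, w in WEIGHTS.items() if getattr(v, factor))


def risk_tier(v: Vendor) -> str:
    """Assumed cut-offs: 5 or more is high, 2 to 4 is moderate, otherwise low."""
    score = risk_score(v)
    if score >= 5:
        return "high"
    if score >= 2:
        return "moderate"
    return "low"


def required_evidence(v: Vendor) -> FrozenSet[str]:
    """Tier package, plus a subcontractor inventory whenever fourth parties are involved."""
    required = set(BASE_EVIDENCE[risk_tier(v)])
    if v.uses_subcontractors:
        required.add("subcontractor_list")
    return frozenset(required)


def diligence_gaps(v: Vendor) -> List[str]:
    """Evidence the program demands that the vendor has not yet supplied."""
    return sorted(required_evidence(v) - v.evidence)


def contract_decision(v: Vendor) -> str:
    """Decline to proceed while any required item is missing."""
    return "decline" if diligence_gaps(v) else "approve"


def review_overdue(v: Vendor, today: date = AS_OF) -> bool:
    """True when the vendor was never reviewed or the last review is older than the interval."""
    if v.last_review is None:
        return True
    return (today - v.last_review).days > REVIEW_INTERVAL_DAYS


def evaluate(vendors, today: date = AS_OF):
    """Produce the per-vendor record a vendor-management file would hold."""
    return {
        v.name: {
            "score": risk_score(v),
            "tier": risk_tier(v),
            "gaps": diligence_gaps(v),
            "decision": contract_decision(v),
            "review_overdue": review_overdue(v, today),
        }
        for v in vendors
    }


# Constructed, fictitious sample vendors.
SAMPLE_VENDORS = [
    Vendor("Acme Managed IT", True, True, True, True,
           frozenset({"questionnaire", "sla", "soc2_type2"})),
    Vendor("Payroll SaaS Co", False, True, False, False,
           frozenset({"questionnaire", "sla", "soc2_type2"}), date(2023, 1, 10)),
    Vendor("Office Supplies Ltd", False, False, False, False,
           frozenset({"questionnaire"}), date(2024, 1, 15)),
]

if __name__ == "__main__":
    for name, record in evaluate(SAMPLE_VENDORS).items():
        print(f"{name}: {record}")
```

The managed IT provider scores 9 and lands in the high tier, so its SOC 2 and SLA alone are not enough: the disaster-recovery plan and the subcontractor list are reported as gaps and the decision is "decline" until they arrive. The same three documents satisfy the moderate-tier payroll vendor, which illustrates the article's point that diligence effort should scale with risk rather than being uniform.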
Critical to the integrity of a vendor management program, entities should employ an annual review of the vendor management process, as well as the third party(ies) they’ve contracted to determine relevance and efficiency.
The longevity and success of entities employing third-party services is contingent on the diligence they put forth in the vetting process. An independent risk and gap assessment should be performed to measure the internal controls in place. Internal controls should be in place to mitigate the same risk areas that the entity's contracted vendor is responsible for. In many instances, the user control considerations listed in the vendor's SOC report (the controls the report assumes the customer operates, such as managing its own user accounts and access approvals) are not implemented promptly, which undermines the assurance the report provides and the quality of service the provider can deliver. For the Vendor Management program to be successful, every user control consideration should be addressed and its implementation evidenced.
Finally and critically, it is incumbent for business success that entities refuse to enter into contracts with third parties whose standards do not meet their Vendor Management Program specifications.
Though it is not the "end all" and "cover all" for every risk, implementing a Vendor Management Program will reduce many of the risks that accompany outsourcing, and bring companies closer to the level of assurance and peace of mind sought in outsourcing, while still maintaining profitability.