The days of doing business with a handshake and a smile are long gone. However, one thing continues to remain constant—how few vendor contracts are updated, even if the scope of service changes. This can be detrimental to an organization, particularly if the vendor is handling sensitive data such as personally identifiable information (PII), protected health information (PHI), cardholder data (CHD), or confidential, intellectual property and strategic data (also known as CIPS).
Periodically reviewing—and appropriately updating—master services agreements ensures both parties are aware of the processes, data elements and where the data processing is being performed. In other words; contracts must be continuously reviewed and revised as scopes of work change. The best way (or at least, the cleanest way) to update the master services agreement is via addendums that are signed and dated by both parties.
Effective vendor risk management is in managing the details. A key consideration in developing a durable vendor contract also means identifying the success criteria for the vendor and includes:
- The business unit’s requirements for the vendor
- The technical requirements involved (e.g., data elements, IT components, connectivity)
- The vendor’s requirements for the customer
To ensure that all expectations (performance, compliance, regulatory, etc.) are met—and no one is blindsided—it is important for the organization to identify early and manage the following key vendor risk operational points:
- Coordination between sourcing and vendor management
- Vendor risk classification
- The monitoring of vendor performance
- Effective use of assessment results
- Responding to and managing vendor performance issues
But what do you do if the vendor is not living up to the agreed-upon expectations documented in the contract?
An exit strategy is a must when a vendor does not meet its contractual expectations. It is a prudent step for the organization to ensure that a backup plan exists to either redirect the work to an already existing vendor used by the organization or to find a new vendor (one that most likely went through the previous request for proposal [RFP] process).
In my upcoming session (#145—“Contracting for the Full Vendor Lifecycle”) at ISACA’s 2015 North America CACS taking place 16-18 March 2015 in Orlando, FL, I will discuss these and other challenges during the contract phase of the third-party relationship. Hope to see you there!
Tom Garrubba, CISA, CRISC, CIPT, CTPRP
Senior Director, The Santa Fe Group
Program Director for the Shared Assessments Program