As the end of the year approaches, we reflect on 2022 as we prepare for 2023. From a vendor management perspective, 2022 has been both a continuation and expansion of the risks and the challenges that radically changed “business-as-usual” worldwide in 2020.
Vendor Management Lessons Learned in 2022
Here are some of the biggest lessons we learned this year:
- Cybersecurity should remain a top priority. The increase and diversification of cyberattacks and exploits have been seen in virtually every sector. Frequently monitoring your third parties for changes to their cybersecurity posture is key.
- Vendors must have adequate business continuity plans. The long tail effects of the pandemic will be seen in supply chains for years to come. Third parties critical to your organization must be scrutinized thoroughly and have the evidence to prove their business continuity plans are sufficient to support your organization even under the most challenging circumstances.
- Monitoring your vendors’ financial health is crucial. The economic pressure on organizations of all sizes has been felt on a global scale. While we can hope for the best outcomes, it’s important to keep the financial health of your third-party vendors well in your sights. Risk monitoring and alert services can provide much-needed visibility between annual risk reviews.
- Consider the value of outsourced vendor risk management. Understaffed vendor management programs have always been an issue. It is a good idea to outsource vendor risk management tasks, including due diligence, to supplement any capacity gaps (employees or expertise).
5 Tips for Vendor Management in 2023
Now that we’ve covered some of the most important lessons learned, it’s important to know the next steps. Here are some ideas to convert into action for new or emerging third-party risks in 2023:
- Partner with your information security team to review and update your existing third-party due diligence questionnaires. It’s important to ensure they reflect the current cyber risk environment and include a strategy to address significant cybersecurity changes or emerging threats that require specific third-party action or response outside of the annual risk review.
- Make sure your annual risk reviews are current, and yes, prioritize critical third parties. If you have any lapsed or late reviews, consider outsourcing due diligence document collection and review to external vendor management service firms. In many cases, this is more cost-effective than adding staff and usually results in a shorter turnaround time than when using internal resources.
- Pay special attention to your third parties’ business continuity and resiliency planning. Testing of the plan is essential. The third party should be expected to disclose any issues or gaps identified during testing and provide their remediation plan to close the gap.
- Review your third-party insurance requirements, making sure that cyber insurance is a separate policy from general liability. Work with your legal team to review or update required policy types and coverage amounts. Also confirm that those requirements are included in your organization’s third-party contracts.
- Subscribe to risk alert and monitoring services. It’s a simple way to improve continuous third-party risk monitoring and makes it easier to spot declining financial performance.
Looking back to late 2019, most of us couldn’t have imagined what the next two years would have in store. Here we are closing out 2022, still managing many of the same third-party risks we had pre-pandemic. As 2023 approaches, it’s good to remember that preparation, information and teamwork are the ingredients for any successful vendor risk management program. We help clients successfully navigate complex vendor negotiations by providing analysis, strategy development, procurement support and competitive market insight into unit pricing, licensing structures, term concessions, total cost of ownership (TCO) modeling and negotiation precedence that serve as valuable leverage in the contract negotiation process. Contact us today!