By Todd Fitzgibbon
‘Tis the season when love is in the air. Unfortunately, when it comes to managing your third-party vendors, it’s not always flowers and candy hearts with sweet nothings printed on them. Yes, there is a right time to break up with a vendor you’ve been working with, even one that has been part of your roster for years. Breaking up is hard to do in these situations, and sometimes the hardest part is knowing when you should do it.
Cristiano Ronaldo’s tax evasion and assault accusations brought this issue into stark relief for me recently. What do soccer (football to the rest of the world) and your third-party risk management have in common? In short, it’s about brand reputation. A big brand paying an athlete like Ronaldo to wear their gear or show up in a video game may be fine with him missing a free kick (or even 13 free kicks). But it’s a little different when there is another flesh-and-blood human being accusing that same star of some very heinous acts. As a sponsor, their brand is tied to their star athlete’s brand. When something goes very wrong with the relationship, they know when to end it.
In much the same way, the value of your brand and your reputation with your customers is closely tied to the third-party vendors you work with. While it may seem difficult to know when to cut ties, you can do it in a fairly systematic way.
Understanding and Measuring Your Risk Tolerance
The first step is understanding your tolerance and all of the risk factors that influence it. Before you’ll ever break up, let alone start dating, you need to clearly understand what you like (or expect) and what you don’t. The factors you use to measure established vendors against your risk tolerance should be the same factors that help you decide during the selection process. Assessing each of these components of risk created by a third-party vendor, and rolling them up, will allow you to score the risk associated with each vendor. Set a threshold for the risk you’re able to tolerate, and flag any vendor that breaks the threshold. If they break it often enough, or by more than a certain degree, then you know it’s time for “the talk.”
Of course, nothing is ever that simple, since your organization will care more about certain types of risk than others. Scoring every type of risk equally is a fairly blunt way of understanding a vendor. Weighting the scores makes the model granular enough to reflect the individual factors that play into it, and allows you to make decisions based on the nuances behind the aggregate risk score rather than on the single number alone.
For example, you may be able to tolerate a slight hiccup in your supply chain introduced by a third-party vendor if you have an adequate continuity plan in place that mitigates the disruption to your customers. Perhaps that vendor has had a stellar record with you for a decade, and since this is the first instance of a problem, you weight it accordingly. However, you may not be as comfortable with a third-party vendor that opens your organization to a security breach, or doesn’t maintain the same ethical business practices that you do. As they say, you’re guilty by association, which means your brand is on the line too.
As with other areas of life, sometimes your criteria and what you require, or are willing to accept, will change over time and with circumstance. Risk tolerance is not a set-it-and-forget-it variable; just as your vendors are evaluated regularly, it too should be reevaluated on a regular basis. Relationships are complicated, and you need to ensure your ability to measure them is just as dynamic.
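To make the scoring approach above concrete, here is an added example (not code from the original post) that scores each vendor assessment with weighted categories, applies per-category hard stops for the risks you cannot tolerate at any level, counts how often and by how much a vendor breaks the aggregate threshold, and gives a first offence after a long clean record a discount. The categories, weights, limits, the halving discount and the vendor histories are all assumed and constructed for illustration; a real program would load its tolerance from a governance document and revisit it on a schedule.

```python
"""Weighted third-party risk scoring with a tolerance threshold (illustrative)."""
from dataclasses import dataclass


@dataclass
class Tolerance:
    """Organisation-specific risk tolerance. All values here are assumed, not prescribed."""
    weights: dict            # category -> relative importance of findings in that category
    hard_stops: dict         # category -> severity (0-10) that is never tolerated
    aggregate_limit: float   # weighted score above which an assessment counts as a breach
    max_breaches: int        # breaches over the history that end the relationship
    breach_margin: float     # one breach exceeding the limit by more than this also ends it
    clean_years_discount: int = 5  # clean assessments that earn a first-offence discount


@dataclass
class Assessment:
    year: int
    scores: dict  # category -> severity 0-10 observed in that period (missing = 0)


def weighted_score(scores: dict, weights: dict) -> float:
    """Weighted average of category severities, normalised so the result stays on 0-10."""
    total = sum(weights.values())
    return sum(w * scores.get(cat, 0.0) for cat, w in weights.items()) / total


def evaluate(assessments: list, tol: Tolerance):
    """Walk a vendor's history oldest-first; return ('keep'|'flag'|'terminate', reasons)."""
    breaches, clean_streak, reasons = 0, 0, []
    for a in sorted(assessments, key=lambda x: x.year):
        # Hard stops first: a serious security or ethics finding is not averaged away.
        for cat, limit in tol.hard_stops.items():
            if a.scores.get(cat, 0) >= limit:
                reasons.append(f"{a.year}: {cat} severity {a.scores[cat]} hits hard stop {limit}")
                return "terminate", reasons
        score = weighted_score(a.scores, tol.weights)
        # First offence after a long clean record: still logged, but discounted (assumed: halved).
        if score > tol.aggregate_limit and breaches == 0 and clean_streak >= tol.clean_years_discount:
            score /= 2
            reasons.append(f"{a.year}: first finding after {clean_streak} clean years, discounted to {score:.2f}")
        if score > tol.aggregate_limit:
            breaches += 1
            clean_streak = 0
            reasons.append(f"{a.year}: weighted score {score:.2f} exceeds limit {tol.aggregate_limit}")
            if score - tol.aggregate_limit > tol.breach_margin:
                reasons.append("single breach exceeds the tolerated margin")
                return "terminate", reasons
            if breaches >= tol.max_breaches:
                reasons.append(f"{breaches} breaches reached the maximum of {tol.max_breaches}")
                return "terminate", reasons
        else:
            clean_streak += 1
    return ("flag" if breaches else "keep"), reasons


# Assumed tolerance: security and ethics weigh most and carry hard stops; continuity weighs least.
TOL = Tolerance(
    weights={"security": 4, "ethics": 3, "regulatory": 2, "continuity": 1},
    hard_stops={"security": 8, "ethics": 8},
    aggregate_limit=2.0,
    max_breaches=3,
    breach_margin=2.5,
)

# Constructed vendor histories (not real vendors).
# Ten clean years, then one bad shipping quarter: discounted, stays under the limit.
LONG_TERM_LOGISTICS = [Assessment(y, {}) for y in range(2009, 2019)] + [
    Assessment(2019, {"continuity": 10, "regulatory": 8}),
]
# Recurring moderate security findings with no clean history to fall back on.
FLAKY_SAAS = [
    Assessment(2017, {"security": 5, "regulatory": 3}),
    Assessment(2018, {"security": 4}),
    Assessment(2019, {"security": 6, "continuity": 4}),
]
# One serious security finding trips the hard stop regardless of the aggregate.
BREACHED_PROCESSOR = [Assessment(2018, {}), Assessment(2019, {"security": 9})]
# Nothing hits a hard stop, but the aggregate overshoots the limit by more than the margin.
ETHICS_AND_SECURITY_SLIDE = [Assessment(2019, {"security": 7, "ethics": 7, "regulatory": 7})]

if __name__ == "__main__":
    for name, history in [("long-term logistics", LONG_TERM_LOGISTICS), ("flaky SaaS", FLAKY_SAAS),
                          ("breached processor", BREACHED_PROCESSOR),
                          ("ethics and security slide", ETHICS_AND_SECURITY_SLIDE)]:
        decision, why = evaluate(history, TOL)
        print(f"{name}: {decision}")
        for line in why:
            print("   ", line)
```

Note that the supply-chain hiccup from the long-standing vendor never reaches the termination path, while a single security or ethics finding at hard-stop level ends the evaluation immediately, which is the weighting the post argues for. The `Tolerance` object is the part to keep under change control and revisit when regulation or business circumstances shift.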
Other Considerations: Influence and Continuity Planning
It should go without saying, but relationships are highly susceptible to influence beyond the involved parties. Regulation is the mother-in-law of vendor risk management: we may not like her, but we have to deal with her. Emerging blanket regulations like GDPR and the California Consumer Privacy Act (CCPA) join the long list of industry regulations that have significant influence over third-party relationships. Your risk tolerance needs to take into consideration, and weight accordingly, the impact of any regulatory risk that affects your relationships.
Finally, before you pull the plug on any relationship, regardless of how toxic it is, you need to have a continuity plan documented with “B” and “C” vendors in place. While it may not be nice to jump to the next relationship immediately after breaking up in your personal life, in business it’s the only way to ensure that your organization will be able to move forward and thrive.
Hugs & Kisses!