Whilst supporting organisations in building their compliance programs, we have often found that they have failed to fully consider their vendors from a commercial, operational, legal and compliance standpoint. As a result, in some cases they have unnecessarily increased their costs and exposed themselves to risks that should have been assessed before appointing those vendors.
In light of this, we thought it would be helpful to share our top 10 commercial and operational points that organisations should consider when appointing a new vendor:
1. What are the purpose and benefits of using the vendor?
2. Do we have any existing vendors that already offer the same or a similar service?
3. Have the vendor's services been compared to others in the market?
4. Is the vendor's pricing competitive?
5. Are there any strategic risks from using the vendor (e.g., the impact of it failing to provide its services)?
6. Are there any financial risks in using the vendor (e.g., it is facing the prospect of financial difficulties and may not be able to fully provide its services)?
7. Are there any reputational risks with using the vendor, such as it becoming the subject of negative public perception (due to unethical business practices, data breaches or loss of confidential information)?
8. Are there any operational risks with the vendor in respect of its systems, processes or people?
9. Are there any technology risks (whether hardware or software) with the vendor?
10. Are there any country risks that would impact the vendor's ability to deliver services (such as political, economic or social factors in the country from which the vendor operates)?
When it comes to legal and compliance, organisations are advised to send a vendor due diligence questionnaire to their prospective vendor before signing any contractual documentation. Examples of 5 high-level questions that could be included in a vendor due diligence questionnaire are as follows:
1. Do you have the appropriate registrations, licences and authorisations?
2. Do you have an anti-bribery and corruption program in place (including policies, procedures and training)?
3. Do you have an anti-slavery and human trafficking compliance program in place (including a public statement, policies, procedures and training)?
4. Do you have a data protection program in place (including public privacy notices, internal privacy policies, procedures and training)?
5. What insurance have you taken out, if any? What is the level of such insurance?
If you would like any assistance in creating a policy for vendor management and/or a due diligence questionnaire, please contact Lindsay Healy, Puja Modha and Inga Kroener.
General Update by Lindsay Healy, Puja Modha and Inga Kroener, Partner at Aria Grace Law