Locking Things Down In Vendor Relations

May 17, 2018 THE NONPROFIT TIMES

Most nonprofits have a firm grasp on the quality of work being conducted by their staffs. A similar grasp on the work of those functioning on the organization’s behalf, such as vendors, might be a little more elusive.

During their presentation, “The Art (and Science) of Managing Risk with Third-Party Vendors,” at the Nonprofit Risk Summit in Philadelphia, Pa., Morgan Gomillion, contracts specialist at Health First Health Plans; Beverly Magda, associate provost of strategic partnerships at Harrisburg University of Science and Technology; Brian Nesgoda, senior vice president of Enterprise Risk Management and chief information security officer for Sikorsky Financial Credit Union; and Tom Rogers, CEO of Vendor Centric, discussed keys to managing the risk associated with third-party vendors.

Third-party horror stories including Equifax, Goodwill, and community colleges across the state of Washington have brought increased sensitivity to third-party issues, said Rogers. Increasing regulations and certifying bodies are also ramping up awareness. Specific tips discussed during the session included:

  • What to consider around vendor management: Vendor management is a relationship-management business, according to Gomillion. An attorney by background, Gomillion said that her focus has often been in contracting and identifying what various donor relationships will cover. Beyond that, however, there needs to be a sense of mutual needs, communication, and other factors that lean more toward relationship building than contract provisions.
  • Cyber risks and how to avoid them: Focus on controls as opposed to threats, Nesgoda suggested. Sikorsky became the first credit union to be tested for cyber security by the U.S. Department of Homeland Security in 2013. After that evaluation, the organization’s focus turned to data: where it goes and where it is stored. Vendors were categorized in four tiers based on how critical the data each one might handle is, and Sikorsky leaders evaluated gaps and what response would be necessary if any one area went down.
  • Also don’t take vendors at their word. A company president once represented to Magda that the company was Payment Card Industry (PCI) compliant. A detailed questionnaire, however, revealed that it wasn’t and the contract was delayed. Be sure to ask detailed questions on how data is secured and request reports.
  • What is important to get right in contracting: Insurance, indemnification, data storage, and corporate compliance — giving the organization an opportunity to hear about potential issues first — are primary conditions to focus on, according to Gomillion. Magda recommended inserting right-to-terminate language that details how and under what timeframe data will be returned to the organization should a relationship go south.