Most companies hire vendors in the course of doing business. The vendor could be a supplier of goods, a service company, a technology provider, or a building contractor. Senior management and corporate boards justifiably have questions and concerns about how to protect against vendors’ actions that might produce a loss.
Examples that could happen to any organisation include the following: (1) a software vendor’s employee sabotages the hiring company’s records because of personal animus; (2) a vendor hired for window washing has an accident at the hiring company’s building, suffering a crash that injures the vendor’s employees and passersby; or (3) a vendor hired by a doctor to handle medical records leaves files on the train by accident, exposing patients’ confidential personal information.
If the vendor will not or cannot cover the cost of losses it creates, either through insurance or liquid assets, then the hiring company will be on the hook for these costs. Even if the hiring company has insurance that will cover the loss, it will likely have to pay a deductible, incur further expenses, and get a rate increase from its insurer at renewal. The financial hit often can be less costly than the reputational damage a company suffers as a result of a vendor’s mistakes or poor judgement.
As hiring companies focus on making sure they have protection against vendor risks, they should recognise what they can do well themselves and what they may have to hire experts to do for them. There are firms that review vendor credentials, including insurance coverage and other aspects of vendor status. Here are three methods to adopt for better vendor management:
Using set criteria for each vendor category will enable the hiring company to narrow a large list of possible vendors to a handful. The final choice may be based on the weighting of the criteria, price, or another factor. Hiring companies can create criteria based on their experience, benchmarking with similar companies, or their best judgement. Some typical criteria include:
- Minimum number of years in operation: Is a vendor mature enough to have a track record?
- Minimum size (revenues or staff): Is it large enough to handle the assignment?
- Geographic presence: Are its locations where you need them to be, and are any in a location that might be subject to high risk?
- Satisfaction data (references, social media reputation, ratings by recognised accreditation services): Is the track record acceptable?
- Management structure: Is there sufficient accountability?
- Ownership: Is it reputable?
- Financial stability: Do the financials raise any red flags?
- Staff tenure: Is turnover a problem?
- Staff education/certification: Is the staff knowledgeable?
- Bonding: If staff needs to be bonded, what is the proof?
- Staff hiring protocol: Are workers adequately vetted?
For these criteria to be effective, they must be used without exception. That someone in the hiring company knows a particular vendor’s CEO or has used the vendor in the past should not preclude the need for the vendor to meet the criteria.
Vendors can make claims that aren’t true. Therefore, care should go into making sure that information provided by the vendor is verified. Even references by the vendors’ other clients should be treated carefully. Do these clients have ulterior motives for giving a good reference? Are there a sufficient number of references to be meaningful? Are the references consistent with the vendor’s general reputation, comments about the vendor on social media, or the vendor’s legal history?
When a hiring company chooses a vendor, there is an expectation that the vendor is properly covered by insurance for losses incurred by its acts. To ensure that such insurance coverage exists, the hiring company needs to review proof that the vendor has executed a proper hold-harmless agreement protecting the hiring company and has appropriate levels of insurance to cover losses it creates.
A commercial general liability policy, for example, will cover situations such as (1) the vendor damaging the hiring company’s or another’s property or (2) the vendor injuring the hiring company’s employee or another person while performing work on behalf of the hiring company. Such a policy is not intended to guarantee the vendor’s work. That type of coverage would come under a performance bond.
A thorough insurance review of the vendor should determine the following:
- The existence of insurance.
- The insurance policy’s expiration date.
- The identity and rating of the insurer.
- The coverage or types of policies the vendor has (commercial general liability, workers’ compensation, commercial auto, cyber, etc.).
- The insurance policies’ limits, deductibles, and exclusions.
- Whether the hiring company is insured on the policy.
Typically, vendors present the hiring company with a certificate of insurance (COI) to prove that they have insurance. However, looking at the vendor’s COI does not provide sufficient assurance that the vendor is maintaining its coverage, the hiring company has been added as an additional insured (if that is part of the agreement between the vendor and hiring company), or the policy is free of problematic exclusions.
A thorough insurance review includes looking at the actual policy and checking the status of coverage during the policy period. An insurance review is not a one-time exercise. Periodic checks must be performed to make sure the policy has not been cancelled by the vendor or insurer and that endorsements, which might alter the coverage from the initial terms and conditions, have not been enacted.
Firms provide this service for companies to ensure that this aspect of vendor management is done thoroughly and professionally.
It is not enough to assume that no news is good news when it comes to vendor performance. Hiring companies should institute formal performance evaluations for each vendor at least once a year, if not more often. Time frames can be selected based on the significance of or the budget associated with a vendor relationship. These evaluations are a way to ensure that expectations of the hiring company and vendor do not deviate too far or too long without being addressed.
The evaluation criteria should include, at the very least, performance against the following indicators:
- Service-level agreement standards or other agreed-upon standards.
- Ability to respond to changes or special requests.
This should not be an internal, secret document but rather a transparent gathering of performance data, resulting in an assessment and dialogue between the hiring company and the vendor.
It should become part of a larger record on the vendor, which includes historical and current information.
Donna Galer and Al Decker are authors of two books on enterprise risk management, including Enterprise Risk Management: Straight to the Value. Galer is a former insurance executive who works as a consultant. Decker is the former executive director of ERM at Electronic Data Systems in Plano, Texas, and now is a consultant providing ERM advisory services.