Your vendors have promised a lot. More than just providing products and services, they’ve promised to keep your data safe and their systems backed up. They’ve promised to carry insurance and follow applicable laws and regulations.
While it’s obvious when a product or service is delivered—the lawn is cut or a new sign is delivered—it’s much harder to tell if a vendor is following policies and procedures and meeting the less visible obligations.
How do you know whether your vendors are actually doing what they say they are doing?
It comes down to three key types of vendor monitoring:
- Vendor reports
- Third-party reports
- Audit rights
Tracking a vendor’s every action would be onerous and negate the value of outsourcing. Just imagine having an employee monitoring a vendor’s software as a service (SaaS) 24 hours a day to ensure it hadn’t gone out. If there were an outage, that employee would have to investigate whether the vendor was down or if it was just an issue with the institution’s internet connection. It’s just not practical.
It makes a lot more sense to have the vendor monitor its own performance and provide reports. The vendor is in the best position to monitor its work and let you know if it’s meeting its obligations in areas like uptime, security, and vulnerability testing. Yes, you’ll have to count on the vendor to provide accurate information, but if you suspect the vendor is lying to you in its reports, you’ve got a much bigger problem—and an issue for the courts.
Third-party reports are information provided by organizations hired by your vendor. This includes internal/external audits and exams, SSAE 18s, insurance certificates, outside test results, notices from suppliers, and other documents. Issues (findings) identified in these processes or work products may be a red flag that the vendor is not meeting an expectation for its products and services. These instances should be recorded as part of vendor monitoring and leveraged throughout the lifecycle of managing your vendor(s).
Reports from established, well-known partners can provide objective assurances that a vendor is performing as promised.
Even if you never use them, it’s smart to include audit rights in a third-party vendor agreement. While you should be able to trust the vendor to provide truthful reports, preserve the right to audit the vendor, whether through a third party or your employees.
Audit rights don’t give your institution carte blanche. The vendor is likely to require you to pay for the audit (including the time of its employees), provide reasonable notice, and limit your access to relevant records and facilities.
Accessing Vendor Monitoring Tools
Monitoring tools like vendor reports, third-party reports and audit rights aren’t automatically available as part of a vendor contract. They must be negotiated into the third-party vendor contract so that you or the third party conducting your due diligence can access them on a regular basis.
Consider insurance. Most contracts require vendors to carry insurance. The contract also needs to include tools to ensure ongoing insurance coverage. For example, a contract could require a vendor to provide an updated certificate annually or upon reasonable request. It could require immediate or prompt (make sure this term is defined) notice if insurance coverage lapses or falls below a certain threshold. The agreement could be written so that the insurance company would provide notice directly. This ensures there is a monitoring mechanism.
Don’t rely on the word of your salesperson. If it’s not in writing, it’s not enforceable. Use the bargaining power you have before signing a contract to ensure you have all the monitoring tools you need.
Monitoring tools aren’t effective if the service-level agreement isn’t clear about what the vendor needs to provide from a performance perspective or if it doesn’t contain remedies to address failures.
Contracts need to define:
Expectations. Define the service levels third-party vendors are expected to meet. These should be specific and measurable goals. For example, your contract may guarantee that uptime (the period of time services are available) is at least 99 percent, or the vendor may agree to carry a specific type of insurance in a minimum amount.
Make sure the provisions are detailed. Define terms like uptime and downtime and address exceptions, such as scheduled maintenance.
Monitoring. Add provisions ensuring the vendor will provide you with information to gauge its performance. This includes internal reports and audits, SSAE 18s, financials, insurance certificates, test results, notices from suppliers, and other documents. If you don’t specifically secure access to these documents in the contract, the vendor is not obligated to provide them.
Remedy. In the event the vendor breaches expectations, you want a way to remedy the situation. Remedies should exist for the most important elements of the contractual relationship, ones that have a significant impact on the institution.
In the most extreme cases, you want the ability to terminate without liability due to a material breach. But most failures don’t warrant switching vendors, which can be a huge headache. Instead, the contract should provide a remedy that creates an incentive for the vendor to perform.
For example, a vendor might promise an uptime of 99 percent. If uptime is only 98 percent, your institution might be owed a credit. Or the contract might give the vendor a bit of wiggle room and say that if it misses the uptime goal two months in a six-month period, your institution receives a discount. The remedy should be reasonable and fair to both parties.
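The uptime definition and remedy rules above only work if someone actually computes them the same way the contract words them. The following script is an added example, not code from the article or from any vendor; it assumes a contract that defines uptime as a monthly percentage, carves scheduled maintenance windows out of the measurement base, owes a credit for any month under 99 percent, and owes a discount when two months in any six-month span miss the target. The outage and maintenance records are constructed sample data standing in for a vendor's monthly report.

```python
from datetime import datetime

# Constructed sample data (not from the article): one vendor's January 2024 report.
# Each interval is (start, end). Assumes maintenance windows do not overlap each other.
SAMPLE_OUTAGES = [
    (datetime(2024, 1, 5, 2, 0), datetime(2024, 1, 5, 3, 0)),    # inside scheduled maintenance
    (datetime(2024, 1, 12, 10, 0), datetime(2024, 1, 12, 14, 0)), # unscheduled, 4 hours
    (datetime(2024, 1, 20, 23, 0), datetime(2024, 1, 21, 1, 0)),  # unscheduled, 2 hours
]
SAMPLE_MAINTENANCE = [
    (datetime(2024, 1, 5, 1, 0), datetime(2024, 1, 5, 4, 0)),     # announced 3-hour window
]

# Constructed six-month series of monthly uptime percentages for the remedy check.
SAMPLE_HALF_YEAR = [
    ("2024-01", 99.19), ("2024-02", 98.70), ("2024-03", 99.50),
    ("2024-04", 99.90), ("2024-05", 98.40), ("2024-06", 99.80),
]


def overlap_seconds(a, b):
    """Seconds shared by intervals a=(start, end) and b=(start, end); 0 if disjoint."""
    start = max(a[0], b[0])
    end = min(a[1], b[1])
    return max((end - start).total_seconds(), 0.0)


def monthly_uptime(year, month, outages, maintenance):
    """Uptime percent for one calendar month.

    Downtime inside a scheduled maintenance window is not counted, and the
    maintenance time itself is removed from the measurement base, which is the
    'exceptions such as scheduled maintenance' clause the article says to define.
    """
    m_start = datetime(year, month, 1)
    m_end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    month_iv = (m_start, m_end)
    total = (m_end - m_start).total_seconds()

    excluded = sum(overlap_seconds(w, month_iv) for w in maintenance)

    downtime = 0.0
    for o in outages:
        clipped = (max(o[0], m_start), min(o[1], m_end))  # only the part in this month
        if clipped[1] <= clipped[0]:
            continue
        in_month = (clipped[1] - clipped[0]).total_seconds()
        during_maint = sum(overlap_seconds(clipped, w) for w in maintenance)
        downtime += max(in_month - during_maint, 0.0)

    measured = total - excluded
    if measured <= 0:
        return 100.0
    return 100.0 * (1.0 - downtime / measured)


def evaluate_remedies(uptime_by_month, target=99.0, window=6, misses_for_discount=2):
    """Apply the two remedy rules from the article to a chronological series.

    uptime_by_month: list of (label, uptime_percent), oldest first.
    Returns the months that earn a credit and whether any rolling window of
    `window` months contains `misses_for_discount` or more misses.
    """
    credit_months = [label for label, pct in uptime_by_month if pct < target]
    discount = False
    for i in range(len(uptime_by_month)):
        chunk = uptime_by_month[i:i + window]
        misses = sum(1 for _, pct in chunk if pct < target)
        if misses >= misses_for_discount:
            discount = True
            break
    return {"credit_months": credit_months, "discount_triggered": discount}


if __name__ == "__main__":
    jan = monthly_uptime(2024, 1, SAMPLE_OUTAGES, SAMPLE_MAINTENANCE)
    print(f"January 2024 uptime (maintenance excluded): {jan:.2f}%")
    naive = monthly_uptime(2024, 1, SAMPLE_OUTAGES, [])
    print(f"January 2024 uptime (no exclusions):        {naive:.2f}%")
    print(evaluate_remedies(SAMPLE_HALF_YEAR))
```

The point of the two January figures is the one the article makes about definitions: the same outage records give a different number depending on whether scheduled maintenance is carved out, so the contract has to say which calculation counts. The remedy evaluation is deliberately a rolling window rather than calendar halves, because "two months in a six-month period" is usually read that way; if the contract means fixed half-years, that is a different rule and should be written down.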
Use this knowledge to negotiate a contract that gives you the tools you need to properly manage vendor performance. It’s the only way to know if your vendor is doing everything it claims.