What type of vendor management policy should our law firm be following?
A strong vendor management policy is the foundation for more than your vendor management practice and any vendor risk management software you use. It also protects your client and workplace information and helps your law firm stay in compliance with data security regulations and its obligation to keep client information confidential.
Law firms vary in their scope and needs, so there is no one-size-fits-all approach. Once you develop your policy, however, it should become a procedural document that can be followed in detail as part of vendor onboarding, and it should be reviewed on a regular schedule rather than left static.
What goes into the policy in the first place? Determine which questions your specific firm needs to answer at the outset and you will end up with a much more streamlined and usable document (while, as always, leaving room to adapt). Every vendor management policy should address the following areas, each phrased as questions you put to the vendor before and during the relationship.
- Security – is data encrypted in transit and at rest, how is information stored, and what measures are taken to prevent a data breach
- Physical and environmental – are there redundant backups in multiple locations, and how is physical access to the facilities that hold your data controlled
- Network and system – what type of system is the vendor using, is it cloud-based, and where is the data hosted
- Data – who owns and controls the data, and how is it returned or deleted if you decide to stop using the vendor
- Access control – who at the vendor (and at any subcontractors) has access to your data, and how is that access authenticated and logged
- IT acquisition and maintenance – how are security updates and patches scheduled, tested, and applied
- Incident management and disaster recovery – what is the vendor's responsibility to notify you in the event of a data breach or data loss, within what time frame, and do they have a tested disaster recovery plan
- Compliance requirements – what is done to protect confidential information, and is data stored and processed in compliance with regulations such as GDPR
Risk scoring criteria
Assessing vendor risk is a crucial step in selecting – and then maintaining – third-party vendor relationships. Your scoring should be methodical, carefully defined, and communicated to vendor relationship managers so that the same vendor gets the same score no matter who assesses it. Each firm should assess vendors according to the criteria that make sense for it, although a three-tier scale of low, medium, and high risk is easy to manage.
There is no industry standard for risk levels. Keep the following criteria in mind, though.
- How essential is the vendor to delivering your products and services, and how quickly could you replace them?
- How much personally identifiable information will they have access to, for both clients and employees?
- Will they have access to confidential and/or non-public information about your firm or its clients?
- Are there personal connections between your firm and the vendor that may warrant additional diligence?
Risk assessment and management
What risks does your business face? How could you avoid them, or, barring avoidance, mitigate them? Vendor risk management software can do a lot of the legwork of evaluating and tracking third-party vendors, which helps prevent compliance issues, but the software only enforces the criteria you define in your policy; it does not replace them.