COMPLIANCE HOT TOPIC

Vetting Low Risk Vendors

QUESTION: My company vets its vendors that provide services relative to our core business, but do we also need to perform vendor management on non-business-related service providers, such as janitorial services?

ANSWER: Simply, yes. Any activity outsourced to a vendor or service provider can possibly introduce risk, even though it may not seem apparent. Vendor management is about identifying, measuring, monitoring and controlling risks associated with outsourcing services. Companies should risk rate vendors to help determine the level of due diligence and oversight needed.

In the case of a janitorial service, it may be determined that the risk is low, as the third-party provider may not be exposed to any confidential or proprietary information and may, therefore, not present data security or compliance risk to the company. However, for other companies that do not adhere to clean desk policies and procedures, a third-party janitorial crew may present a higher risk, as the janitorial staff may have access to confidential or proprietary information.