Vendor Risk Management: Overcoming Internal Roadblocks and Building a Leading Program

Lee Garbowitz | June 19, 2019

HBR and GLG Law (Gerson Lehrman Group, Inc.) recently co-hosted their first education session on Vendor Risk Management in New York City. This session was part of a quarterly series to provide expert insights into topics that are front-of-mind among legal procurement leaders. HBR’s partnership with GLG, a platform connecting professionals to expert insights, ensures the sessions deliver information from industry-leading sources.

I was privileged to facilitate a panel in which Greg Schlegel, founder of the Supply Chain Risk Management Consortium and co-author of “Supply Chain Risk Management: An Emerging Discipline,” and Joe Thompson, former Chief Procurement Officer at Avon, provided expert insights.

Vendor risk management is, or should be, a critical concern for law firms, given the changing regulatory environment, client expectations and the increasing exposure to potential risks facing law firms. Procurement leaders recognize this (participants in HBR’s 2018 Procurement Roundtable identified it as a top priority for 2019), but it can sometimes be difficult to get buy-in from the executive team. Following are the key themes discussed in this first education session, including some of the foundational tools and trends firms can leverage to manage vendor risk.


Impact of Risk Events on Law Firms

Do you know who has access to your framework and data? Can you confidently tell clients that their information is safe? Are you prepared for a risk event in order to prevent potential catastrophe?

Vendors present opportunities for efficiencies, mutually beneficial partnerships, and tools and technology to improve operations or service delivery. Unfortunately, vendors can also expose firms to increased vulnerability when firms outsource operations, share information or provide access to internal frameworks. Ignoring the risk exposure from a firm’s vendor base creates potential long-term problems and can magnify the effects of a risk event, heightening panic and confusion when there is no plan in place.

Firms are regularly targeted by hackers looking to hold files for ransom, erase files or steal information for corporate espionage and insider trading. When disaster strikes, having an action plan in place can right the ship quickly and efficiently, minimizing the reputational and financial impact of the event. Speed in risk management is critical – being able to prevent, identify or solve a problem quickly can mean the difference between a cost of a few thousand dollars and several million. A firm’s reputation takes years and potentially millions of dollars to build but can be destroyed in an instant when a firm falters publicly during a risk event. Losing the trust of clients and employees imposes a heavy cost on a firm for years to come.


Gaining Buy-In from Firm Leadership

Despite all this, only 53 percent of respondents to HBR’s 2018 Procurement Leader Survey had a formal vendor risk management policy in place. It can be difficult to convince firm leaders to invest in a problem that the firm is not immediately facing when there may be seemingly more pressing issues to solve or investments that may drive savings or business development. As one of the panelists observed, “no one gets promoted for good cost avoidance.”

One approach to gaining buy-in is to quantify the return on investment for a vendor risk management program. Though unconventional, this approach lets program advocates balance the program investment cost against the potential risk cost: the dollar value assigned to the impact of a risk event, weighted by the probability of that event happening. Quantitative evidence can help leadership better understand an intangible problem and shows that risk exposure carries very real, imminent costs.


Leveraging the Procurement Function for Vendor Risk Management

One of the most common mistakes made when implementing a vendor risk management program is underestimating the skills and resources needed to integrate an impactful, effective risk program into a firm’s strategy. Law firms’ risks differ from those of many other organizations or professional services firms. The decentralized nature of law firms allows partners to exercise great freedom in engaging vendors. In order to mitigate firm risk, internal teams need to understand the holistic vendor base and design processes that support partner needs while decreasing risk exposure.

Despite many law firms’ somewhat decentralized operations, our panel of experts agrees that the vendor risk management process and policy should sit within a firm’s procurement function, with oversight from the CPO and/or CFO. Procurement already houses the majority of policies and procedures related to managing a complex vendor base. Firm leaders should look to leverage the capabilities of the procurement team, supplemented with additional training specific to vendor risk management. The skills required for risk management diverge from the foundational proficiencies of procurement, so it is important to develop those capabilities internally until they are mature.

Building a program takes time and expertise, so firms should approach building a holistic risk management program in stages. Following are the major steps for developing a program that aligns with industry best practices:

  1. Understand the current environment. The first step should be to identify and quantify all active firm vendors across all departments and categories. Take an inventory of the information shared with and the access granted to each active vendor. Define the risks of interacting with each and assign the cost of a potential risk impact if a vendor lost all the information shared, if a physical location was destroyed by a significant weather event or if a vendor became insolvent and could no longer provide services. Firms should be able to categorize which relationships are most valuable to the firm, where there is the biggest threat to information loss and if there are any “weak links” in the vendor base.

  2. Build a program with policies and procedures that can accurately address the current environment and potential risks. It’s important to involve a broad array of perspectives in the vendor risk management program design process in order to prevent blind spots – early-stage planning meetings should have representation from many different departments and offices. Once there is a comprehensive list of potential risks and an established outline of needs firm-wide, the vendor risk management team can design a program that fits the unique needs of the firm’s stakeholders. An ideal program runs throughout the entire lifecycle of vendor interaction – pre-onboarding questionnaires to assign risk ratings and raise flags when necessary, validation of vendor compliance with firm guidelines, information on data sharing and level of access, and more.

  3. Continue to monitor the environment and measure program activity. With a program in place, the firm’s state of risk exposure needs active scrutiny. Stakeholders involved should monitor metrics to evaluate the program and its activity. Key metrics can include: number of vendors onboarded, number of vendors identified as critical or high risk, number of vendors flagged for additional review, and number of vendors that failed onboarding. Dashboards that update automatically can remove some of the manual effort involved in administering a third-party risk management (3PRM) program and ensure the firm’s vendor base is aligned with the firm’s risk appetite in real time. The program should be built to be flexible, so that it can be adjusted as needed based on changing firm needs and the regulatory environment in pursuit of continuous improvement.



To be successful, a firm needs to take a proactive approach to vendor risk management as opposed to the historical reactive approach that has led firms to be blindsided by catastrophe. Lack of preparation easily translates into millions of dollars in lost brand value, clients and employee information – a cost that could be detrimental to a firm’s reputational and financial health in the market.

For more information on building a vendor risk management program that aligns to your firm’s risk environment, please read our white paper “A Guide to Developing a Holistic Third-Party Procurement Risk Management Strategy” or contact me.