David Medrano, Director of Third Party Risk Management at MorganFranklin Consulting

Nearly all organizations understand the importance of leveraging third-party vendors, whether to limit cost or to use a solution that cannot be managed in-house. When an organization relies heavily on a third-party vendor’s solution, losing that solution could materially impact the organization’s processes or strategic goals. Organizations can mitigate this risk by implementing an exit strategy for their important third-party vendors.

What is a Third-Party Vendor Exit Strategy? 

A third-party vendor exit strategy is a plan developed by an organization to limit the impact to its processes when those processes are being completed by or supported by a third-party vendor. Exit strategies may not be required for all third-party vendors, so it is important to create a risk-based methodology to identify which third-party vendors should have an exit strategy in place (a gardening company may not need one, but a payroll system may). Although each plan will vary, it is important to ensure certain key factors are considered when creating these plans. Here is a list of a few of these factors: 

1. Communication 

One of the most important factors is a company’s communication plan. Communicating the intent to terminate a relationship with a third-party vendor is critical to ensure that the processes supported by that vendor continue with little to no interruption. This communication will vary based on what the vendor does for the organization, but stakeholders that commonly need to be advised include the IT department, Legal, Third Party/Vendor Risk Management, Senior Management and Accounts Payable/Finance. Each team should also be consulted when the exit strategy plan is being developed to ensure a smooth transition.

2. Alternatives 

Many organizations limit the risk of a third-party vendor process/system failure by leveraging alternative third-party vendors. These back-up vendors should be documented in an exit strategy plan so that they can be contacted should the relationship with the primary vendor end, abruptly or otherwise. An alternative vendor may not always be immediately available, so it is important for the company to document how it can manage the process internally, as well as how long it will take until another vendor can be identified or the process can be completely transitioned to an internal team.

3. Contractual Obligations 

Contracts are one of a company’s best forms of protection. These documents set clear expectations on how the relationship is governed, what is expected and for how long. An exit strategy should include key provisions from your contract with the third-party vendor, such as the term of the relationship, the termination provision (how many days’ notice must be given to the vendor when communicating the intent to terminate), ownership and return of data, and notice. For planning ahead, it is important that a company understands what the vendor is contractually obligated to do when the relationship ends, and how much time the vendor is allotted to complete these tasks.

How MorganFranklin Can Help 

MorganFranklin can help your company implement a third-party/vendor risk management program that best fits your needs. With experience from certified third-party risk experts and our flexible delivery models, MorganFranklin can help you implement a mature third-party risk lifecycle, a GRC system/tool (automate your program and start a process at the push of a button), as well as supplemental processes (e.g., key risk indicators, exit strategy considerations, maturity model analysis).
