Nexly Third-Party Vendor Risk Policy

Third-Party Vendor Risk Policy

Assessing and managing supplier and vendor risks

Nexly Corporation - Third-Party Vendor Risk Management Policy

1. Introduction & Purpose

This Third-Party Vendor Risk Management Policy (the "Policy") establishes the framework for Nexly Corporation ("Nexly" or the "Company") to identify, assess, mitigate, and monitor risks associated with third-party vendors, service providers, and other external entities (collectively, "Vendors") that provide goods, services, or access to Company systems, data, or facilities. Located at 701 South Street Suite 100, Mountain Home, AR 72653, Nexly recognizes that third-party relationships can create significant risks, including, but not limited to, data breaches, financial loss, regulatory non-compliance, reputational damage, and operational disruptions. This Policy is designed to:

  • Protect Nexly's Assets: Safeguard Nexly's assets, including its data, intellectual property, financial resources, and reputation.
  • Ensure Compliance: Ensure that Vendors comply with all applicable laws, regulations, industry standards, and contractual obligations.
  • Mitigate Risk: Identify, assess, and mitigate risks associated with Vendor relationships.
  • Maintain Business Continuity: Ensure the continuity of business operations by mitigating the risks posed by Vendor disruptions.
  • Promote Ethical Conduct: Ensure Vendors operate ethically and in accordance with Nexly's values and standards.
  • Support Data Privacy and Security: Ensure that Vendors adequately protect the privacy and security of data.
  • Establish Clear Responsibilities: Define the roles and responsibilities of Nexly employees involved in Vendor relationships.
  • Provide a Consistent and Standardized Approach: Provide a consistent and standardized approach to Vendor risk management across the organization.

This Policy applies to all Vendors that provide goods, services, or access to Company systems, data, or facilities, regardless of the nature of the goods or services provided, the level of risk involved, or the size of the Vendor. This Policy is to be read in conjunction with other Company policies, including, but not limited to, the Information Security Policy, the Data Privacy Policy, the Confidentiality and Non-Disclosure Policy, the Ethical Sourcing Policy, and the Code of Conduct.

2. Definitions

For the purposes of this Policy, the following definitions apply:

  • Vendor: Any third-party entity (e.g., company, organization, individual) that provides goods, services, or access to Nexly Corporation's systems, data, or facilities. This includes, but is not limited to, suppliers, contractors, consultants, cloud service providers, and other service providers.
  • Third-Party Risk: The potential for loss, damage, or disruption to Nexly resulting from the actions or inactions of a Vendor.
  • Vendor Risk Assessment: The process of identifying, analyzing, and evaluating the risks associated with a Vendor relationship.
  • Risk Tiering: The process of categorizing Vendors based on the level of risk they pose to the Company. Risk tiering determines the level of due diligence required.
  • Due Diligence: The process of investigating and evaluating a Vendor's capabilities, financial stability, security practices, and compliance with applicable laws and regulations.
  • Contract: A legally binding agreement between Nexly and a Vendor that outlines the terms and conditions of the relationship, including scope of services, service level agreements, data protection requirements, and security obligations.
  • Service Level Agreement (SLA): A contract or part of a contract that defines the level of service to be expected from the Vendor.
  • Key Performance Indicator (KPI): A quantifiable measure used to evaluate the success of a Vendor relationship.
  • Business Continuity Plan (BCP): A plan that outlines the procedures and actions that Nexly will take to maintain business operations in the event of a disruption.
  • Critical Vendors: Vendors whose services are essential to Nexly's core business operations, or whose failure would result in significant financial, operational, or reputational damage.

3. Roles & Responsibilities

Effective Vendor risk management requires clearly defined roles and responsibilities across the organization:

  • 3.1. Board of Directors:
    • Provides oversight of the Company's Vendor risk management program.
    • Approves the Third-Party Vendor Risk Management Policy and reviews its effectiveness.
    • Monitors the Company's significant Vendor risks and the effectiveness of risk mitigation activities.
  • 3.2. Vendor Risk Management Committee (VRMC), or, where no such committee exists, an equivalent designated senior management group:
    • Develops, implements, and maintains the Company's Vendor risk management framework, including policies, procedures, and tools.
    • Establishes and maintains the Vendor risk assessment and tiering methodology.
    • Oversees the due diligence process for Vendors.
    • Monitors and reports on the Company's Vendor risk profile and the effectiveness of risk mitigation activities.
    • Reviews and approves Vendor contracts.
    • Coordinates with various departments to ensure that Vendor risk management is integrated into all aspects of the business.
    • The VRMC will be comprised of [Specify Members and their Titles, e.g., the Chief Information Officer (CIO), Chief Financial Officer (CFO), Head of Procurement, Legal Counsel, Head of Information Security, Data Privacy Officer (DPO), and a representative from a relevant business unit]. The Chair of the VRMC will be [Specify Title, e.g., the CIO].
  • 3.3. Chief Executive Officer (CEO):
    • Provides overall leadership and direction for the Company's Vendor risk management program.
    • Ensures that the Company's Vendor Risk Management Policy is integrated into all business activities.
    • Supports the Vendor Risk Management Committee (or equivalent) in its efforts.
    • Communicates the importance of Vendor risk management throughout the organization.
  • 3.4. Chief Information Officer (CIO):
    • Oversees the IT and Security aspects of the Vendor risk management program, including assessing Vendor security practices and ensuring appropriate security controls are in place.
    • Leads the Vendor risk assessment process.
    • Works with the Vendor Risk Management Committee to develop and maintain the Vendor risk assessment methodology and tiering system.
  • 3.5. Chief Financial Officer (CFO):
    • Oversees the financial aspects of the Vendor risk management program.
    • Reviews Vendor financial stability and performance.
    • Works with the Vendor Risk Management Committee to address financial risk.
  • 3.6. Head of Procurement:
    • Leads the Vendor selection and onboarding process.
    • Ensures that all new Vendors are assessed and approved in accordance with this Policy.
    • Negotiates Vendor contracts, including the incorporation of appropriate risk mitigation terms and conditions.
    • Manages Vendor relationships.
  • 3.7. Legal Counsel (Internal or External):
    • Provides legal advice and guidance on Vendor risk management matters.
    • Reviews Vendor contracts to ensure compliance with this Policy and all applicable laws and regulations.
    • Assists in addressing any legal issues that arise with Vendors.
  • 3.8. Data Privacy Officer (DPO) (or equivalent):
    • Ensures that Vendor relationships comply with all applicable data privacy laws and regulations.
    • Reviews Vendor data privacy practices and agreements.
    • Oversees data privacy impact assessments related to Vendor relationships.
  • 3.9. Information Security Department:
    • Assesses and monitors the security practices of Vendors.
    • Works with the CIO and Head of Procurement to ensure that appropriate security controls are in place.
    • Conducts security audits and assessments of Vendors, as required.
    • Responsible for the security aspects of the third-party risk management process.
  • 3.10. Business Unit Owners & Project Managers:
    • Identify business requirements for Vendor services.
    • Work with the Head of Procurement to identify and evaluate potential Vendors.
    • Provide input into the Vendor risk assessment process.
    • Manage the Vendor's performance and ensure that services are delivered in accordance with the contract and service level agreements (SLAs).
  • 3.11. All Employees:
    • Are responsible for complying with this Policy and for reporting any concerns about a Vendor's performance or conduct to their manager or the Head of Procurement.
    • Follow internal policies and procedures for engaging with Vendors.

4. Vendor Risk Management Process

Nexly Corporation will follow a structured process for managing Vendor risk throughout the Vendor lifecycle:

  • 4.1. Vendor Identification and Categorization:
    • Identifying Vendors: Identify all potential Vendors that provide goods or services to Nexly.
    • Centralized Vendor List: Maintain a centralized Vendor list that includes all approved Vendors. This list should be managed by the Procurement Department.
    • Categorization: Categorize each Vendor based on the type of goods or services provided and the potential level of risk they pose to Nexly. This categorization will be used to determine the appropriate level of due diligence and monitoring. This category will be determined by the VRMC.
  • 4.2. Risk Assessment & Tiering:
    • Risk Assessment Methodology: Use a defined risk assessment methodology to evaluate the risks associated with each Vendor relationship. The assessment will consider factors such as:
      • Data Access: The type and sensitivity of data that the Vendor will access.
      • Criticality of Services: The importance of the services provided by the Vendor to Nexly's business operations.
      • Financial Stability: The Vendor's financial stability.
      • Security Practices: The Vendor's security controls and practices.
      • Compliance History: The Vendor's compliance with applicable laws and regulations.
      • Geographic Location: The geographic location of the Vendor's operations.
      • Sub-contractor Use: The Vendor's use of any sub-contractors.
    • Risk Tiering: Assign Vendors to risk tiers based on the results of the risk assessment. Common risk tiers might include:
      • Tier 1 (Low Risk): Vendors that pose a low risk to Nexly.
      • Tier 2 (Medium Risk): Vendors that pose a moderate risk to Nexly.
      • Tier 3 (High Risk): Vendors that pose a high risk to Nexly.
    • Documentation: Document the Vendor risk assessment process and the rationale for the risk tier assigned to each Vendor.
  • 4.3. Due Diligence:
    • Level of Due Diligence: The level of due diligence will be based on the Vendor's risk tier. Higher-risk Vendors will require more thorough due diligence.
    • Due Diligence Activities: Due diligence activities may include:
      • Vendor Questionnaires: Requiring Vendors to complete detailed questionnaires.
      • Financial Reviews: Reviewing the Vendor's financial statements.
      • Background Checks: Conducting background checks on the Vendor and its key personnel.
      • Security Assessments: Reviewing the Vendor's security practices and conducting security audits, as necessary.
      • Compliance Verification: Verifying the Vendor's compliance with all applicable laws and regulations.
      • References: Contacting the Vendor's other clients for references.
    • Documentation: Document all due diligence activities and their results.
  • 4.4. Contract Negotiation & Review:
    • Contract Requirements: Vendor contracts must include provisions that address the identified risks and provide for appropriate risk mitigation. These provisions will be dependent on the risk tier of the vendor.
    • Key Contractual Terms: Contracts must include, but are not limited to, the following key contractual terms:
      • Scope of Services: A clear description of the goods or services to be provided.
      • Service Level Agreements (SLAs): Defined service levels and performance metrics.
      • Data Security Requirements: Data security and privacy requirements, including requirements for data encryption, access controls, and data breach notification.
      • Compliance Requirements: Requirements for compliance with applicable laws and regulations.
      • Audit Rights: Nexly's right to audit the Vendor's operations.
      • Intellectual Property Rights: Protection of Nexly's intellectual property.
      • Insurance Requirements: Requirements for the Vendor to maintain adequate insurance coverage.
      • Indemnification: Protection against financial losses, as well as a plan to ensure Nexly’s liability is covered.
      • Termination Rights: Nexly’s right to terminate the contract if the Vendor fails to meet performance standards, violates this Policy, or violates legal requirements.
    • Legal Review: All Vendor contracts must be reviewed and approved by Legal Counsel before they are executed.
    • Risk Mitigation Implementation: The contract should outline the responsibilities of both parties to mitigate identified risks.
  • 4.5. Ongoing Monitoring and Review:
    • Vendor Performance Monitoring: Monitor Vendor performance against SLAs and KPIs. This may include regular performance reviews, site visits, and regular reporting.
    • Risk Reassessment: Reassess Vendor risks on a regular basis, based on the Vendor's performance, any changes in the Vendor's operations, and any changes in the business environment. The frequency of reassessment will be determined by the Vendor's risk tier. [Example: High-risk Vendors will be reassessed at least annually.]
    • Continuous Monitoring: Monitor Vendor performance against agreed metrics, assess Vendor risks, and take corrective action when needed.
    • Audit Rights Exercise: As per the contract, exercise the right to audit the Vendor's operations to verify compliance with the contract and this Policy.
    • Change Management: Establish a process for managing changes to Vendor relationships, including changes to the scope of services, the Vendor's operations, or the risk profile. This would require a re-assessment of the Vendor.
  • 4.6. Termination & Exit Strategy:
    • Termination Clause: Contracts must clearly define the conditions under which the relationship can be terminated.
    • Data and Asset Return: Ensure the secure return of all Company data and assets.
    • Post-Termination Audit: A final audit may be conducted to confirm all requirements have been fulfilled.
    • Transition Planning: Plan for a smooth transition of services and data.

5. Risk Assessment & Tiering Methodology

The following provides the detailed methodology for assessing and tiering Vendor risk:

  • 5.1. Risk Factors: The following risk factors will be used to assess the risk associated with each Vendor:
    • Data Access: The type and sensitivity of data that the Vendor will access. Data classifications from the Data Retention Policy are used.
    • Criticality of Services: The impact on Nexly if the Vendor's services are disrupted or if the Vendor fails.
    • Financial Stability: The Vendor's financial stability and ability to meet its obligations.
    • Security Posture: The Vendor's security controls and practices, including its data security policies and procedures.
    • Compliance History: The Vendor's history of compliance with laws and regulations and contractual obligations.
    • Geographic Location: The geographic location of the Vendor's operations, including any locations in high-risk countries.
    • Subcontractor Use: The Vendor's use of any subcontractors and the associated risks.
    • Business Continuity: The Vendor's business continuity plan and disaster recovery plan.
    • Legal and Regulatory Risk: Legal and regulatory risks associated with the Vendor's services.
    • Reputational Risk: Risks that the Vendor's actions or inactions could harm Nexly's reputation.
  • 5.2. Assessment Process: The risk assessment process will include the following steps:
    • Initial Screening: Reviewing publicly available information about the Vendor, such as its website, financial statements, and media coverage.
    • Questionnaire: Requiring the Vendor to complete a detailed questionnaire that addresses the risk factors.
    • Third-Party Information: Using third-party information, such as credit reports and security ratings, to supplement the information provided by the Vendor.
    • Scoring: Assigning a numerical score to each risk factor, based on the level of risk identified.
    • Overall Risk Score: Calculating an overall risk score for the Vendor.
  • 5.3. Risk Tiering: The risk tiering methodology will be based on the overall risk score:
    • Tier 1 (Low Risk): Vendors with a low overall risk score. These Vendors generally provide non-critical services and have limited access to Company data. [Specify scoring range, e.g., 1-10]
    • Tier 2 (Medium Risk): Vendors with a moderate overall risk score. These Vendors may provide critical services or have access to some Company data. [Specify scoring range, e.g., 11-20]
    • Tier 3 (High Risk): Vendors with a high overall risk score. These Vendors typically provide critical services and/or have access to sensitive Company data. [Specify scoring range, e.g., 21-30]
  • 5.4. Ongoing Review: The Vendor's risk tier will be reviewed at least [Specify Frequency, e.g., annually] or more frequently if there are any significant changes in the Vendor's operations, services, or risk profile.

6. Policy Compliance and Enforcement

Compliance with this Third-Party Vendor Risk Management Policy is mandatory for all Nexly employees and Vendors.

  • 6.1. Employee Responsibilities: All employees who manage Vendor relationships or are involved in Vendor activities must:
    • Comply with the requirements of this Policy.
    • Cooperate with the Head of Procurement and the Information Security Department in the Vendor risk management process.
    • Report any concerns about a Vendor's performance or conduct to their manager, the Head of Procurement, or the Information Security Department.
  • 6.2. Vendor Obligations: All Vendors are required to:
    • Comply with the requirements of this Policy and all applicable contractual obligations.
    • Provide Nexly with accurate and complete information during the risk assessment and due diligence process.
    • Cooperate with Nexly's audits and assessments.
    • Implement corrective actions to address any identified deficiencies or violations.
  • 6.3. Consequences of Non-Compliance: Failure to comply with this Policy may result in:
    • For Employees: Disciplinary action, up to and including termination of employment.
    • For Vendors:
      • Withholding of payments.
      • Suspension of the Vendor relationship.
      • Termination of the Vendor relationship.
      • Legal action (if warranted).
  • 6.4. Legal Action: Nexly Corporation reserves the right to pursue all available legal remedies against any Vendor or employee who violates this Policy.

7. Policy Review & Amendments

This Third-Party Vendor Risk Management Policy will be reviewed and updated regularly to ensure its continued effectiveness and compliance with all applicable laws, regulations, and industry best practices.

  • Review Frequency: This Policy will be reviewed at least [Specify Frequency, e.g., annually] or more frequently as needed, such as in response to changes in the Company's business, the regulatory environment, or the risk landscape.
  • Review Process: The review process will involve:
    • Input from Stakeholders: Seeking input from relevant stakeholders, including the Vendor Risk Management Committee (or equivalent), the Head of Procurement, Legal Counsel, the Information Security Department, and key business unit representatives.
    • Benchmarking: Reviewing industry best practices and the Vendor risk management policies of other companies.
    • Legal Compliance: Ensuring that the Policy complies with all applicable laws, regulations, and industry standards.
    • Performance Evaluation: Assessing the effectiveness of the Vendor risk management program, including the identification of any gaps or areas for improvement.
  • Policy Amendments and Communication: Any amendments to this Policy will be approved by [Specify Approving Authority, e.g., the Board of Directors or the Executive Leadership Team] and communicated to all relevant employees and Vendors through [Specify Communication Channels, e.g., company-wide email, intranet posting, supplier portals, training sessions]. All impacted parties will be expected to acknowledge receipt of the changes.
  • Policy Ownership: The Vendor Risk Management Committee (or equivalent), with support from Legal Counsel, the Head of Procurement, and the Information Security Department, is responsible for maintaining and updating this Policy.

8. Policy Accessibility

Nexly Corporation will make this Third-Party Vendor Risk Management Policy readily accessible to all employees and Vendors.

  • Availability: This Policy will be readily accessible to all employees through:
    • The Nexly Corporation Intranet at [Insert Intranet Link].
    • The Company's Employee Handbook.
    • Upon request from the Head of Procurement, Legal Counsel, or the Information Security Department.
  • Distribution: This Policy will be provided to all new employees during their onboarding process.
  • Vendor Access: This Policy, or a summary of the Policy, will be provided to all Vendors.
  • Acknowledgement: Employees and Vendors will be required to acknowledge that they have read, understood, and agree to abide by this Policy.
  • Updates: All updates to this Policy will be communicated to employees and Vendors through the established communication channels (e.g., email, intranet postings, training sessions, and vendor portals).