Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions
Vendor offboarding is the practice of removing a vendor's access to systems, data and corporate infrastructure – and ensuring that other final actions are executed as stipulated in the contract. The goals of vendor offboarding are to ensure a smooth and secure transition, minimize risk and disruption to business operations, and protect sensitive information.
Many organizations overlook the importance of a secure and programmatic offboarding process, exposing them to future risks. In this article, we'll cover:
Be sure to also download the complete Vendor Offboarding Checklist for additional information on this topic, including a 40-step checklist template that you can use to improve your offboarding process starting today.
Proper vendor offboarding is critical to managing risk, particularly since security, procurement and vendor management teams discontinue vendor oversight when the relationship ends. An incomplete or hastily conducted offboarding process can result in financial losses, regulatory penalties, and reputational damage.
A breach of data retained by a vendor after termination can lead to reputational problems, legal fees and regulatory findings. There are several examples of how incomplete third-party vendor or supplier offboarding processes have damaged organizations.
The end of a vendor relationship can trigger additional costs. For instance, the vendor may have negotiated an early-termination fee. Furthermore, your organization may incur costs to identify, select and onboard a replacement vendor, such as ramp-up and training fees. Without a smooth transition process, there can be delays in receiving parts, products and services from new vendors – which, in turn, can disrupt your organization’s ability to deliver to its customers.
Disputes over intellectual property (IP) ownership or termination parameters can arise if your legal department does not thoroughly review the contract during negotiation and with each development throughout the course of the relationship. Legal fees can be substantial if there is a dispute about an organization’s right to terminate an agreement.
Maintaining good relationships with vendors is important, even when terminating business agreements. Other vendors may interpret poor communications or contract fulfillment with a vendor as evidence that your company is difficult to work with. This can also negatively impact your relationships with other existing vendors or potential business partners.
These examples demonstrate that organizations must assess a wide range of business risks when offboarding vendors.
Minimize Risk After the Contract Ends
Download the Vendor Offboarding Checklist to gauge your program against 40+ recommended offboarding tasks.
Procurement, vendor management, and security teams often view third-party risk management (TPRM) as an exercise to be conducted prior to onboarding a new vendor. So, it’s no wonder that vendor offboarding is an afterthought at many organizations. The 2022 Third-Party Risk Management Study showed that only 43% of companies are tracking risks at the offboarding stage of their vendor relationship. While due diligence in vendor sourcing and selection is an important activity, measuring and managing risk extends throughout the relationship with a vendor. This includes managing the end of a relationship with thorough vendor offboarding.
As with vendor onboarding, knowledge silos can make it difficult to identify all the required tasks to offboard vendors. Procurement may notify a vendor that a contract will not be renewed, but legal must review contract terms and provide details on what steps are required for a clean termination. In some cases, engineering may need to identify intellectual property shared with the vendor. Manufacturing and operations must confirm what steps are required to avoid production stoppages. Finance must identify outstanding invoices or credits owed by the vendor. IT security must ensure that data is destroyed and system access is revoked. Without coordination between these teams, offboarding is a complicated task.
It is easier to focus on activities with new vendors than on those being offboarded. To mitigate the risks referenced above, it is critical to be thorough when offboarding a vendor. This requires all team members that interact with the vendor to identify potential risks, agree to mitigation requirements, and meticulously track progress. Manual methods for performing due diligence will inevitably lead to missed tasks and unresolved risks.
Tracking tasks in spreadsheets or shared documents can make the offboarding process inconsistent and prone to errors. The completeness and accuracy of a task list is subject to the expertise of everyone involved in the offboarding process. For example, a less-experienced employee may overlook critical tasks or incorrectly mark an item complete without full documentation from a vendor. Spreadsheets that can be accessed by multiple employees also lack auditing controls.
A centralized process can help teams automate vendor offboarding, ensure its completeness, and effectively mitigate risk. Here are seven best practices to follow during offboarding:
Teams can mitigate risk by keeping the lines of communication open with the vendor throughout the offboarding process. This includes informing vendors of the offboarding timeline, answering any questions, and providing clear instructions regarding what is expected during the process. A solution that centralizes interactions with vendors, maintains tasks and timelines, and requires approval workflows will greatly reduce the manual work required to address these issues.
Review the contract’s termination provisions to ensure you have the right to terminate the relationship, and if so, the proper timelines for doing so. If you are terminating due to a breach of contract terms, be sure notices have been issued and the vendor’s rights to remedy shortcomings have been honored. Teams may have changed contract terms over time. A final review with legal and procurement can identify scope creep and ensure that the vendor provided all the contractually obligated goods and services.
Finally, review KPIs, pending deliverables, and payments. If the vendor is supplying parts, make sure warranty and support agreements that survive termination are clear.
After thoroughly reviewing the contract terms and identifying remaining obligations for both parties, ensure that you receive final deliverables and schedule final payments. Be sure to include any credits or returns when calculating payments, as these may be difficult to recover after you terminate the relationship.
Partners and vendors may require access to your systems, such as those used for purchasing, engineering, marketing, and financial data. When offboarding a vendor, it is critical to terminate their access to your intellectual property and other sensitive data. This includes:
Some vendor employees may have required physical access to your offices or server rooms. Deactivate any keycards and badges and ensure that the vendor returns all physical keys. In some cases, it may be necessary to change entry codes to server rooms. Work with your physical security teams to ensure that there is a clear process in place for managing physical vendor access.
Vendors often have access to sensitive data that may be subject to regulatory requirements such as CCPA, GDPR, PCI DSS, and others. During offboarding, ensure that you align your vendor termination procedures with your legal obligations. Third-party risk management platforms will have built-in reporting that aligns to these regulatory obligations, simplifying the compliance process.
If the vendor has copies of your sensitive data, it could be exposed in a later breach. Morgan Stanley failed to properly oversee decommissioning of servers by a third party. A subsequent breach of the third party exposed personal information and resulted in a $60 million fine from the Office of the Comptroller of the Currency (OCC). Ensure that all intellectual property and sensitive data is returned. Also, require an affidavit from the vendor that electronic copies on the vendor’s infrastructure – including on employee devices – are securely deleted. Additionally, review with the vendor remaining obligations such as confidentiality, nondisclosure and non-compete agreements.
Not all terminations are permanent. You will want a clear record of the vendor’s history with your organization, including the vendor’s key performance indicators (KPIs). To reduce legal risk, clearly document the reasons for terminating the relationship and maintain a complete accounting of the termination procedures. Make sure you have records of all communications, contracts and other documentation between your organization and the vendor so you can quickly resolve any questions or issues moving forward.
Even though the contract has been terminated and all tasks have been successfully completed, risks to your systems and data, as well as compliance or reputational risks, can still emerge long after the relationship ends. Continuously monitoring multiple risk vectors will ensure that your team has extended visibility into potential future risks.
Manually managing vendor offboarding across a large organization can drain even well-staffed risk management teams. While taking steps such as centralizing vendor data, and ensuring uniform offboarding processes across the organization can help, most large organizations benefit enormously from utilizing a dedicated third-party risk management platform.
A dedicated TPRM platform can:
Interested in how Prevalent can help reduce risk during offboarding as part of your broader third-party management lifecycle? Request a demo today.
Here are 7 ways to leverage machine learning analytics and reporting in your third-party risk management program.
Consider these best practices to limit your risk exposure when offboarding vendors and suppliers.
Software supply chain attacks are driving new efforts to standardize software bills of materials. Here are...