Vendor risk management is the process of ensuring that your providers do not create the potential to negatively impact your business performance. Industries like financial services and healthcare are especially prone to regulatory compliance risk, due to the growing number and complexity of federal and state regulations.

What is the Significance of Vendor Risk Management?

In today’s regulatory environment, developing a risk management strategy is essential to protecting the overall health of your organization.

In healthcare, organizations are not only liable for the inherent risk associated with their own employees and services; they are also responsible for monitoring their third-party vendors, who supply everything from medical equipment to cleaning supplies, to ensure none of them are excluded from federal or state healthcare programs. Healthcare is not alone in this: similar legislation puts a tremendous risk burden on financial services companies and other industries that buy goods or services from third-party vendors.

What if I don’t Monitor My Vendors?

Failure to accurately monitor vendors against the hundreds of state and federal exclusion list databases (including the OIG exclusion list) could mean thousands of dollars in fines for a single instance of purchasing goods or services from an excluded vendor.

For example, starting in 2014 the Patient Protection and Affordable Care Act, or ‘Obamacare’ as it is commonly called, laid out new rules. You must not only monitor the vendor entity itself; starting in 2014 you must also monitor any owner with more than a 5% ownership stake in that vendor entity.

Let’s say your company purchases 10 boxes of scalpels for $20/box from your scalpel supplier, and it is then found that the supplier appears on the OIG exclusion list. Your fine could look something like this:

$10,000 per item x 10 items = $100,000
$200 (total purchase price) x 3 = $600

Grand Total = $100,600

A $200 purchase has now cost your organization $100,600 for one simple reason: your purchasing department bought the scalpels from a vendor on the OIG exclusion list.

Given the seriousness and complexity of the risk associated with purchasing from third-party vendors, it is essential that every organization engage in effective vendor risk management. Doing so could save your organization from potentially crippling fines.

Where do I Start Monitoring?

Managing vendor risk is no easy task, so it is important that ample time and resources are dedicated to fully evaluating potential risk, developing and executing a risk management strategy, and periodically auditing its effectiveness.

Many organizations are good at managing regulatory risk for their own employees and services, but managing vendor regulatory risk is an area where most organizations could stand to improve.

So where to start?

McKinsey & Company, a management consulting firm, has some suggestions. While they are speaking primarily to vendor-associated risk in the financial sector, the same principle applies to healthcare.

Most healthcare organizations, especially networks whose growth strategy focuses on purchasing facilities (most of which have different accounting and procurement systems), struggle with aggregating vendor data into a centralized system. Without such a system, it is hard to see how a vendor risk management strategy could even be established.

McKinsey suggests performing an organization-wide survey. What would that look like? It could be a simple form that captures the vital details of each vendor from each facility or unit. Or it could be an internal audit in which a project manager visits each facility to collect the data needed – business name and address, tax ID, spend category, annual spend, and ownership information.

Only once the data is collected and aggregated into a central database can you begin to build an overall risk assessment. Your risk assessment should identify the external (regulatory) and internal (policy) healthcare compliance issues, and benchmark how each vendor you buy from performs on each of those compliance issues. Once you have a handle on this, you can begin to understand where to focus your risk mitigation efforts.

Managing risk is no easy task, but a successful vendor risk management strategy is an important step toward ensuring the overall compliance of your organization. It helps ensure that the mistakes your vendors make do not become your own problem.

Written by: Russ Cornwall, ProviderTrust Product and Client Support for VendorProof.

This post was originally published December 10, 2013 and has been completely revamped and updated for accuracy and comprehensiveness.
