When a vendor contract terminates, one of the most important requirements for managing risk is to ensure that the vendor securely destroys or returns any data or assets that belong to the organization or its customers. This is to prevent any unauthorized access, use, disclosure, or loss of sensitive information or resources that could result in legal, regulatory, reputational, or financial consequences. The organization should also verify that the vendor complies with this requirement by requesting evidence or conducting audits.
The other options are also important, but not as critical as ensuring data and asset security. Performing a financial review of outstanding invoices is necessary to avoid overpaying or underpaying the vendor, and to resolve any disputes or claims. Performing a final assessment based on due diligence standards is useful to evaluate the vendor’s performance, identify any issues or gaps, and document any lessons learned or best practices. Defining contract terms for transition services is helpful to facilitate a smooth and orderly handover of responsibilities, deliverables, or processes to another vendor or internal team.