Interconnected world multiplies business risks

Vendor management across the risk management and property/casualty insurance sector has evolved into a broad and complex discipline involving myriad stakeholders throughout an ever-growing and increasingly interconnected business landscape.

The discipline, which also goes by third-party risk management and other monikers, is being deployed to mitigate risks associated with contractors, subcontractors and other business partners.

Keeping track of an organization’s counterparties can be a critical part of maintaining uninterrupted business functions and resources, from web hosting services to manufacturing supply chains, experts say.

The challenge begins to take on an almost exponential scale as businesses go beyond their direct contractual, or tier-one, relationships to police second-, third- and fourth-tier vendors and suppliers. Due to the cascading nature of business relationships and an increasingly interconnected world, an organization’s vendors may have their own vendors, which in turn have their own vendors, and so on.

“The risk really transcends into the supply chain in a way that we really hadn’t seen 10 years ago, 20 years ago, and so that creates a challenge for the organization,” said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice. “Getting your arms around the supply chain risk is a really difficult thing to do these days because if an organization way down the supply chain is attacked, the dominoes begin to fall.”

Will Lehman, Bloomington, Indiana-based global director of risk management at Cook Group Inc., a diversified privately held conglomerate, and a Risk & Insurance Management Society Inc. board director, said organizations should focus on what lines of insurance may be impacted, and who are the key stakeholders in the multidisciplinary process.

Virtually all sectors, from manufacturing to health care to construction, are increasingly vulnerable due to their ever-growing reliance on information technology systems and online activity.

Cyber risk related to vendors affects all industries, Mr. Farley said. In the past couple of years, airlines, automotive companies, health care organizations and others have been disrupted, he said.

Integrated businesses

Paul King, Dallas-based senior vice president, executive and professional risk solutions practice, for USI Insurance Services LLC, uses the term “third-party risk management” to describe the process.

“If you’ve got a vendor, you’ve also got that vendor’s subcontractors and their subs, etc. So, really, what you’re talking about is third parties, and what you’re trying to manage here is the risk that they bring,” Mr. King said.

More counterparties means more risk, said Rose Hall, founder and CEO of RH Business Ventures LLC in Irvine, California.

“The more of your work product that you subcontract out, the more risk you’re taking on through those subcontractors,” she said.

The manufacturing sector has become especially integrated, said T.J. Richter, Portland, Oregon-based executive underwriting officer, middle market, for Liberty Mutual Insurance Co., who handles coverage for manufacturing.

Supply chain and vendor relationships are drawing added scrutiny and, in some cases, risk mitigation efforts, he said.

Contract risk management

“We’re finding, as we go through our underwriting files, that things like vendor contracts are not as tight as they should be,” and sometimes the risks should be mitigated and transferred to the supplier, Mr. Richter said.

Contracts are one of the tools in the risk management tool belt, and legal is “one of those core pillars of having a successful vendor risk management program,” Mr. Lehman of Cook said.

Contractual risk transfer is one method to manage vendor risk, Ms. Hall said.

“There are really three ways you can manage that kind of risk. You can insure it, you can contractually transfer it to someone else, or you can keep it and retain it and manage it yourself,” she said. “The first line of protection is your contract. The second line is your insurance.”

Ensuring the “words on the page” protect an organization is key, said Giovanni Care, New York-based assistant general counsel at Suffolk Contracting.

Suffolk seeks to “shift some of the risk associated with certain vendors and manage that risk in the form of the contract itself,” he said.

Doug Ware, Boston-based senior vice president of risk management at Suffolk, added the contractor will also review the insurance policies of its vendors to ensure they are aligned with contractual risk transfer obligations.

Sources said that while they are gaining ground on the challenge of vendor management, it requires additional and continued vigilance.

Mike Rastigue, Chicago-based vice president for cyber risk management at Aspen Insurance Holdings Ltd., said that, at times, “it often can be difficult to figure out exactly where your risk actually lies. It is not uncommon for a large enterprise organization to use thousands, maybe even 10,000 or 20,000 individual providers.”

Vendor management is an ongoing problem for policyholders and insurers, said Gavin Reed, Los Angeles-based head of underwriting for North America at Resilience Cyber Insurance Solutions Inc.

“The more things we connect to the internet, the more we digitize our business, the more this risk is increasing. It’s become more of a topic of conversation, I would say, just thinking about vendor risk,” he said.

While larger organizations are beginning to devote more resources toward vendor management, the process is not yet very mature, Mr. Rastigue said, with no standardized approach or leadership structure.

Setting expectations — letting vendors know what is expected and required of them — is an important step in managing vendor relationships, said Gwenn E. Cujdik, Exton, Pennsylvania-based manager, North America cyber incident response and cyber services, for Axa XL, a unit of Axa SA.

Connected technology

Understanding interconnectivity, when it is and is not necessary to connect an organization’s network to that of a counterparty, is another key factor in establishing vendor relationships, Ms. Cujdik said.

“You want to avoid interconnectivity as much as possible. If you know there’s no reason to connect your network together, you shouldn’t be doing it,” she said. This helps prevent an incident from spreading to another network from its point of origin.

Should such integration of networks be necessary for the delivery of services, Ms. Cujdik recommends a “heightened process of due diligence” to assess that vendor’s cybersecurity and controls.

“You want to make sure that their company is as protected as your company, or more, so that due diligence becomes really important,” she said.

The migration to cloud computing and software as a service business models has vastly increased the dependence on such web service providers along with risks associated with web hosting, Mr. Reed of Resilience said.

Organizations should consider whether their information is more secure with third-party technology companies or whether they should maintain it themselves, he said.

Continuity plans

Organizations should have business continuity plans that address vendor failure, Ms. Cujdik said. “You can contract as much as you want, but what you need to do internally is have a plan in place — if that (vendor) goes down, what can we do?” she said.

In some cases, such as in construction, organizations can turn to their primary contractors to help validate and manage subcontractors and indirect vendors, said Jon Tate, Atlanta-based head of core risk engineering for Zurich Resilience Solutions, a unit of Zurich Insurance Group Ltd.

“You have to have some faith and understanding in what your primary contact is doing to ensure that those subcontractors or suppliers are vetted the same way that you vetted your contractor, your first-party relationship,” Mr. Tate said.

“When you hire somebody on a lower tier, you’re also assessing their ability to manage risk, to manage their own supply chain,” said Craig Tappel, Nashville, Tennessee-based chief sales officer and practice leader, North American construction specialties practice, for Hub International Ltd.

Businesses should require their first-tier vendors to help manage second, third and subsequent tiers, Ms. Hall said.

“In some ways, we rely on subcontractors to manage that risk downstream,” said Suffolk’s Mr. Care.

Due diligence for prequalifying a vendor can take several months and vary depending on how well prepared a vendor is with relevant information, such as insurance details.

Vendor relationships should be managed with a view toward the total cost of taking on risk rather than on a lowest bid basis, Mr. Tappel said.

“We want people to slow down and think, ‘What’s the total cost, potential cost, including potential uninsured loss for things that can happen here?’” he said. “You can’t just look at it from a pure dollars-and-cents perspective because you’re taking on the risk of all these other people. You’re really responsible for everyone that you bring to a job.”


All sides should be involved in communicating counterparty risks

Including the right slate of stakeholders in the vendor management process and maintaining communications among them is key, experts say.

Such programs typically involve multiple employees from each counterparty, and the group will vary depending on the organizations and projects involved, they said.

“To be successful at vendor risk management, you have to have a cross-functional approach,” said Will Lehman, Bloomington, Indiana-based global director of risk management at Cook Group Inc. and a board director of the Risk & Insurance Management Society Inc. “Procurement, IT, legal, risk management, compliance … those are really the critical stakeholders that need to be involved in the topic,” he said.

Vendor management has become a multidepartment, holistic discipline that requires buy-in from senior executives, said Paul King, Dallas-based senior vice president, executive and professional risk solutions practice, for USI Insurance Services LLC.

“It’s going to involve multiple people from across multiple disciplines,” said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice.

An organization’s general counsel can address contractual requirements, and operations can review vendors, he said.

“Your risk manager is involved. Obviously, your IT is involved. Multiple people from your organization dealing with, perhaps, multiple people from the vendor’s organization,” Mr. Farley said.

Vendor management could involve the risk manager, chief financial officer, general counsel and chief operating officer, said Mike Rastigue, Chicago-based vice president for cyber risk management with Aspen Insurance Holdings Ltd.

“Very often, there will be a chief privacy officer who may be involved,” and an architectural review board to review any IT architecture related to vendor onboarding, he said.

Vendor management is a team effort, said Gwenn E. Cujdik, Exton, Pennsylvania-based manager, North America cyber incident response and cyber services, for Axa XL, a unit of Axa SA.

“To do it right, you need to have your legal involved. You need to have your information and security teams involved,” as well as the risk manager on board to handle any questions or issues concerning risk transfer, and potentially compliance teams to address regulatory concerns.

“There’s a lot of dovetailing that occurs between the various departments to achieve full vendor management,” said Doug Ware, Boston-based senior vice president of risk management at general contractor Suffolk Construction Co.

At Suffolk, the preconstruction team, estimating group and operations team become involved in prequalifying vendors, including reviewing financial documents and safety records, said Chris Mahoney, Boston-based prequalification manager for Suffolk.

Mr. Lehman recommends using technology to augment human effort.

“Risk professionals should leverage advanced tools and platforms. There are some really slick technologies out there to help with vendor risk assessments, continuous monitoring, incident response, and a lot of these technologies involve automation,” he said.


Compliance, trade policies, tariffs create challenges in supply chain management

Macroeconomic factors such as regulation and trade policy can make managing vendors more difficult, from cyber operations to construction, experts say.

It can be challenging to ensure that all of an organization’s vendors comply properly with relevant regulations, such as data breach notification, said John Farley, managing director of Arthur J. Gallagher & Co.’s cyber practice.

“We’re seeing state law, international law, evolve as we speak, and organizations have data protection requirements and wrongful data collection standards that they have to comply with,” he said.

Failure to comply with data regulations may draw the attention or ire of regulators. “When that happens, the plaintiffs bar follows,” Mr. Farley said. “It’s a state issue, it’s a federal issue, and it’s an international issue.”

Politics and trade policy can also be factors in managing vendor relationships.

In its Political Risk Report 2025, Marsh LLC noted, “Many long-standing assumptions — such as the stability and security of trade flows, particularly between the U.S., China and other major trade partners, and the reliability of supply chains from specific regions, such as Southeast Asia — are increasingly in flux.”

The price of materials and services used in nonresidential construction rose 0.5% in February, following an increase of 0.7% in January, according to an analysis by the Associated General Contractors of America of government data, and prices are expected to rise further.

“Now that many tariffs that hit construction materials are in effect, with more measures pending, construction costs are likely to rise much more,” Ken Simonson, the association’s chief economist, said in a release.

“We have a resource in our legal department who has been examining the potential impacts tariffs could have on owners, subcontractors and general contractors,” said Doug Ware, Boston-based senior vice president of risk management at general contractor Suffolk Construction Co.

The fluid situation regarding trade policy and, specifically, tariffs can make it hard to manage costs and risks.

“How do you protect yourself or manage that exposure?” Mr. Ware said.