Start with a risk assessment.
A risk assessment is a means of identifying the risks that your business faces and assessing the likelihood of them occurring. It also involves determining the controls you currently have in place to manage those risks, as well as whether or not any additional controls are necessary.
When you are considering whether your contractors are a compliance risk, look at their role, their responsibilities, the regulatory penalties that apply and the controls already in place. We’ve looked at the need for more comprehensive risk assessments in previous posts; if you don’t have sufficient resources to conduct such an assessment, consider hiring a third party to do so.
The formality of the controls should depend on the risks.
There are no hard and fast rules. Design controls to achieve your goal and keep them proportional to the risks: they should be sufficient to mitigate the risks to an acceptable level, but no more than that.
For example, if you are procuring a supplier who has complete access to your production system, and is therefore a high risk, you will need proportionately strong controls in place. In this case the controls would include stringent checks on their security standards, a detailed and robust contract that covers confidentiality provisions, and clear procedures for how they behave whilst working on your site.
Ensure compliance with law, regulations, and specific controls.
To ensure compliance with law, regulations, and specific controls:
- Select contractors who are best placed to comply.
- Provide training on the law, regulations, and specific controls.
- Ensure that contracts clearly state your expectations regarding compliance with law, regulations, and specific controls.
- Monitor compliance with plans as work progresses.
Give clear instructions, expectations, and responsibilities.
Make sure that your contractors understand what is expected of them. They should know what is permissible and what is not, as well as who to contact if they have any questions or concerns. A contractor shouldn’t be forced to guess if something is unclear or off-limits.
Provide sufficient training and supervision.
You’re responsible for ensuring that contractors receive sufficient training and supervision. The level of training and supervision they need should be determined by the type of work they’re doing and their skill level.
Maintain oversight throughout the contract period.
This is more than just a matter of signing off on monthly invoices. It means regularly checking in with the contractor to ensure that things are running smoothly and that no problems are being ignored.
If contractors have genuine concerns about your requirements, don’t ignore them. If you do, you won’t gain any advantage from their expertise and skills; in fact, you may cause them problems and set yourself up for failure.
Periodically audit and evaluate contractor practices.
- Periodically audit and evaluate your contractors’ practices. Contractor compliance can be checked in a number of ways, such as internal audits, third-party audits, work product audits, and process and facility audits.
- Frequently audit the contractor’s work product. This is the simplest way to ensure that the contractor is complying with your operating policies. Of course, this is not always possible or practical; in some cases you might have to rely on implicit deferred trust (which we’ll discuss below), but in many cases you can request a review of the contractor’s deliverables at regular intervals to make sure they’re meeting your specifications.
- Hire a third-party auditor if possible. It’s better to leave auditing to an independent expert rather than doing it yourself, so that no potential bias against contractors affects how they’re assessed.
Follow up with remediation when necessary.
It’s important to follow up quickly with any contractors who are non-compliant, and to take steps that protect against non-compliance in the future.
Know your contractors as well as you know your employees.
You [should] know your contractors as well as you know your employees who work for you…
In many cases, contractors are an extension of your business. They can bring their own risks, vulnerabilities, and threat actors. Therefore, they can introduce new risks and vulnerabilities and new threat actors along with that. In addition to that, they can introduce new compliance obligations and requirements. So we have to be aware of all of this when we’re looking at our compliance process…
Compliance isn’t just about the technology; it’s about the people, and it’s about the processes and procedures behind it (the ins and outs) that help make a successful compliance program…