
Vendor Risk Management Policy

Vendor Risk Management Policy template for evaluating, approving, and monitoring third-party vendors before they touch your data, systems, or operations. Use...


Purpose

This policy establishes a consistent process for identifying, assessing, approving, contracting with, monitoring, and offboarding third-party vendors. The goal is to reduce operational, security, privacy, compliance, financial, and reputational risk while supporting business needs and applicable legal obligations.

Scope

This policy applies to all employees, contractors, and business units that engage, manage, renew, or terminate third-party vendors. It applies to vendors that access company systems, process company data, interact with employees or customers, support regulated activities, or provide critical business services. California employees: vendor arrangements involving personal information must also be reviewed for CCPA/CPRA obligations. If a vendor supports employee-facing processes, HR must confirm the arrangement does not interfere with employee rights under the NLRA, FLSA, FMLA, ADA, or EEOC-related obligations.

Definitions

Key terms used in this policy are defined in the Definitions section of the template data. Additional terms:

- **Inherent Risk**: The risk posed by a vendor before controls are applied.
- **Residual Risk**: The risk remaining after controls and contractual safeguards are considered.
- **Subprocessor**: A third party engaged by a vendor to process company data.
- **Interactive Process**: The good-faith, documented process used to evaluate and implement reasonable accommodation requests when vendor-supported workflows affect employees with disabilities.

Policy Statement

No vendor may be engaged, renewed, or materially expanded without completing the required due diligence and receiving approval from the designated business owner and control functions based on the vendor's risk rating. Vendor risk decisions must be made in good faith, documented, and based on the nature of the service, data involved, access required, legal obligations, and business criticality. Vendors that process sensitive personal data, employee data, payment data, confidential information, or regulated data require enhanced review and contractual safeguards.

Vendor Evaluation and Approval Procedure

Before onboarding a vendor, the business owner must submit a request that includes the service description, business justification, data classification, system access needs, geographic scope, subcontractors, and expected term. Procurement, Legal, Information Security, Privacy, and Finance must complete reviews appropriate to the vendor's risk level.

Minimum review steps:

1. Confirm business need and alternatives considered.
2. Assess inherent risk based on data sensitivity, access, criticality, and geography.
3. Perform due diligence, which may include security questionnaires, SOC 2 reports, penetration test summaries, financial stability review, insurance review, sanctions screening, and reference checks.
4. Determine whether the vendor will process personal data, employee data, or confidential information and whether a DPA, confidentiality terms, or cross-border transfer terms are required.
5. Assign a risk rating and document approval, conditional approval, or rejection.
6. Obtain written approval from the designated approvers before contract execution or system access is granted.

High-risk vendors require documented approval from Information Security, Legal, Privacy, and the executive sponsor or delegate. Vendors that support HR, payroll, benefits, leave administration, or workforce monitoring must be reviewed for compliance with wage-and-hour, leave, anti-discrimination, and privacy obligations.

Contracting and Control Requirements

All approved vendor contracts must include, as applicable: scope of services, confidentiality obligations, data use limitations, security controls, incident notification timelines, audit rights, subcontractor approval requirements, retention and deletion obligations, business continuity commitments, insurance requirements, service levels, and termination assistance. Where personal data is involved, contracts must include appropriate privacy terms, including a DPA and cross-border transfer safeguards where required. Where employee data is involved, contracts must require the vendor to support compliance with applicable EEOC, FLSA, FMLA, ADA, and NLRA obligations and to notify the company of any request, complaint, or legal process affecting such data. California employees: contracts involving personal information must address CCPA/CPRA service provider or contractor restrictions as applicable.

Ongoing Monitoring and Reassessment

Vendor risk is not a one-time review. Business owners must monitor vendor performance and risk throughout the relationship. Monitoring frequency must be based on risk rating, with at least annual reassessment for all active vendors and more frequent review for high-risk or critical vendors.

Monitoring activities may include:

- Review of security attestations, audit reports, and remediation status
- Tracking of service levels, incidents, and complaints
- Review of changes in ownership, subcontractors, data use, geography, or financial condition
- Reassessment after material incidents, contract renewals, or scope changes
- Verification that required controls remain in place

Any material adverse change must be escalated promptly to Procurement, Legal, Information Security, and the business owner.

Roles & Responsibilities

**Business Owner / Policy Holder**: Initiates vendor requests, documents business need, monitors performance, and ensures ongoing compliance.

**Procurement**: Coordinates intake, maintains vendor records, and ensures required reviews are completed before engagement.

**Information Security**: Reviews technical and security controls, evaluates security risk, and approves security exceptions when permitted.

**Legal**: Reviews contract terms, liability, confidentiality, regulatory obligations, and dispute or enforcement issues.

**Privacy**: Reviews personal data processing, transfer mechanisms, retention, and privacy notices where applicable.

**Finance**: Reviews financial viability, payment terms, and insurance requirements.

**HR**: Reviews vendors handling employee data or workforce-related services to ensure alignment with EEOC, FLSA, FMLA, ADA, and NLRA obligations.

**Executive Sponsor**: Approves high-risk or critical vendor engagements and accepts residual risk when required.

Compliance, Exceptions, and Discipline

Failure to follow this policy may result in delayed onboarding, suspension of vendor access, contract rejection, or termination of the vendor relationship. Employees who bypass required reviews, approve vendors outside their authority, or fail to escalate material risks may be subject to corrective action, up to and including termination of employment, consistent with applicable law and company policy. Exceptions must be documented, time-limited, approved by the appropriate control owner, and include compensating controls and an expiration date. Any exception involving employee data, regulated data, or critical services requires Legal and Information Security approval.

Review & Revision

This policy will be reviewed at least annually and updated as needed to reflect changes in law, business operations, vendor risk practices, and security or privacy requirements. The policy holder is responsible for maintaining the current version, documenting revisions, and communicating material changes to affected stakeholders.
