Policy, Program and Procedures

Hello everyone.

I am working on our policy/procedure documentation review, and I am adding a section to cover what we consider to be in and out of scope for our program. I have been looking over Venminder's resources and checking previous posts on this platform and have a question about organizations that receive sponsorships or donations from another organization. I know that this is subjective, and organizations will determine on their own what would need to be in scope, but I would like to have a better understanding as to why these third parties are considered out of scope more than in scope. 

There could be some risks in sponsoring or donating to other organizations. This may be worst case scenario thinking, but I mainly work in cybersecurity, so I tend to think that way. If nothing else, there could be a reputation risk with this. What if the organization is involved in something illegal or unacceptable? What if they are scamming donors or sponsors? And that also involves a financial risk if they are basically stealing the money.

Why are third party recipients of donations and sponsorships typically excluded?

Good afternoon.

Charitable organizations that receive donations or sponsorships from a company are often governed by the company's Charitable Giving Policy rather than its Vendor Management Policy. This distinction is primarily because these entities are not delivering goods or services in a traditional vendor capacity but are instead beneficiaries of philanthropic or community support initiatives.

Typically, a company's Charitable Giving Policy includes its own vetting processes to ensure due diligence before engaging with these organizations. These vetting processes may involve:

1. Reputation and Historical Review: Assessing the organization's track record, public perception, and alignment with the company's values.
2. Audited Financial Statements: Evaluating financial transparency and the responsible use of funds.
3. Background Checks: Conducting thorough checks on the organization's leaders or key personnel.
4. Volunteer or Leadership Interviews: Gaining insight into the organization's operations and integrity through direct interactions.
5. Online Presence Assessment: Reviewing websites, social media, and third-party ratings to verify credibility.
6. IRS Validation: Confirming tax-exempt status (e.g., 501(c)(3) designation) and compliance with relevant regulations.
7. Impact Reporting: Ensuring the organization has mechanisms to report on how donations are used and their outcomes.

While charitable organizations may not be subjected to the same level of scrutiny as traditional vendors under a Vendor Management Program, there is still an opportunity to create alignment between the two policies. Companies can include a clause in their Vendor Management Policy referencing the Charitable Giving Policy, which outlines the separate but robust due diligence process applied to these entities.

It's important to note that practices may vary between organizations. Some companies may choose to integrate charitable organizations into their vendor management program, especially if significant funds or reputational risks are involved. However, in my experience, charitable entities are typically reviewed separately under policies designed specifically for philanthropic activities.

If you believe additional oversight is warranted, consider collaborating with your company's charitable giving or corporate social responsibility team to ensure the most appropriate review and accountability measures are in place. 

I'd love to hear if members have other perspectives and thoughts on this topic.