It’s no news to CISOs, Chief Compliance Officers, Procurement Officers, GCs, and other key stakeholders in vendor management programs that third parties today represent one of the greatest risks to organizations. Nor is it news that that the focus on vendor risk management is only increasing as regulators across a broad spectrum of industries and geographies continue to tout the importance of 1) managing risk throughout the vendor lifecycle, and 2) taking a risk-based approach to focusing due diligence efforts on those business partners who represent the most risk. Consider just the following samplings of recent regulatory guidance:
- OCC Guidance: “Banks must maintain adequate risk management processes throughout each phase of a third party relationship’s life cycle…a bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships”
- Ministry of Justice Guidance on UKBA: “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks…as this guidance emphasises throughout, due diligence procedures should be proportionate to the identified risk.”
- DOJ/SEC Guidance on FCPA: “Risk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program”
WHAT’S MISSING FROM THE VENDOR RISK EQUATION?
In response to this well-known trend, it’s also no surprise that solution providers have recently inundated the market with a vast offering of content and tools to help organizations implement and streamline this risk-based approach. The problem that all of these solutions fail to address, however, is that there are two distinct yet equally critical components of the vendor risk equation, and no solution has managed to effectively account for both of them.
First, there’s the assessment of an organization’s relationship with a given vendor. This is the subjective, context-sensitive assessment of the risks posed by various aspects of your organization’s engagement vendor. There are many solutions in the marketplace that address this side of the equation, providing tools for assessing the criticality the vendor plays in supporting key business operations, or in assessing the criticality of the data that the vendor will access as part of the relationship, for example.
Second, there’s the assessment of the risk posed just by the vendor in and of itself. Does the entity or any of its principals appear on watchlists or in adverse media? Is the entity suffering from financial stress that could jeopardize its viability or lead its employees to engage in various forms of misconduct? Does the entity’s address seem to keep changing for no apparently above-board reason?
SOLVING FOR THE MISSING VALUE
It is the combination of these two risk perspectives, (subjective, context-sensitive criticality measures plus objective, independent risk factors), rather than either in isolation, that should be driving a risk-based approach to vendor management.
Consider the following scenario. I have resources available to perform audits against 50 vendors this quarter. PCI compliance has been identified is a top concern, and I know from my vendor assessment tool that I have 100 vendors that are storing credit card information. I also know based on a vendor risk content subscription that I have another 100 vendors in my portfolio that pose a significant viability risk in the next year. How, then, can I bring this information together in meaningful way that allows me to assess the overlap between these two vendor populations (i.e. the set that poses the greatest combined risk) so that I can target my audits appropriately? Moreover, what happens when I begin introduce additional risk factors that might come from yet other disparate sources (e.g. I have another 100 vendors where there are potential watch list screening issues, and another 20 that have recently relocated to high risk geographies)?
Clearly, any sufficiently sound and complete calculation of vendor risk must be one that marries all of the objective risk intelligence I have available about the vendors themselves with the subjective intelligence that my vendor management team has painstakingly gathered about my organization’s unique engagement with that vendor. What vendor managers need is a tool that manages the assessment of relationships while also pulling in objectively sourced, relationship-independent information such as company verification data, financial risk, compliance screening, liens, judgments, lawsuits, and other public records, etc. Without these two critical components of the vendor risk equation, it’s hard to imagine how the value of any vendor management program could ever add up.