By Chris Murphey
Here’s a startling statistic from a recent Rsam survey: 50 percent of companies assess only 15 percent of their vendors. It’s clear that many of us are playing a dangerous game of chicken with the regulations, and the regulators, scrutinizing our industries and operations, leaving an ever-widening risk gap.
Fortunately, there is a growing body of thought leadership and evolving technology to help improve your vendor risk management program by tackling the challenge from three key angles: performance, risk, and relationship. It is possible to source and use service providers and IT suppliers without incurring an unacceptable likelihood of a security event, a business disruption, or a negative impact on business performance.
We get it. This gap doesn’t exist because you’re unaware of the risks that poor vendor management carries. It can be hard to do everything that is needed under the all-too-common tight constraints on resources. However, a well-designed, center-led vendor governance program can help to alleviate that burden. By embedding a top-down, bottom-up and continuous-improvement methodology, you can avoid the constraints of a silo-based operation. You can set the stage for a journey that will allow your organization to operate free from fear of a fine or a censure.
Starting the Vendor Risk Management Journey
Many VRM journeys start with an event like a security breach traced back to a vendor. It becomes a priority for the organization, your team receives the funding it needs to implement a program, and suddenly it’s time to get started and create a vendor risk management checklist. If you’re in this situation now, the first thing to keep in mind is that you shouldn’t try to create your vendor risk management program in a vacuum.
Don’t try to develop a vendor governance policy and implement your vendor governance efforts alone. Instead, assemble the relevant stakeholders from areas like the procurement, compliance, legal, information security, privacy and operations teams.
A good approach is to set up a 15-minute meeting with director-level or above staff from all governance or compliance roles in your organization. Ask them:
- Do you have a stake in knowing or ensuring our vendors provide safe, compliant, and productive services?
- Are there any regulations or company policies that our vendors need to comply with in regard to your area of responsibility?
Their answers will help you understand how important it is to involve them in the VRM journey. There may also be areas of third-party compliance that are specific to your industry or geography, such as FFIEC vendor management guidance for financial institutions or the New York State DFS Cybersecurity Regulation (23 NYCRR Part 500).
Ongoing Management of Your Vendor Risk Management Program
When your vendor risk management program is up and running, your work has really just begun. You’ll need to continually monitor the program to validate its completeness, which involves:
- Using the “Three Lines of Defense” as a guide for validation. We’ll unpack these three lines and their importance to VRM in a subsequent blog entry.
- Maintaining a governance body of experts or stakeholders who monitor compliance with, and updates to, the vendor governance policy.
- Keeping your compliance officer engaged so you stay ahead of changes to relevant regulations.
You should also inventory your vendors to manage their demographic and classification information, and design and implement a data management system to avoid the dreaded “garbage in, garbage out” scenario. Contractually obligate your vendors to report information about the relationships they have with their own vendors (i.e., fourth-party relationships). Ensure your vendor governance policy has a consistent and achievable set of rules for assessments and on-site reviews. Review authoritative and regulatory rules and guidance from other industries for inspiration on vendor risk management best practices.
Next Steps in the Vendor Risk Management Journey
Once you have the right vendor risk management program in place, your next step is to choose a system or tool with the capabilities to support the vendor risk management journey over the long haul. Alternatively, you can choose a tool provider that brings proven experience, solutions and roadmaps to the table to guide or accelerate this journey. We’ll dive further into those options in subsequent articles, as well as into how the programmatic combination of the right people, the right process and the right technology allows for effective and efficient vendor governance.
The goal should be to achieve a state of defensible vendor governance through an effective and efficient program, not merely to manage vendor risk. You’ll achieve the latter if you change your mentality about the former.