You Struggle with IT Vendor Risk Management (But You Don’t Know Why)

By Chris Murphey

Taking a step back and reframing a problem can sometimes shed new light on the solution. Most organizations struggle with vendor risk management, and despite working hard to improve it, it remains a continual challenge. One way to reframe it is to compare vendor risk management with how you handle third parties in your life outside of work.

In your personal life, you pay many different third parties to provide you with a particular service. Your kid’s after-school sports program, your favorite golf course where you hit a bucket of balls after work, the gym where you work out consistently (or maybe not so consistently), or the grocery store you stop at for a quart of milk. 

Now imagine if instead of paying each of these vendors for a service, you had to evaluate each of them personally. Have all of the coaches had a background check? What kind of pesticides did they use on the fairways? Is the gym equipment maintained regularly? Was the cow that gave me this milk treated ethically?

You’d be crippled by the complexity of those evaluations and the time it takes to complete them. You’d never get anything done since you’d be in a near-constant state of vetting and managing the services that make your world go round.

In many ways, this scenario is exactly what is playing out in your organization’s vendor risk management efforts, and it’s why you’re not alone if you’re struggling. 

According to a recent study by Deloitte, 94.3 percent of executives have low to moderate confidence in their third-party risk management tools and technology, and 88.6 percent have low to moderate confidence in the quality of the underlying risk management processes.

What are the real challenges of IT Vendor Risk Management?

Most CISOs and their teams mistakenly think that the administration of the vendor risk management (VRM) program is where the challenges lie. It’s not. In reality, it gets hard because when you hire vendors, you’re trying to extend the operations of your business into another company.

How many times have you asked a vendor, “Can you give us your SOC 2 Type 2?” (or substitute your favorite: ISO 27001, HITRUST, FISMA High, etc.)? And how many times have you asked for a level of certification beyond what your own organization holds?

Chasing a standard that you yourself may not have enacted is why IT Vendor Risk Management is so challenging. You’re forcing your organization to manage all of the minutiae of another organization, and it’s just as disruptive to your momentum as it would be if you personally managed your kid’s soccer team, the golf course, gym and grocery store.

Instead, you should be approaching your vendors from a shared governance perspective, which you’ll be familiar with if you’ve spent time in healthcare or higher education. And if you haven’t, it’s basically a concept about creating accountability for a system on both sides of the equation—in this case, managing risk in your organization and your vendor’s.

This shared responsibility is exactly how we keep things moving in our personal lives. You know the organization that runs your kid’s soccer team does background checks on coaches. If the law changes and those checks need to be done more frequently, it’s in the organization’s best interest (and your child’s) to comply with those changes so they keep parents happy and ensure they keep coming back season after season. You check once that these measures are in place when you sign up, and the organization does the rest. In essence, it’s automated.

A GRC platform helps create the same type of shared governance between your organization and your vendors by automating compliance and enabling continuous controls monitoring. Instead of extending your operations to other organizations to manage your risk with these vendors or struggling to monitor regulatory change, the platform does it for you. 

And that is what allows you to focus your energy on the business at hand, instead of the complexities of IT Vendor Risk Management.