Establishing a vendor risk management program doesn’t happen overnight, and it certainly doesn’t happen by accident. Thorough planning, attention to detail, and intelligent use of feedback mechanisms are all integral pieces of the puzzle, but where do you start? And more importantly, how can you leverage those pieces to successfully manage vendor risk and support a key component of your whole enterprise risk management system?
Understanding the Why
First and foremost, your entire company must realize that they are responsible for some level of risk management, even if they seemingly have no impact on the vendor lifecycle. Cutting costs in the quest for profit maximization has led to prolific levels of third- and fourth-party vendors who are responsible for the critical data of others. If that wasn’t cause enough for concern, a KPMG study in 2022 revealed that an astonishing 73% of businesses suffered at least “one significant disruption” caused by a third party over the preceding 36 months.
Buy-in from the top down is needed to ensure that the appropriate level of commitment is fostered throughout all segments of your enterprise. An unconcerned board can show that due diligence is just a formality, leaving the door open to potentially devastating financial and reputational consequences of a cyber attack or data breach.
The Critical Nature of Planning
A structured and well-planned vendor risk management (VRM) program requires a solid foundation. The security posture of your business and its risk appetite are two components that will inform your overall risk management framework and the ensuing policies. Creating governance documents that outline accountability, KPIs, and a general framework for your entire program will set you firmly on the path to success. This underlying structure makes it clear where responsibilities lie, guides workflow, and should codify which risks your organization finds acceptable and which it finds unacceptable.
This is the perfect opportunity to loop in other verticals within your company to find where their security and risk concerns are and how the risk management team can better evaluate vendors applicable to those specific spheres. Emphasizing the need for effective risk assessment that includes an analysis of the vendor’s criticality to your business continuity is also something that should take place in the planning stage.
Determining which security standards apply to certain vendors, whether HIPAA, PCI DSS, ISO, NIST, or others, will also help you organize your vendors by service level. This is also the time to divide responsibilities properly. You don’t want your teams operating in their own bubbles, but you should have separate employees working in risk management/compliance and in internal auditing. The checks and balances this provides will alleviate some concern about missing key details while adding a layer of protection against internal fraud.
Break Down Your Work Into Smaller Components
As we just mentioned, risk assessments should be tailored to the vendor at least by service level, but they must also include a metric that catches critical vendors who might otherwise slip by as low risk. The risk assessment stage doesn’t have to be a pass/fail measurement, and it shouldn’t be. This is where thorough knowledge of enterprise risk appetite comes into play. In this pre-contracting phase, you can detail the specific changes the vendor would need to make for their proposal to be accepted. It’s a time when two companies can find a profitable middle ground through open lines of communication, and it fosters goodwill with a corporation you hope to build a solid relationship with.
Contracting Concerns
Contracting is likely the second biggest area of importance when establishing a vendor risk management program that is truly effective. Building contractual support for your due diligence activities, such as a review of financial statements, on-site inspections, or incident response, leaves you with solid legal ground to stand on should a security incident occur. It also provides you with the opportunity to codify your negotiation, review, and approval process.
Even the contracts of your existing vendors should be reviewed to verify that these items of importance are properly addressed. This is also a great place to include KPIs, when they will be assessed, consequences for not meeting them, and other continuous monitoring concerns. This lets your vendors know that you take your security controls seriously and expect the same from them. Risk mitigation written into your service level agreements also benefits all parties in the long term.
Detailed Risk Assessments
We’ve laid out a rather broad overview of the important segments of the vendor risk management lifecycle. When it comes to beginning the process of assessing a vendor, where do you begin? The most common area to start is cybersecurity risk, which is exactly what we recommend. While there are a host of privacy, legal, reputational, and financial risks, a vast majority of those can be uncovered by an assessment of the information security risk posed by the relationship.
You should leverage third-party security scorecards or reputational scores to your advantage and ensure that those vendors with access to your sensitive data have been identified and subjected to a higher level of due diligence and continuous monitoring. The same applies to third- and fourth-party vendors that will have access to any of your networks. Remember that the massive Target data breach of 2014 was perpetrated by compromising the credentials of a store’s HVAC contractor.
Where Flexibility Comes Into Play
It may seem counterintuitive that we’re going to recommend a fair amount of flexibility within your vendor risk management program, but it plays a significant role. While some control frameworks leave little flexibility, it’s important to note that a blanket approach to risk mitigation is likely to fail and even more likely to miss key aspects when managing vendor risk.
A good place to start is to look at the control environments your entity is subject to, compare those to the security controls in place within your vendors (both prospective and current), and then conduct a gap analysis to identify areas of concern. This allows the negotiation mentioned earlier to close the gaps detected between the controls and better protect both parties. The outcome may simply be that more frequent reassessments are necessary, or it may mean that semi-annual on-site inspections need to take place, or anything in between.
Risk Management Tools and Automation
Suppose you have properly conducted your planning, risk appetite analysis, and vendor categorization. In that case, it’s likely that you now have a long list of third parties who need scheduled risk assessments, due diligence, contract management, and other recurring tasks. This is where the selection of a quality risk management program comes into play.
I’ve seen it frequently recommended to select your program first and then tailor your risk management activities to your chosen VRM program, and I strongly disagree. As an entity, you and your stakeholders should come together and determine the direction your risk management activities will take. Once you have built out the framework of your third-party management, only then can you truly see where applications or automation can assist you without compromising your concerns.
Automating the redundant and repetitive tasks within your vendor management plan will allow your employees to apply their skills where they are more effective than compiling routine reports and tracking contract dates. You can task your program with collecting RFPs, distributing and receiving questionnaires, tracking contract renewal dates, cataloging submitted reports, and generating exception reports. Flagging outliers in the data the system routinely scans also presents an opportunity to apply machine learning, making your VRM program even better at detecting trends outside the norm and forwarding them for human review.
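As an added illustration of the exception-report automation described above (example code, not the author's or Venture Risk Management's tooling), the Python below applies a tier-based reassessment cadence, a contract-renewal window, a scorecard-drop threshold, and the rule that vendors holding sensitive data belong in the top tier to a constructed vendor inventory. The cadences, thresholds, record fields, and vendor records are all assumptions made for this example.

```python
from datetime import date, timedelta

# Constructed reassessment cadence per criticality tier (an assumption for this example,
# not a figure from the article); higher tiers are reassessed more often.
REASSESS_DAYS = {"critical": 180, "high": 365, "low": 730}
RENEWAL_WINDOW_DAYS = 90    # flag contracts that renew within this many days
SCORE_DROP_THRESHOLD = 10   # flag a third-party scorecard drop of this many points or more
AS_OF = date(2024, 6, 1)    # fixed "today" so the sample output is reproducible

def vendor_exceptions(vendor, today):
    """Return the exception reasons for one vendor record (empty list if none)."""
    reasons = []
    due = vendor["last_assessed"] + timedelta(days=REASSESS_DAYS[vendor["tier"]])
    if today > due:
        reasons.append(f"reassessment overdue by {(today - due).days} days")
    days_to_renewal = (vendor["contract_renewal"] - today).days
    if 0 <= days_to_renewal <= RENEWAL_WINDOW_DAYS:
        reasons.append(f"contract renews in {days_to_renewal} days")
    drop = vendor["previous_score"] - vendor["current_score"]
    if drop >= SCORE_DROP_THRESHOLD:
        reasons.append(f"security score dropped {drop} points")
    # A vendor with access to sensitive data should never sit below the top tier
    if vendor["handles_sensitive_data"] and vendor["tier"] != "critical":
        reasons.append("handles sensitive data but is not tiered critical")
    return reasons

def exception_report(vendors, today=AS_OF):
    """Map vendor name -> reasons, listing only vendors with at least one exception."""
    return {v["name"]: r for v in vendors if (r := vendor_exceptions(v, today))}

# Constructed sample inventory (fictional vendors and dates)
SAMPLE_VENDORS = [
    {"name": "PayrollCo", "tier": "critical", "last_assessed": date(2023, 10, 1),
     "contract_renewal": date(2024, 12, 31), "previous_score": 85, "current_score": 84,
     "handles_sensitive_data": True},
    {"name": "HVAC Services", "tier": "low", "last_assessed": date(2024, 1, 15),
     "contract_renewal": date(2024, 7, 15), "previous_score": 80, "current_score": 65,
     "handles_sensitive_data": False},
    {"name": "CloudBackup", "tier": "high", "last_assessed": date(2024, 3, 1),
     "contract_renewal": date(2025, 3, 1), "previous_score": 90, "current_score": 91,
     "handles_sensitive_data": True},
    {"name": "OfficeSupply", "tier": "low", "last_assessed": date(2024, 5, 1),
     "contract_renewal": date(2025, 5, 1), "previous_score": 70, "current_score": 70,
     "handles_sensitive_data": False},
]

if __name__ == "__main__":
    for name, reasons in exception_report(SAMPLE_VENDORS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Only vendors with at least one flagged condition appear in the report, so a clean inventory yields an empty dictionary rather than a list of routine status lines.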
Leveraging Additional Vendors
Establishing a vendor risk management program doesn’t have to be solely an internal task. We mentioned tracking security scorecard ratings earlier as a way to assess some of the risks presented by a vendor. Combined with reputational scores and other metrics, these ratings can provide a lot of insight into your prospective vendor's standing among other third parties. There are various subscription services that you can purchase that provide access to ratings of this nature and also provide real-time updating and event notifications for noteworthy incidents.
You can outsource some or all of your third-party risk management to a vendor. The advantage is that you are using industry experts to conduct various tasks on your behalf. Small businesses can use this to contract out the VRM process wholly, and large businesses can use it as a force multiplier, leaving other tasks to their internal risk management personnel. At Venture Risk Management, we offer various services, including active cyber risk monitoring, due diligence and performance reports, and even supply chain Nth-party monitoring. Contact us today to see what custom options we can offer your business to better manage your specific risks.