A few thoughts on Vendor Risk – One of the key problem areas of enterprise risk management is vendor risk. Managing hundreds to thousands of vendors, suppliers, outsourcers and other third-party relationships is difficult in the best of financial times. With shrinking budgets and fewer staff, how can vendor risk management be performed correctly?
These same shrinking budgets are forcing more companies to cut costs by outsourcing critical processes and systems containing confidential information. This makes the challenge of managing vendor risk and compliance even more difficult.
Business and regulatory mandates are pressuring C-level officers to focus on compliance and privacy requirements. This detracts resources from business operations and revenue generation. Moreover, the lack of standards or acceptable metrics to assess risk serves as a constant distraction for vendors completing multiple audits for their clients. Sometimes these audits are performed hundreds of times per year, costing the vendor time, money and the opportunity cost of not applying human capital to other projects.
Many organisations are not able to adequately defend their selection of vendors or the ongoing use of those vendors. The mere task of performing due diligence and risk modelling on vendors is cost prohibitive and beyond the ability of most organisations.
Establishing a vendor risk management programme is a challenging undertaking. The process increases in complexity because of the large number of participants from the enterprise (e.g. procurement, information and physical security, legal and regulatory compliance) and the vendor (e.g. sales, security, information technology, legal and human resources).
Seven Steps to Vendor Risk Management:
These seven steps are key for establishing a cost-effective vendor risk management program: –
1. Corporate Governance:
The place to start is with a strong internal governance system and policies. Establishing a corporate-wide policy creates a solid foundation for the program. It is required before you can get all the organisations within the business to participate.
2. Vendor Contracts:
Contracts are the starting point from a vendor management perspective. Getting the necessary terms and conditions agreed upon is imperative from the beginning of the relationship. Key areas of consideration are “right to audit” and “security requirements”.
3. Risk Assessments:
There are three components of a complete vendor risk assessment: relationship risk, business profile risk and control risk. To perform due diligence, it is necessary to know what to review and what evidence to gather. When performing a risk assessment, there are a number of high-risk controls to measure, and certain red flags that will alert the auditor to problems.
4. Remote Audit:
Remote Audit or put simply the use of a questionnaire to gather key information about your vendor is an essential first step in the evidence gathering process. However there are pitfalls here, as this is a resource hungry process and the results can be varied.
5. Onsite Audit:
The key to an effective on-site audit is being prepared. Establish an audit plan that focuses the due diligence effort on critical areas that will result in correctable high impact findings. Watch for “red flags” that may indicate possible problems within the vendor’s environment.
Concise audit results are critical in providing guidance for the different areas within the organisation to review (e.g. procurement, legal and security). The organisation should review the risks identified in the report and require the vendor to correct areas of weak control to be in compliance with organisational requirements.
7. Risk Monitoring:
Ongoing risk monitoring or Continuous Monitoring is required to keep abreast of any significant changes to your vendor’s environment. Key areas to monitor include the company’s financial health, business continuity plans and security controls. A sudden change in any of these areas could significantly increase the risk the vendor poses to the organisation.