Blog Author: Thomas J. Canova, Co-Founder and CMO, Modevity
Third-Party Vendor Risk Management (VRM) is an important part of the overall risk management landscape for enterprise organizations. Most corporations have thousands of suppliers: the fast-moving consumer goods company Procter & Gamble states that it has over 75,000 suppliers.
These suppliers are responsible for everything from software to raw materials, from components in the product supply chain to vital infrastructure needs.
Your company’s security, operations and reputation are only as good as its weakest link, so it’s vital to ensure that all of your suppliers are held to high standards: thoroughly vetted, risk rated, and monitored regularly for adherence to company policy and regulatory compliance.
Third-Party Risk Categories
Third-party vendor risks fall into a range of categories:
· Compliance Risk: It’s important to ensure that any regulatory requirements your organization must abide by, such as data storage policies and the varied regulations that apply to any part of your business the vendor handles, are also supported by your vendors.
· Cybersecurity Risk: How robust and secure are the cybersecurity defense capabilities of your vendors? A data breach at a vendor can put your company’s proprietary or customer data at risk, so it’s essential to make sure that each vendor has strict cybersecurity procedures in place to minimize both the likelihood and the impact of a security breach. A strong cybersecurity strategy is to hold each vendor to the same standards that your organization has in place.
· Financial Risk: Is a vendor in an unstable financial position? Is the vendor likely to become insolvent or go out of business? This can significantly impact your company by causing an unexpected operational disruption or a break in your supply chain. It could mean that your organization is unable to fulfill its contractual obligations to customers, causing a loss of revenue and harm to your reputation.
· Operational Risk: How likely is it that the vendor would be unable to fulfill their contractual commitments to your organization? If this happened, how would it impact your operations? Make sure that you are aware of your vendors’ business continuity plans, and that your business has its own continuity plan.
· Reputational Risk: Any adverse event or incident involving a vendor can also impact your organization’s reputation. This covers a wide range of adverse incidents, including violations of laws or regulations, loss of customer data due to negligence or a data breach, or questionable behavior or controversial statements by executive leaders.
· Strategic Risk: Do the vendor’s decisions align with your own organization’s strategic objectives? This might include decisions around technology use, competitors, or even ethical questions. Make sure that your organization has a thorough understanding of your vendors’ values and long-term plans to ensure they are compatible with yours.
A Vendor Risk Checklist
A VRM checklist might include items such as:
· Review each vendor’s contracts and policies to check for compliance issues with your own standard policies and industry requirements, and ask for accommodations if necessary
· Conduct an audit of what types of employee or customer data each vendor needs access to, and make sure that their access is limited to that scope
· Review each vendor’s cybersecurity policies and procedures and determine whether they comply with industry requirements and your own organization’s guidelines
· Evaluate the level of potential harm to your organization or customers in the event of a breach via a vendor, and determine whether mitigation strategies may be necessary
· Review each vendor’s incident response plan
· Evaluate each vendor’s business continuity plan
· Evaluate and monitor each vendor for credit risk, financial health, and bankruptcy filings
Manually managing vendor risk
In many organizations, compliance managers go through a line-by-line inventory of vendor compliance requirements. They also send assessment questionnaires and conduct interviews with vendors to determine whether vendor policies are in line with the organization’s policies, and often conduct on-site audits to assess the work environment of critical vendors. This process is time-consuming and can be problematic, and it often results in duplication of work, as employees from different departments may conduct similar audits without sharing information.
In addition, responses aren’t always reliable: a recent Supply Chain Survey found that only 14% of risk practitioners trusted that third parties’ security precautions matched the self-reported responses from their questionnaires. In fact, 31% of respondents said they had vendors that they considered a material risk in the event of a breach.
With a manual process, most VRM is done during the onboarding stage and then at timed intervals, which may be only quarterly or once a year. Apart from these occasions, your organization may have no visibility into changes to your vendors’ technology, financial performance, or business strategy. When manual processes are used, there’s a lack of visibility into the ongoing status of your vendors’ compliance and other risk factors, which may leave your own organization vulnerable.
Implementing an Automated VRM Process
Many forward-looking organizations are moving to a VRM process that’s driven by artificial intelligence and automation. Implementing an automated VRM process will substantially reduce the amount of manual labor required of your team and provide the opportunity for continuous monitoring, enabling you to identify vendor risks early. This way, you can develop a risk mitigation approach before those risks cause damage to your organization.
An automated VRM solution should:
· Pre-qualify and On-Board Vendors – A high-quality solution should integrate data that checks a prospective vendor’s security performance before you commit to working with them, so you can rule out those with security concerns.
· Classify Vendors According to Risk Level – Only certain vendors will need access to proprietary data or touch your company’s infrastructure, and this subset of vendors requires careful monitoring. Your solution should identify these vendors on your behalf.
· Implement a Vendor Assessment Solution to automate vendor questionnaires and responses.
· Implement a robust Vendor Risk Scoring and Risk Rating System at your organization to get vital background due diligence data on the vendors in your supply chain.
· Implement an automated Vendor Risk Rating Monitoring solution to get updates on and changes to red flags such as criminal records, sanctions, PEPs (politically exposed persons), lawsuits, judgments, liens, bankruptcies, etc.
By implementing an automated VRM solution, your company drastically reduces the manual and repetitive work needed to track risk and compliance, and gains access to real-time data that will help you determine when risk levels are elevated for any vendor. Moving to an automated system will help you move beyond mere compliance into continuous vendor risk rating, vetting and monitoring, providing your organization the vendor data intelligence it needs to detect varied risks early and to mitigate them quickly. With an intelligent, automated VRM solution, your organization will be able to streamline and enhance its overall Third-Party Vendor Risk Program.
Modevity – Experts in Third-Party Vendor Risk Management Services & Investigative Due Diligence Reporting. Modevity is headquartered in West Chester, PA. Find out more at www.modevity.com