November 23rd, 2020 • Kimberley Allan
In today’s dynamic operating environment – where significant new challenges emerge on a frequent basis – vendor risk management is getting more attention than ever before from the regulators, senior management, and the board of directors. In recent years vendor risk events have disrupted supply chains, caused IT meltdowns, resulted in data privacy breaches, and impacted organizations in many other ways. In short, poor vendor risk management can – and regularly does – prevent organizations from achieving their strategic goals, including delivering business value.
This blog explores the 5 “W’s” of vendor risk management, to provide a richer understanding of the benefits of vendor risk management for organizations. It’s necessary to be able to articulate these 5 “W’s” clearly so that stakeholders across the entire enterprise engage proactively with vendor risk management and are supportive of that team’s work.
Why is vendor risk management important? How is vendor risk management similar to third-party risk management?
Gartner defines vendor risk management as, “the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.” Vendor risk management specifically focuses on managing the risks the organization faces within the relationships it has with its vendors.
Third-party risk management takes the discipline of vendor risk management and applies it more broadly. Third-party risk management encompasses all of the third parties that an organization engages with, which includes direct and indirect suppliers, partners, agents, consultants, and government agencies. Therefore, vendor risk management is often thought of as a subset of third-party risk management, and in today’s digital environment, vendor risk management could be considered to be a critical element of third-party risk management.
What does a mature vendor risk management program look like?
Vendor risk management programs go through developmental stages. They progress from Ad-hoc, the least mature stage, where there are no defined processes, roles, or responsibilities and the organization relies on manual processes, through Fragmented and Defined, to the more mature stages of Integrated and Agile. At the Integrated stage, organizations will have a framework – complete with policies and processes in place for managing risk and compliance within third-party relationships – which the organization adheres to across teams and departments.
The organization’s approach to vendor risk management will be fully integrated with day-to-day business as usual (BAU) activities. At the Agile stage, organizations will have the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across their vendor relationships, under a single governance framework. To learn more about the stages of development in a vendor risk management program, explore Aravo’s Maturity Calculator.
Where are emerging risks hidden in your vendor management program?
The elements of a good program – including vendor due diligence and vendor risk monitoring – should enable an organization to detect and manage emerging risks as they evolve. The International Risk Governance Council (IRGC) defines emerging risks as “new risks or familiar risks that become apparent in new or unfamiliar conditions.” COVID-19 presented ‘new and unfamiliar’ conditions for all businesses across the globe, meaning emerging risks are an increased threat to many organizations:
• Information security and cybersecurity risk – This is a familiar risk that programs should already be monitoring, and it has been exacerbated under COVID-19. With much of the world’s workforce having to transition to work-from-home conditions as lock-downs were enforced, the controls organizations had for third-parties’ information security and data privacy risk assessments could well be void in the new remote working conditions. Organizations need to make sure that the risk assessments and due diligence they apply to the third parties they work with are revised to take this into account. Organizations should ask what extra steps third parties are taking to manage cyber risk in remote working conditions. Companies should also ask their third parties how cyber risk and information security training is being conducted for their employees.
• Data privacy compliance risk – There’s a growing inventory of data privacy laws that organizations, and any third-parties that touch their PII data, need to be compliant with. As these regulations come into effect, the additional risk of non-compliance can emerge. Organizations need to understand what regulations impact them and ensure their policies and processes reflect emerging requirements. They also need to understand if their vendors are also in compliance with data privacy laws such as the GDPR, CCPA, New York SHIELD Act, etc. Does the vendor have in place the policies and processes to meet existing regulatory requirements and industry standards that the organization must adhere to? How robust is that compliance? What controls are in place, and what is the remediation process if an event, such as a breach, occurs?
• Financial risk – According to RapidRatings research, corporate financial health was declining even before the pandemic hit, and the expectation is that COVID-19 is going to have a significant negative impact on the financial health of many organizations. Now, more than ever before, it is important for organizations to understand the financial health of their third parties – especially their critical providers. A danger is that those organizations that are struggling financially may start to cut back on compliance and security-related costs – putting your business at increased risk.
• Operational resilience and supply chain resilience – An increased focus for both regulators and organizations, operational resilience and supply chain resilience programs should ensure that a business service can recover from a negative event, minimizing the impact on customers and the industry as a whole. What is the operational resilience of a vendor like? What plans does an organization have in place should a vendor suddenly not be able to meet the terms of its contract?
Who is responsible for vendor risk management?
Everyone is responsible for vendor risk management, from those individuals who work day-to-day with the vendor and directly manage the vendor relationship, to those in compliance, risk and audit, all the way up to senior management and the board. Aravo’s Meeting Expectations Of The Board eBook explores the important role that this governance body plays in setting the strategic direction for the vendor risk management program, as well as monitoring its ongoing effectiveness.
Having board support for the vendor risk management program is crucial, and today more boards are recognizing the strategic importance of actively managing the risks within vendor relationships. Robust vendor relationships can enable an organization to be more agile, but boards are also recognizing that unmanaged risks in a relationship can significantly destabilize both the vendor and the organization, potentially leading to poor financial performance and loss of competitive standing. Robust tone-from-the-top, when delivered with a strong vendor management program, can help the entire organization work together to achieve its goals.
When should you consider evaluating vendor risk management software?
Vendor risk management software makes sense when an organization reaches the point in its evolution where it would benefit from automating the vendor risk management lifecycle, starting with vendor onboarding and vendor due diligence. A software solution should also support ongoing vendor monitoring and the vendor performance management process, as well as potential vendor offboarding. Automation through software will help vendor risk management programs at the Ad-hoc and Fragmented maturity levels increase their efficiency as well as their ability to deliver business value.
These 5 “W’s” can be a useful way to frame conversations with stakeholders such as the business, senior management, and the board, particularly when organizations are at the early stages of development for their vendor risk management program. To learn more about where your organization sits in terms of vendor risk management maturity, read our white paper or visit our Maturity Calculator.