As the old saying goes, “You gotta hope for the best, and plan for the worst”. Whether you’re just starting your business venture or have been operating for decades, this axiom holds true from day one. Potential disasters can exist around every corner, and it’s important to be able to project what those could be and how you would handle them.
In fact, it’s how we approach everyday life. If you have an appointment to get to, you don’t want to be late. Let’s say you don’t drive, so you must rely on a third-party service to get you there, a bus, taxi or ride-sharing service. You’re putting your trust in another entity’s ability to get you there on time, but you’ve been doing this long enough to know that stuff happens, and you come up with a backup plan, just in case.
Vendor Risk Management (VRM) can and should be just as focused on mitigating potential issues in maintaining good Governance, Risk Management and Compliance (GRC). In today’s changing landscape of digital transformation, one generally doesn’t spend exorbitant resources on re-inventing the wheel. If a third-party has already come up with an excellent solution integral to your business, using it will get you out of the gate more quickly and save you money.
Understanding the breadth of risks that comes along with pulling in vendors is the key. For example, Cyber risk permeates this digital theatre, owing to a continued increase in the adoption of data privacy regulations around the world. A careful review of your third-party vendors can illuminate risks beyond their own domain, to their vendors, and their vendors and so forth – possibly leading to a need to consider even fourth- or fifth-party vendor risk. What are some of the basic steps you can take to manage these risks?
Identify all third-party vendors and their contact information.
Maintain a record of every vendor you bring on board, including their contact information, terms of service and other relevant details. If your company has been around for years, you may have this information recorded already, but is it complete? Are the contact details accurate and up-to-date? Do your records accurately represent all of the vendors currently associated with your company?
Gather information about the vendor’s own risk management.
Your third-party vendor is a business as well, selling you a solution that meets your needs. If they’ve been responsible and maintain their own VRM process, you need to communicate with them to determine what steps they take to mitigate a potentially damaging outcome due to a failure of their product. Having this information empowers you to build your own plan to address the impact of such a failure.
Evaluate the risk associated with third, fourth and Nth-party vendor solutions.
As noted earlier, you’re usually working with a third-party because they already provide a solution that meets your needs without having to create your own, and oftentimes that vendor may work with external vendors or suppliers to meet their own needs. Even if you have fully vetted your third-party vendor, can you be sure that the fourth-party vendor is fully vetted as well? Unfortunately, when third and fourth parties are introduced, your organization’s responsibility is not pushed down to the vendors.
Plan how you can mitigate the potential damage as a result of a failure of your Nth-party vendor.
Now that you have plenty of information about your vendor and their own VRM process, you can build a plan to protect your company in a worst-case scenario. In fact, you will want to plan for any level of impact, not just a doomsday scenario. Is this a situation wherein a problem arises that has a low impact on a daily business?
Perhaps it has merely created a bug that’s more of a nuisance than an all-out failure. In the world of instant news via the likes of Twitter and other social media channels, though, a seemingly minor issue can balloon into a public relations nightmare. Planning ahead with steps to mitigate issues on many levels will give you the confidence to address these issues quickly and efficiently.
Plan out your VRM program before selecting a tool.
An optimal VRM program will look different for each organization, it’s important to figure out what success looks like for your organization. As a rule, medium-sized and large organizations will want to stay away from manual processes. Do away with spreadsheets, as they aren’t manageable or scalable. You will want to assess your vendors on a continuous basis, adhering to internal or regulatory changes. If you don’t know what the program should look like, start with a strategizing session to lay out an initial roadmap.
Celebrate the small wins.
Implementing a VRM program can be a massive overhaul. Don’t try to implement the entire program in one go. Instead, prioritize which vendors to assess first, then identify small, achievable milestones that can be accomplished relatively quickly (1-2 weeks). Quick wins will help get buy-in to the program and improve user adoption.
Rinse and repeat.
The final level of managing your third-party risk is to continue doing just that. This is not a set-it-and-forget-it practice. Not only do you need to keep on top of your “tier one” vendors’ risk assessments, but you will also want to continue to drill down to other tiers.
Changes in policy and regulations, both internally and externally, may also affect the level of risk that you’ve already set for a vendor, and it could change your approach to mitigating the outcome. Once you’ve implemented a VRM program and have seen what’s working, you can fill in the gaps and continue to optimize your program.
NewRocket offers services and solutions that can help you streamline this process and stay on top of the changing landscape of Vendor Risk Management. Step away from the spreadsheet. We provide services that make assessing risk and establishing plans and procedures simple, painless and easy to follow through. We also offer workshops that can set you on the right path to building a solid third-party risk plan that integrates with your overall GRC or IRM strategy. Contact us today to find out more.