As data breaches and privacy violations are increasingly traced back to vendors, suppliers and other third parties, most organizations are looking to either launch vendor risk management (VRM) programs or mature their existing programs. Over the past 15 years working with hundreds of organizations, we've found that VRM programs are usually driven by one of three objectives. In this post, we'll break out these drivers and discuss the motivations for each.
Automation-centric VRM programs usually start as a reaction to a personal pain, such as a heavy workload or too much complexity.
These programs tend to be championed by an individual, often in procurement, looking to expedite vendor onboarding and due diligence. Spreadsheet-based vendor assessments are often cited as a pain, with back-and-forth emails, version control issues, and inconsistent processes creating headaches for everyone involved.
Automation-driven vulnerability risk management initiatives tend to be more of a project than a program. As such, they lack the oversight of more mature programs tied to governance, risk and compliance (GRC) efforts.
Organizations with automation-driven VRM objectives are usually characterized by:
There’s nothing wrong with starting your vendor risk management program here. In fact, many successful VRM programs begin by eliminating the manual processes that can miss security control gaps and increase the risk of data breaches.
Moving up the maturity scale, compliance-driven programs arise from the need to address one or more regulatory requirements.
When you work with third-party vendors to handle and process data, it doesn't mean that your organization is no longer accountable for security risks to that data. That's why several government regulations and industry frameworks mandate third-party risk management practices. Here are some examples:
This is the point at which organizations realize they need a program, not a project. Only an ongoing, structured program can both proactively manage third-party risk and produce the required documentation for both external and internal audits.
Organizational characteristics that drive this type of program include:
Many regulations and frameworks require external, continuous risk monitoring in addition to periodic vendor risk assessments. See the table on our compliance capabilities page to learn more about specific requirements for assessments and/or monitoring. For simplicity, Prevalent offers the Prevalent Compliance Framework (PCF) questionnaire that enables you to map the answers to any number of regulatory or control frameworks, which greatly simplifies the compliance reporting process.
The most mature VRM programs are driven from the top-down by strategic risk management programs, with compliance being a natural byproduct of these initiatives.
Organizations with risk-driven VRM programs tend to have a good grasp of who is in their vendor ecosystem and can usually quantify their risk to some extent. They intertwine vendor risk management frameworks with broader GRC/IRM programs, and they often secure the services of one of the Big 5 audit firms for outsourcing or program management. However, these organizations often still wrestle with manual processes, limited analysis capabilities, and silos that can hamper risk-based decision-making.
Typical characteristics of risk-driven VRM programs include:
Truly risk-driven vendor risk management programs are rare outside of large, highly regulated organizations with sufficient resources, vision and scale. These programs usually achieve optimal levels of VRM maturity with a hybrid solution comprised of a unified, automated third-party risk management platform backed by assessment services and professional services.
Organizations at this level often go beyond core assessment and monitoring, leveraging their TPRM solutions to handle vendor performance management, address data privacy challenges, and conduct internal risk assessments
Shella Gentry, information security analyst, discusses Blue Cross and Blue Shield of Kansas City's vendor risk management program.
The path to VRM program maturity is not easy. However, by investing in the right people, processes and technology, you can increase productivity, strengthen vendor relationships, and ensure business continuity for your organization.