We don’t really know what all the fuss is about. After all, the process of assessing your third parties isn’t that difficult, is it? Determine vendors to assess. Design questionnaire to assess vendor. Send questionnaire to vendor. Receive questionnaire back from vendor. Ask vendor for more information. And more information. Wait. Wait some more. Get answers back from vendor. Populate spreadsheet. Upload to SharePoint. Tell vendor where they’re short on controls and need remediations. Perform some validation stuff. Report on said controls. Repeat for the next <insert number here> vendors. Then do it all again next year. For all of them. Easy, peasy, lemon squeezy, right?
Wrong. Very, very wrong. Couldn’t be any “wronger” in fact.
The last few years have brought significant change to the otherwise soul-crushing practice of third-party risk management. Growing standards to aid in reporting; more automation to reduce the burden of assessing your vendor ecosystem; and increasing numbers of professional services practices all point to relief on the horizon for over-burdened risk management teams.
So, with the current state of third-party risk management in mind, here’s a look at the coming year in the eyes of our team of experts: Brad Hibbert, COO & CSO; Alastair Parr, Sr. VP of Global Products & Delivery, and Brenda Ferraro, VP of Third-Party Risk.
Although it’s clear that vendor risk is a key discipline that must be embraced, risk managers continue to struggle to gain the visibility, support and required investment to implement a strategic, enterprise-wide program. As a result, a recognized lack of consistency and urgency continues to exist in how vendors are being managed and monitored across the extended enterprise. As a result, the management of risk and efficacy of the program is severely limited.
Even in cases where vendor risk has appropriate visibility supported by a clear business or compliance driver, common tasks from getting an accurate source of vendor profiles and contact information internally, to soliciting assessment responses, to demonstrating program value to executives, all continue to challenge program success. As organizations continue to feel the sting of vendor failings, we see them thinking more strategically about their vendor management programs.
Vendor intelligence tends to be scattered and hidden across the silos of various sourcing, supplier, contract, operational, risk and security tools. As organizations continue to rely more heavily on products and services delivered by third parties, we see the role of Vendor Managers and Vendor Management Offices expanding beyond the traditional technical and compliance lens to include a more comprehensive viewpoint that spans strategic, financial, legal, sustainability and operational risk. While Vendor Managers and Risk Managers may not be responsible for remediating identified risks, they will be responsible for collating, quantifying, prioritizing and communicating these risks to the responsible internal parties.
To support this more strategic viewpoint of vendor risk, we see an evolution of vendor risk management products maturing to support broader programs with advances in feature sets and in tighter integration with internal systems and departments. We have already seen an increased frequency of client requests for integration into ITSM and GRC solutions. We expect these integration requests to continue and expand to include other internal business and risk management systems.
We see the mindset moving beyond the dreaded compliance requirement that is often bypassed, into a strategic and enabling program that has the support and visibility at the executive and board levels. While this evolution is exciting and expands the value of the program across the various departments that rely on and support the vendor relationship (e.g., legal, procurement, IT), we believe the primary use case and business justification in 2020 will continue to be to proactively address compliance controls; to address one or more audit findings; or to respond to a security incident or data breach.
One of the core – and sometimes daunting – requirements of a vendor management program is the process of assessing the vendor using a control-based questionnaire. Typically, this survey process is initiated as vendors are on-boarded and then set on a pre-defined interval based on vendor criticality and/or exposure with the majority being scheduled on an annual basis. However, in today’s dynamic and interconnected business environments, risk information that is 12 months old is beyond stale.
This restricted and dated vendor information has many organizations questioning relevance of vendor risk analysis and its value in related decision making. For example, if a vendor has implemented new processes or technology to address specific control areas, an organization should not need to wait until the next annual reassessment to gain visibility into these investments. Organizations are looking to move away from “point-in-time” assessments towards a more continuous evaluation methodology. Organizations are working in dynamic environments where competitors, security, compliance, and other factors can change rapidly. To remain effective, TPRM programs must be able to adjust.
As organizations look to scale their vendor programs, increase the frequency of updates, and expand the scope of risk visibility all in an effort to improve program value, they also struggle with analyzing, prioritizing and responding to the increasing volume of information. Which vendors should I focus on? What risk elements should I care about? Which remediation will have the greatest overall impact of improving security and compliance posture? To increase program capacity and effectiveness, organizations must begin to embrace advanced analytics to provide additional insights and automate processes such as identifying outliers, creating automated findings, recommending remediations, and triggering automations and workflows.
Security ratings services are an important input to provide visibility into where a company’s public-facing exploitable risks might be, but customers have come to the realization that external scanning only tells half the third-party risk story. What has resulted from this evolution is that the SRS tools vendors are all forced to compare their speeds and feeds – who has the best dark web scanning, who includes the most inputs, etc. – which tells us that the current SRS market will continue to commoditize. What you will see in the next 12 months is less focus on the threat feeds (they are all getting pretty good) and more focus on integrating the provided intelligence into a broader risk management process that includes additional context, quantification, prioritization and remediation capabilities.
What are your thoughts on the coming year in third-party risk? We’d like to get your feedback! And stay tuned for next week’s part two of our take on the coming year in TPRM.