Prevalent Teams with Aileen Griffith, Former Official of the Federal Reserve Bank of NY, to Outline Four Key Steps in Operationalizing the “Three M’s of Vendor Risk”
Warren, New Jersey – May 20, 2015 – Vendor risk and cyber threat intelligence innovator Prevalent is advocating four best practices to help banks and financial services organizations properly manage vendor risk. The key findings were derived from a recent Prevalent webinar with Aileen Griffith, a former official with the Federal Reserve Bank of New York, who oversaw the implementation of the Bank’s first enterprise vendor risk management program, and include:
- Risk Identification and Assessment: Organizations need to develop a risk-based approach for conducting vendor management activities, including due diligence during the procurement process through review of the vendor’s credit, technology, data privacy, integrity, conflicts of interest, general risk management and certificates of insurance. Segment these efforts by the critical nature and complexity of the service provided; the financial commitment; the criticality of the information and knowledge being shared; and creditworthiness.
- Risk Management: To determine the scope and frequency of efforts to mitigate and monitor risk, organizations need to look at five risk areas – strategic, reputational, compliance, operational and financial – and assign a risk level to each vendor. Once completed, define key roles and responsibilities and include performance reviews, billing and invoicing, and on-site reviews, as well as incident or risk event reporting, in the review process. Performance scorecards, vendor dashboards and satisfaction surveys are also important components of risk management.
- Risk Mitigation: Eliminating and reducing risk throughout the vendor lifecycle – from the contracting phase to pre-engagement, active engagement and finally the post-engagement phase – is a must. Identify common components of risk mitigation, including right to audit, performance metrics, incentives and penalties, information security, testing, indemnification and termination. Determine testing processes and how to structure controls that can detect and prevent risk incidents. Finally, at the end of the vendor engagement, organizations must confirm the return or removal of data from the vendor’s systems.
- Risk Monitoring: Active management and the effective mitigation of risk help to facilitate monitoring activities for organizations. Monitoring risk involves including vendor-related activities in routine enterprise resource management efforts; conducting scheduled due diligence efforts and vendor assessments; performing compliance reviews; periodically reviewing relevant compliance and disclosure statements; and discussing the results of external audits and other reviews, if applicable.
During “The Three M’s of Vendor Risk: Management, Mitigation and Monitoring” webinar, Griffith explained how the environment surrounding data security is changing. “An increasing number of organizations are finding their data at risk due to weaknesses in the security at third-, and in some cases fourth-, party organizations that have been entrusted with sensitive information,” she said.
Also affecting the way organizations approach vendor risk management are changes in regulatory oversight across the banking, financial services, healthcare and payment card industries. “Organizations must engage in high-level discussions surrounding vendor risk and establish frameworks for effectively managing, monitoring and mitigating risk, and these established best practices can help them in these efforts,” continued Griffith.
As a leader in third-party and vendor risk management, Prevalent’s CEO Jonathan Dambrot added, “By adopting these four best practices, organizations will have a better understanding of their operations, and the impact that third-party vendors are having on the risk and reputation of the business. They will also gain greater accountability and responsibility within their organizations, and implement processes that promote better communication and decision-making around the use of third- and fourth-party vendors.”
Access to the complimentary webinar, “Three M’s of Vendor Risk: Management, Mitigation and Monitoring,” is available for download here.
Prevalent is a vendor risk management and cyber threat intelligence analytics innovator with a reputation for developing cutting-edge technologies and highly-automated services that are proven to help organizations reduce, manage and monitor the security threats and risks associated with third-party vendors. www.prevalent.net.
# # #