Does anyone remember the days of locked file drawers? Companies would retrieve needed information, use it, then return it to a safe place. There was no internet, no online access, locks were our state-of-the-art security measures, and breaches were investigated by finding out just whose desk the errant file was on. Today, we live in far different times. Data has migrated from file folders to retrievable databases, no longer on discrete servers, but in the amorphous cloud.
Just as data has migrated, so have many functions. With increasing size and complexity, many companies have moved a portion of their daily operations from in-house employees to outside vendors. Even those vendors have vendors, making the task of vendor risk management increasingly difficult. In fact, according to this CSO article, a study found the average company’s network is accessed by 89 vendors every week. Two thirds of companies polled in the study weren’t confident they even knew how many vendors had access to their sensitive data. One thing we do know: the number of those outside vendors is only going to rise. Three-quarters of those same companies noted they were using more vendors than they had in the two previous years and 71 percent projected increased reliance on vendor support.
While companies can outsource operations, one thing they can’t outsource is vendor risk management. Consider recent examples of breaches that originated with a vendor and the staggering fines that followed: Target, AT&T, and Home Depot, just to name a few. Some estimates attribute more than 60% of data compromises to vendor relationships, and those are only the incidents that have been reported. Surprisingly, many companies simply trust their vendors’ processes, while building their own vendor risk management capability rarely makes it to the top of the expenditure priority list. By failing to take control of their potential exposure to vendor-related regulatory and legal violations, data and systems breaches, and reputation damage, companies put their core operations at risk, not just a single vendor relationship or function.
As with everything in business, “trust but verify” is a necessary approach in managing vendor risk. To pave the road for a reliable and verifiable vendor risk management program, start with prioritizing these basic steps:
Establish ownership and centralize
Vendor risk management needs to be part of a holistic risk mitigation strategy, which means it is centrally managed and controlled. While overall management should be centralized, buy-in on risk awareness and best practices needs to be cross-functional and owned by every department. To accomplish that, leadership should have, and clearly convey, a vendor risk management picture and road map.
Know where you are
Before you implement a vendor risk management program, perform a high-level assessment of your existing risk mitigation measures, mapping any gaps or deficiencies against your industry’s and your company’s needs. Then drill down to each individual vendor and evaluate that relationship against your risk exposure tolerance.
Know where you want to go
Once you’ve established where you’re starting from, determine your desired end state and map a course to get there, including the capabilities, resources and costs you will need to execute. Think integrated, replicable, and ongoing risk management. Plan for emerging threats, and know how you will respond to them.
- The best vendor risk management programs are seamlessly integrated into data-driven, automated processes. You’ll need to consider your technology platforms, your data management configuration, and the modifications needed to integrate your vendor risk management activities into them.
Assess, Assess, Assess
Do more than an initial assessment of a vendor’s risk management practices. Develop a plan of periodic assessments and regular monitoring of your vendors’ operations to surface any deficiencies or gaps. Determine your own risk tolerance with regard to your vendors, and don’t hesitate to end a vendor relationship if a vendor’s risk management practices fall short of your requirements.
We hope you are part of the one-third of companies who DO know the extent of their vendor risk exposure. The next step is developing and implementing a centralized, well-integrated, and ongoing vendor risk management program.