The Key to Building an Effective Vendor Risk Management Program

The Key to Building an Effective Vendor Risk Management Program

The Key to Building an Effective Vendor Risk Management Program
 The Key to Building an Effective Vendor Risk Management Program 
Ignore this rule and your vendor risk management program will fail, guaranteed. For more information about TPRM, please refer to the Beginner's Guide to Vendor, Supplier and Third-Party Risk Management.
Having worked in various capacities in the vendor risk management (VRM) space, I have learned that there exists one golden rule that must be remembered and followed when implementing and maintaining a vendor risk management program. Break this rule and you will always have chaos and disorder when managing the risks associated with your vendors or third-parties. A Vice President (VP) of Vendor Risk Management shared this golden rule with me when I served as her de-facto vendor risk manager. 
Download Also:
During her tenure, the VP hired me to lead the vendor risk assessment process for the organization. We normally met once a week to discuss the progress of the vendor risk management program. During one of our meetings, she shared with the team her golden rule for vendor risk management. It was after our weekly meetings with her that I left the office to reflect on her golden rule as I was intrigued by her insight. After ten minutes of contemplation, I realized that her rule hit at the heart of vendor risk management. 

Risk assessments are at the heart of a vendor risk management program. Effective vendor risk management programs should enable organizations to properly identify, analyze, assess, mitigate and monitor vendor or third-party risks. Failure to do so will result in a weak vendor risk assessment process that hinders organizations from maximizing the benefits of utilizing vendors or third-parties while minimizing the risks associated with them.

Step 1: Identifying the risks  

One cannot control something that one does not understand. Organizations need to understand the risks associated with their vendors or third-parties in order to maximize the benefits of utilizing them and to minimize the risks. 

Understanding the risks associated with vendors or third-parties requires that organizations first identify them. To accomplish this goal, an organization should leverage a tool that enables them to identify the risks "inherent" to the type of products/services provided by the vendor or third-party. Many organizations with a manual vendor risk assessment process build a risk identification tool utilizing Excel or SharePoint whereas other organizations use the features of their automated vendor risk management solution. 
Regardless of whether the process is manual or automated, the organization should utilize a risk identification tool to capture specific information about the vendor or third-party and the products/services they provide. Once all of the relevant information is captured in the risk identification tool, the tool should produce an inherent risk score which correlates to the level of risk associated with utilizing the vendor or third-party. The level the risk should indicate how critical the vendor's product/services are to the organization. 
In addition to indicating criticality, The inherent risk score should also indicate whether a vendor risk assessment is needed and the type of risk assessments required to assess the maturity of the vendor's or third-party's controls. By using the inherent risk score to indicate whether due diligence is required and the level of due diligence, organizations ensure that their vendor risk assessment process follows a risk-based approach. As a general rule, the more critical the products/services are to the organization, the more due diligence that is required.

For a list of questions asked in an inherent risk identification tool, please refer to the Sample Risk Identification Tool Questionnaire .

Step 2: Analyzing the risks  

Analyzing the risks requires that organizations engage the right subject-matter experts to perform the risk assessments. 

Once the inherent risk score is calculated and the level of due diligence is determined, the subject-matter experts for each risk assessment area should provide their opinion on the results of the risk identification tool. Although the risk identification tool helps to identify the inherent risks, the subject-matter experts should review the results of the tool as they will conduct the risk assessments for their respective risk areas. 
Engaging them prior to sending the applicable vendor or third-party risk assessments ensures that a risk-based approach is taken when conducting the risk assessment as they may decide that only certain aspects of their respective risk questionnaires are relevant to the vendor or third-party. Once the subject-matter experts confirm the inherent risks identified by the risk identification tool, the applicable risk questionnaires with a specific document request list should be sent to the vendor or third-party. 
The vendor or third-party should provide their responses within a specific time frame along with their supporting documentation to validate their responses. For a list of the different types of risk assessments, please refer to the Sample Risk Classification Scheme and Assessment Type document.

Step 3: Assessing the risks  

Assessing the risks means determining its significance to the organization. In other words, how do the vendor's or third-party's controls, processes and procedures impact your organization?
Once the vendor or third-party completes and returns the risk questionnaire(s) along with the supporting documentation, the vendor risk management function should send the risk questionnaire(s) and documentation to the applicable subject-matter experts to review. Depending on the level of criticality involved, the vendor risk management team may decide that the vendor or third-party also undergo an onsite assessment to further validate the vendor's or third-party's responses to the risk questionnaire. When the subject-matter expert completes their assessment, they should provide a risk report to the vendor risk management functions that includes the following information:

-The risks found during the assessment (risk findings)  
-The impact of the risk findings to the business  
-Any recommendations on how the vendor or third-party can mitigate the risk

Within their respective risk reports, the subject-matter experts should also assign risk scores that describes the overall maturity and effectiveness of the controls in place for their respective risk areas. All subject-matter experts should utilize the same risk score scheme (i.e. High, Medium or Low) to ensure consistency.
Once the subject-matter experts have provided their risk reports with their risk scores to the vendor risk management function, the vendor risk management function should create a Risk Summary Report that includes the results of all the assessments performed by the applicable subject-matter experts and the Risk Mitigation Plan. The Risk Mitigation Plan should include the following information below.

-The risk findings  
-The risk classification (i.e. information security, financial, reputation, business continuity, disaster recovery, etc...)  
-The risk score for each risk finding (i.e. High, Medium or Low)  
-Any recommendations to mitigate the risk findings. The completed Risk Summary Report should be provided to the owners of the vendor or third-party relationship as well as to the vendor or third-party.

Step 4: Mitigating the risks  

Mitigating the risks means creating and implementing a plan to minimize their potential to negatively impact the organization.
Once the risks are communicated to the business and the vendor via the Risk Summary Report, the vendor or third-party should complete their portion of the Risk Mitigation Plan. The vendor should respond stating whether they can remediate the risk findings, how and when they plan to remediate them.

If the vendor has already remediated specific risk findings, the vendor should specify in the Risk Mitigation Plan whether the risk has been remediated and when it was remediated. They should also provide sufficient evidence as proof of remediation. Once the vendor or third-party completes the Risk Mitigation Plan and sends it back, it should be approved by at least the vendor or third-party relationship owner and the vendor risk manager.

There exist circumstances where the vendor or third-party cannot remediate specific risk findings for a multitude of reasons. For example, the vendor or third-party may decide that it is not cost-effective or beneficial to remediate certain risks if the majority of their clients do not hold them to the same requirements as your organization. In the event that the vendor or third-party cannot mitigate specific risk findings, the vendor or third-party relationship owners should determine if they are willing to accept the risks via a risk acceptance process. 
The risk acceptance process should include analyzing and documenting the financial and operational impact of the accepted risk(s) to the organization. The risk acceptance process should also include gaining approval from the appropriate parties such as the executive that oversees the vendor or third-party relationship, enterprise and/or operational risk, the executive head of the VRM program and the executive that oversees the department that identified the risk findings (i.e information security, business continuity, etc...).

Step 5: Monitoring the risks  

Monitoring vendor and third-party risks enables organizations to understand key trends in their vendor or third-party risk program. 

The risk monitoring process is one of the most important aspects of the vendor risk management function as it allows them to track and monitor vendor and third-party risks. To implement and maintain the risk monitoring process, the vendor risk management function should utilize the information from the Risk Summary Report and the Risk Mitigation Plan to build a Risk Monitoring Database. The Risk Monitoring Database should include all of the information from the Risk Mitigation Plan. 
In addition to the information from the Risk Mitigation Plan, the Risk Monitoring Database should also indicate whether the risk findings were accepted, remediated or are pending remediation with any respective dates. By implementing a Risk Monitoring Database, the organization can capture important data to create key reports for senior management and governance committees that answer critical questions such as the ones below.

- What are the risk findings and which ones pose the highest risk to the firm? In other words, what are the most critical risks to the organization?  
-For all risk classifications, which ones have been remediated versus accepted?  -How many risk findings are pending remediation or acceptance?  
-Is the organization trending more towards remediation versus acceptance or vice versa?  
-Are vendors remediating critical risks within an acceptable time frame as required by the organization?  
-What is the potential impact of the risk findings, especially the critical risk findings, to the organization?

For organizations that utilize an automated vendor risk management solution, the tool should have in-built features to monitor and track risk findings. Organizations that have access to tools such as Microsoft Access or Excel, both applications allow organizations to build a Risk Monitoring Database and perform data analytics for reporting purposes. 
Ultimately, implementing and maintaining the Risk Monitoring Database allows organizations to identify and to understand positive and negative trends related to their vendor risk management program. As a result, they have the information necessary to make key decisions that impact their program.

Overall, effective vendor risk management programs allow organizations to take a proactive approach to controlling the risks associated with their outsourced relationships. Despite the advantages of outsourcing, organizations must take steps to ensure that an adequate vendor risk assessment process exists to manage those risks or they cannot successfully maximize the value of outsourcing. 
Related Topics:
By remembering that vendor risk assessments are at the heart of vendor risk management, organizations ensure that the products/services provided by their vendors or third-parties align with their strategic objectives for long-term growth and sustainability.

                                                   Catherine Tibaaga
I am a Risk Management professional who has over seven years of experience working for global firms such as Jones Lang LaSalle, E*TRADE Financial, JPMorgan Chase & Co. and Freddie Mac. I have worked in a variety of roles in third-party risk management, procurement and accounting. To provide value to organizations, I conduct and lead risk assessment activities for corporations that seek to outsource their activities to third-party suppliers. 
I also help companies build their vendor, operational, and enterprise risk management programs. Using my expertise in building risk management programs, I work with organizations to ensure that their vendor risk management programs align and comply with regulations (i.e. OCC 2013-29, GLBA and Privacy laws) and industry standards (i.e. ISO 27000 family of standards, PCI and NIST standards). 
My core expertise includes: 
Risk Management: Third-Party Risk, Operational Risk, Enterprise Risk RiskTools: Hiperos, MetricStream, Archer, Agiliance Regulations: OCC, GLBA and Privacy Laws, FRB, FDIC Industry Standards: ISO 31000, ISO 27001, ISO 27002, PCI Compliance, NIST Standards (800-14, 800-37, 800-52), COSO Framework.

Post a Comment

Previous Post Next Post