In our last post we discussed why an organization should have a dedicated vendor risk management program in place. This time we'll examine what that program looks like once it is implemented and the benefits it delivers.
THE PLANNING PHASE
Before you implement a vendor risk management system, the following key elements should be in place.
One of the main problems we discussed, and the reason a vendor risk management program is necessary in the first place, is the lack of communication across an organization and the resulting lack of accountability for, and consistent expectations of, outsourced vendors from one department to the next. It is therefore imperative that all key roles and responsibilities in the program are documented and approved throughout the organization. You must establish an organization-wide policy that spells out the roles and responsibilities of every stakeholder involved: who owns each vendor relationship, who performs assessments, and who accepts residual risk.
The next stage is to identify and classify all third-party vendors. Compile a complete vendor inventory and apply a classification scheme based on the services each vendor provides. The risk criteria for this classification should take into account both the nature of the information shared with the vendor (for example, whether it includes customer or regulated data) and the nature of the operations the vendor performs (for example, whether the service is critical to your own operations or has privileged access to your systems). Whatever criteria you choose, they need to be approved across the outsourcing organization so that every department classifies vendors the same way.
In addition to assigning roles and responsibilities and classifying vendors, the methodology by which vendors are audited should be finalized in the planning phase. Vendors classified as "high-risk" should be audited at least twice a year, including an on-site visit by the outsourcing organization to assess security at the vendor's premises. A vendor classified as "medium-risk" should be audited at least once a year, and "low-risk" vendors can complete self-assessments to conserve resources. Customized checklists should be used during audits so that each vendor is assessed against the controls that matter for the services it provides. Most importantly, audits should be used not only to evaluate and update each vendor's risk rating but also to refresh the information the organization relies on for ongoing monitoring between audits.
BENEFITS OF VENDOR RISK MANAGEMENT
A centralized vendor risk management system should provide the obvious benefit of cost efficiency. Supporting tooling and a risk-based classification scheme let you focus assessment effort where the risk is, rather than treating every vendor the same way. In addition, when there is an organization-wide approach to vendor risk management, there is greater transparency and, ideally, more fiscal accountability.
ONGOING RISK MANAGEMENT
Risk management is not a one-time exercise and should not be limited to periodic audits. True risk management spans the entire life-cycle of the relationship between the outsourcing organization and the vendor, from onboarding through termination. That means increased vigilance and tighter controls over vendors that pose significant risk. In addition, a program that is already in place can accommodate changes in regulatory requirements and internal policies as they arise.
An organization that implements a comprehensive vendor risk management program also gets more value from vendor scorecards, because they are produced by streamlined and standardized processes for ongoing monitoring and oversight. The continuity of the program allows an organization to use standardized key performance indicators (KPIs) and uniform key risk indicators (KRIs) across all vendors.
Once a vendor risk management system is in place, the resources previously spent on handling vendor risk ad hoc can be refocused on identified organizational priorities. A successfully established program also gives an organization the flexibility to take on new initiatives quickly when opportunities arise, because the process for evaluating and onboarding a new vendor already exists.