The new order of things in Vendor Risk Management
The struggle with centralized vendor management has always been staffing. By consolidating the required review steps and practices, an organization could control the program and show any auditor or regulator the discipline and authority it exercised in managing vendor documentation. But it required a lot of manpower when the work was concentrated in the hands of a few.
Now that we are in the midst of a ‘black swan’ event, managing documentation is trivial compared with having engagement with, and line of sight to, the providers who enable your business to function on a weekly, daily and perhaps even hourly basis. We now need the many to be engaged and empowered.
Risk models define a first line and a second line of defense. Vendor management cannot possibly take on both roles at once. The first line of defense, the business owners who actually know and are responsible for the business model, must be engaged. It is probably now apparent that your business may depend on it.
A new focus
A new focus has emerged. Does my vendor have adequate staffing to operate and provide services to our company? How do changes in where the vendor’s staff are located and how they connect to its operations alter our information security risk exposure? How do we need to redefine essential services? Do contracts need revisions? Do we have adequate SLAs and options to exit (as defined for financial institutions in the FFIEC Examination Handbook Appendix J over five years ago)?
How do policies and procedures need to change, both with the vendor and within our organization, to accept a changing risk tolerance? Is anyone concerned about vendor concentration risk now that there are country-wide lockdowns and viral hotspots? How are cybersecurity exposure and vendor resiliency being monitored and validated?
These are the questions that need to be answered, rather than simply whether your vendor has an audit bridge letter for last year’s SOC report. Business owners now have more skin in the game. Vendor management organizations need to concede this and ensure that responsibility for this critical business process is delegated to business owners, instead of defining themselves solely as the central function that placates regulatory requirements. Third-party risk is real, and it is no longer a hobby.