Vendor risk management (VRM) is a big problem. Vendors are cybercriminals’ favorite avenue of attack. 61% of the U.S. organizations experienced data breaches caused by third-party vendors. And these breaches can damage a company’s reputation and stock price.
By Mike Kelly, CEO of ProcessBolt, and Gaurav Gaur, CTO and Co-founder of ProcessBolt
According to a survey conducted by Deloitte, only 1% of firms rate their VRM process as “optimized” and fully up to the task of reducing vendor risk.
So, what is the path to optimizing such an important business process?
An important first effort is standardization — creating uniform methods for completing VRM tasks. Then these standard methods are automated by integrating them into VRM software. This saves time, enabling the information security team to identify and remediate vendor risks.
But over-use of standardization can hinder VRM optimization. This is where customization plays a critical role.
VRM customization accommodates higher complexity. It allows companies to support process variations that increase complexity but reduce vendor risk exposure.
Does your VRM software facilitate customization?
If not, you have a substantial VRM optimization opportunity.
Standardization
The path to VRM optimization begins with identifying repetitive manual tasks that can be standardized. Standardization emphasizes simplicity and efficiency. There are hundreds of specific VRM tasks that can be streamlined.
Cloud-based survey capability is a great example of a VRM process to simplify. Spreadsheet uploading errors, such as duplications or missing data, are greatly reduced. This leads to improved decision-making and vast savings in administrative time and effort.
Customization
As companies strive to automate, they can err on the side of too much standardization. They eliminate important nuances and complexities which sub-optimizes VRM effectiveness.
Customization lets you take the best parts of standardized formats like NIST (National Institute of Standards and Technology) or a SIG questionnaire (Standardized Information Gathering) but you then add other important questions. For example, maybe you should ask questions about regulatory compliance that are unique to your industry or your firm. Maybe you need GDPR-related (General Data Protection Regulation) questions if you do business in Europe. Other questions may be needed to explore CCPA compliance (California Consumer Privacy Act). Or, companies increasingly have ESG (Environment, Social, and Governance) issues that call for very specific compliance questions.
The solution is to strike the right balance between standardization and customization:
- Standardize task variations that do not affect VRM effectiveness.
- Customize your software solution to accommodate task variations that improve VRM effectiveness.
Striking the Right Balance
The VRM process can be summarized as flowing through five steps. Each affords opportunities to improve efficiency through standardization and effectiveness through customization. Here’s an abbreviated checklist of typical opportunities within each of the five VRM process steps.
VRM Step 1: Inventory Vendors and Inherent Risks, Track Contract Performance
Standardize
- Use ERP feeds to populate vendor lists, business units served, responsible parties, contact information, vendor contract specifics, etc.
- Prepare missing information reports, distribute them to responsible parties.
- Crosscheck vendors against excluded persons and vendors’ databases.
- Catalog risk assessment policies (e.g., inherent risks associated with each type and level of information access, integration of risk management with RFP/RFQ process).
- Track measures per vendor
Customize
- Facilitate custom missing information memos.
- Accommodate multiple methods for missing information submission.
- Enable multiple sets of risk assessment policies, inherent risk assignments and weightings, and vendor performance measures per business unit, contract size, partnership status, etc.
VRM Step 2: Plan Vendor Assessments
Standardize
- Maintain inventory of prior assessment surveys, facilitate the creation of new surveys, track completion.
- Propose vendors to survey based on the inherent risk profile.
- Create a standard risk management calendar/schedule per vendor, prompt responsible parties, and track progress.
Customize
- Facilitate the creation of new surveys, like initial assessment, quarterly check-up, specific new threat questionnaires, etc.
- Vary criteria for selecting vendors to be surveyed based on business unit, contract type, risk profile, strategic importance, etc.
VRM Step 3 Design and Distribute Surveys, Assess Vendor Risk
Standardize
- Solicit vendor participation in the survey, monitor for completion, thank the vendor for completion, and populate the database.
- Score surveys, flag key risk factors, record adjustments and notes.
Customize
- Tag assessment questions for each survey by business unit, vendor type, security framework, etc.
- Set different standards for designating a survey as “complete” based on vendor’s or project’s strategic importance.
- Score surveys relative to unique policies set in step 1.
VRM Step 4: Generate Assessment Reports, Initiate Remediation
Standardize
- Update the VRM dashboard and reports.
- Track new VRM tasks per vendor on the master calendar, track updates, notify responsible parties.
Customize
- Tailor VRM dashboards and drilldowns based on audience preferences and requirements.
- Customize answer flagging per business unit, contract type, etc.
VRM Step 5: Manage Emerging Threats
Standardize
- Update vendor risk profile with continuous monitoring data feeds.
- Flag threats, notify responsible parties, record new tasks, assignments, and progress.
Customize
- Facilitate unique continuous monitoring data feeds per type of inherent risk, vendor, business unit, etc.
- Test alternative risk assessment algorithms.
GRC Overreach
A common complaint about GRC (Governance Risk Management & Compliance) solutions is that they go too far with VRM standardization, sacrificing customization for standardization. The result, sacrificing VRM effectiveness and risk reduction.
These solutions emphasize standardization because they deal with the whole enterprise’s internal cybersecurity. Then VRM is added along with other services such as disaster recovery and regulatory compliance to create a total business risk management solution. So, even without customization, GRC systems are highly complex. Adding customization is unthinkable … a bridge too far.
The Better Solution
Just because you have a GRC solution does not mean you need to rely on it exclusively for VRM. A customized VRM solution can automatically feed your GRC platform with primary outputs such as:
- Inherent risk profiles and vendor assessment scores
- Red flags for late vendor surveys, new potential risks
- Central risk management dashboard inputs
By integrating a customized VRM solution with GRC, you can have the best of both worlds: a fine-tuned VRM solution and enterprise-wide integration with risk management.
About the Authors
Mike Kelly is the CEO of ProcessBolt, Inc., a Saas company that automates regulatory compliance and third-party risk assessments both for companies issuing assessments and those responding to assessments. Before joining ProcessBolt, Kelly led and ultimately grew and sold several software and analytics businesses in a variety of industries from healthcare to business and legal services.
Gaurav Gaur is the CTO and Co-founder of ProcessBolt. He has an extensive background in cybersecurity, vendor management, and software engineering. Before starting ProcessBolt, Gaur was the VP of Software Development at NetSPI Inc., a cybersecurity-focused software and consulting firm.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
