Vendor risk management (VRM) is getting increasing attention at almost every company because the dependencies on third parties need to be better scrutinized. Not surprisingly, VRM programs typically focus, often exclusively, on data security. However, VRM is integral to other aspects of supply chain resilience, including privacy compliance, financial viability, ESG and sustainability practices, sanctions compliance, brand threats (e.g., labor practices), vendor concentration, geopolitical risk, shipping delays owing to extreme weather and inaccessible routes and ports, and dislocations attributable to n-tier dependencies.
Here are some considerations for operationalizing an effective, broad-based VRM program.
Building the Case. C-level executives from across a company have a stake in VRM. The 2013 breach at Target Corporation popularized the notion that a company’s data security is only as strong as its weakest link, and insecure vendors remain a major source of data breaches today. Vendors can hold and process sensitive data, so VRM is essential for compliance with privacy regulations as well. CFOs, internal auditors, and enterprise risk managers are attentive to technology controls in an increasingly interconnected business ecosystem. Procurement and supply chain professionals have a natural bias for reliable, secure and compliant vendors. Chief marketing officers and CEOs care about brand reputation and adherence to ESG and sustainability practices. Legal and Compliance are responsible for ensuring that the company, and its vendors, comply with trade and related sanctions. VRM programs are key elements of IT control frameworks such as NIST and ISO, and are required to become SOC 2 compliant.
These constituents establish program governance with board-level support that is geared toward continuous improvement and is independent of the businesses they support.
Vendor Identification and Classification. Vendor records must be gathered and analyzed. Legal departments strive to be repositories for all vendor contracts, but documents often reside uncatalogued in the businesses, or they can be expired or missing. Scanning tools are needed to capture the increasing reliance on unsanctioned, cloud-based (SaaS) vendors, a consequence of ‘shadow IT.’
Vendors should be classified into tiers based on various considerations so that the most critical get disproportionate attention. For example, tier 1 vendors deserve more scrutiny than others as they typically have a network connection and/or hold a company’s sensitive information.
Vendor Optimization. Once the vendor community is defined, opportunities emerge to steer more business to fewer, better qualified providers that adhere to more rigorous levels of service at lower cost.
Staging the Implementation. VRM is a marathon, not a sprint. It is advisable to implement a program in stages, and build on quick wins rather than risk failure by starting with overly ambitious goals. Start with a focus on a single business unit or geographic area, and limit your near-term mission to a single risk such as data security before adding others such as financial or brand risk, and concentrate on your tier 1 vendors before expanding to the entire vendor community.
Rules of Engagement. Every vendor is unique, so engaging any of them requires preparation, open lines of communication, and contextual awareness. The VRM program leader determines the vendor's inherent risk and, after accounting for mitigating factors, its residual risk, and provides that context to the vendor’s business relationship owner and Procurement, who weigh the risks of engagement relative to alternative providers. There are no risk-free vendors.
Tools of the Trade. Tools that enable companies to manage the considerable work at scale include (i) platforms that automate assessment and related workflows, score risk, and create reports, and (ii) selected data feeds that refine the risk scoring process.
Gathering timely, accurate data from relevant parties, for activities as varied as privacy, ESG and data security, can feel like an exercise in herding cats. Platforms provide templates that can be tailored to solicit the exact data needed for each assessment. Workflow automation reduces the time needed to collaborate with all responsible parties involved in the vetting and monitoring process, and creates an audit trail. Leading platforms also provide guidance on regulatory requirements and include contract management functionality.
Cyber risk ratings services have become a popular, supplemental assessment tool. They measure all the externally visible risk factors that indicate vulnerability to a data breach, conveyed in an easy-to-follow, numerical or letter grade rating. While not a comprehensive assessment, ratings offer a scalable, cost-effective and, most important, continuous perspective on a vendor’s security posture, promoting interaction between customer and vendor when compromising issues arise. Ratings have ushered in an era of cyber transparency that is influencing B2B market share and can become benchmarks in service level agreements.
With prospects for a global recession mounting, companies should systematically assess the financial viability of their vendors. Access to historical financial statements is only a start. The goal is to develop projections that model future default risk, and there are innovative new firms that fill this need.
ESG and sustainability programs are increasingly popular but the components vary widely from company to company. Standards such as those provided by GRI and SASB make it feasible to score programs to make relative comparisons. In addition, there are firms that provide independent assessments to help measure and compare company performances.
Data sources also exist for risks beyond data security, financial risk and ESG.
Conclusion. Too many companies still spend more time scrutinizing employees and job candidates than they do the firms that perform work for them on an outsourced basis or provide vital products and services. VRM programs create essential transparency and trust in an interconnected world.
Craig Callé is CEO of Source Callé LLC, a consulting firm focused on data security, GRC, vendor risk, ESG and privacy. He is a former CFO of Amazon’s Digital Media and Books businesses and other companies, and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.