Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Organizations are porous: the modern organization is not defined by brick and mortar walls but is a complex web of business relationships. These relationships span vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, and intermediaries. The web grows even more complex as relationships nest in layers of subcontractors and supply chains. Approximately half of a typical organization’s “insiders” are no longer employees but third party relationships.

The issues organizations face in managing vendor and third party risk are growing. They range from anti-bribery and corruption compliance (e.g., UK Bribery Act, US FCPA, OECD Anti-Bribery Convention) to human rights and slavery (e.g., US conflict minerals rules, EU conflict minerals rules, UK Modern Slavery Act, California’s Transparency in Supply Chains Act), environmental, health and safety, physical security, business continuity, and more.

One of the fastest growing challenges, however, is information/cybersecurity across third party relationships, particularly vendor relationships. A significant share of breaches originate in a third party vendor relationship, and it is not only IT vendors that put organizations at risk. The Target breach of a few years ago began with a heating and air conditioning (HVAC) vendor: attackers compromised the vendor and used its connection to Target’s network to get inside. The lesson for security teams is that any third party holding network access or credentials, whatever service it provides, is part of the attack surface and must be inventoried, restricted to the access it actually needs, and monitored. With the Internet of Things (IoT) upon us, addressing information security in and across third party relationships has become critical.

I am doing a series of educational webinars on this specific topic over the next three weeks. These are as follows:

Here is my specific advice on how to go about purchasing solutions for vendor and third party risk management:

Additionally, here are some of my research papers that I have published on this topic:

Increasing Exposure of Third Party Risks 

The Modern Organization is an Interconnected Mess of Relationships

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

The challenge: Can you attest to the governance, risk management, and compliance of third parties across your organization’s business relationships?

Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to intricate risk and compliance exposures that are never aggregated and evaluated in the context of the organization’s goals, objectives, and performance expectations for the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship (or others) the result can be significant. Organizations often lack an integrated and thorough understanding of how the performance, risk management, and compliance of third parties interconnect.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, and consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight, breeding an anarchic approach in which nobody has end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails, it is easy for things to get overlooked and buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult, if not impossible, to get a comprehensive, accurate, current-state analysis of a third party without a tremendous amount of staff time spent consolidating, analyzing, and reporting information. When things go wrong there is no robust audit trail of who did what, when, how, and why; records are non-existent or easily altered and covered up.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties, the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through initial due diligence are often analyzed only during on-boarding to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome amid constantly changing regulations, risks, processes, relationships, employees, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third party relationships. Just as the organization itself is changing, each of its third parties is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, it cannot be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach results in poor visibility across the organization because there is no framework or architecture for managing third party risk and compliance in an integrated way. It is time for organizations to step back and define a cross-functional strategy to govern risk in third party relationships, supported and automated with information and technology.


Additional resources on Third Party Management

Research Briefings

Upcoming Webinars

Written Research

Enabling 360° Insight & Control of Third Party Relationships    

The Extended Enterprise Demands Attention

The Modern Organization is an Interconnected Mess of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.[1]

Substitute ‘man’ with ‘organization’ and seventeenth-century English poet John Donne could be describing the post-modern twenty-first century organization: “No organization is an island unto itself, every organization is a piece of the broader whole.”

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations now struggle to adequately govern third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

  • The challenge: Can you attest to the governance, risk management, and compliance across the organization’s third party business relationships?
  • Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of the third party relationship. Silos leave the organization blind to the intricate relationships among risk and compliance exposures, which are never aggregated and evaluated in the context of the value of each relationship and the organization’s goals, objectives, and performance.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others still require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible.  The organization’s risk exposure across third party relationships is growing increasingly interconnected.  An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. The organization lacks an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, and consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight, breeding an anarchic approach in which nobody has end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails, it is easy for things to get overlooked and buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult, if not impossible, to get a comprehensive, accurate, current-state analysis of a third party without a tremendous amount of staff time spent consolidating, analyzing, and reporting information. When things go wrong there is no robust audit trail of who did what, when, how, and why; records are non-existent or easily altered and covered up.
  • Scattered and non-integrated technologies. When different parts of the organization use different solutions and processes for on-boarding and managing third parties, monitoring third party risk and compliance, and managing relationships, the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through initial due diligence are often analyzed only during on-boarding to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the relationship and that due diligence needs to be conducted on a periodic or continual basis.
  • Inadequate processes to monitor changing dynamics. Organizations are in a constant state of flux. Governing third party relationships is cumbersome amid constantly changing regulations, risks, processes, relationships, employees, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third party relationships. Just as the organization itself is changing, each of its third parties is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Often, metrics through service level agreements (SLAs) and established key performance indicators (KPIs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

When the organization approaches third party management in scattered silos that do not collaborate with each other, it cannot be intelligent about third party performance, risk management, compliance, and impact on the organization. Without a coordinated third party management strategy, the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization never considers how processes could be designed to meet a range of third party needs. An ad hoc approach results in poor visibility across the organization because there is no framework or architecture for managing third party risk and compliance in an integrated way.

The bottom line: A haphazard, Wild West approach to third party management compounds the problem rather than solving it. It is time for organizations to step back and define a cross-functional, coordinated strategy and team to define and govern third party relationships. Organizations often need to wipe the slate clean and approach third party management by design, with an integrated process, information, and technology architecture that manages the ecosystem of third party relationships using real-time information about performance, risk, and compliance and their impact on the organization’s ability to reliably achieve its objectives.

Consider registering for one of these upcoming webinars on Third Party Management that GRC 20/20 is speaking on:

If you are looking for Third Party Management solutions to more effectively manage third party risk and compliance (e.g., vendor, supplier), check out the following Research Briefing (available on demand):

[1] John Donne, Devotions upon Emergent Occasions (1624), Meditation XVII.

Manage Third Party Risk Exposure in an Interconnected World

Realize that everything connects to everything else.
Leonardo da Vinci

The world is flat, risk is pervasive, and organizations have no boundaries. We operate in a global and interconnected world. Organizations are no longer defined by brick and mortar walls nor by employees. The term insider used to be a synonym for employee. Today, more than half of insiders in many organizations are not employees. Organizations are a complex web of vendors, suppliers, contractors, consultants, temporary workers, service providers, outsourcers, brokers, dealers, intermediaries and agents.

In this interconnected world, governance, risk management, and compliance (GRC) can no longer be defined by traditional organizational boundaries, because those boundaries no longer exist. The organization must look holistically at the web of relationships that form it and that nest in deep supply chains and subcontractor relationships. Third party risk is the organization’s risk. Their issues are your issues. Their compliance and ethics problems are your problems.

Consider the wit of Douglas Adams in this context . . .

The connections between causes and effects are often much more subtle and complex than we with our rough and ready understanding of the physical world might naturally suppose . . . Let me give you an example. If you go to an acupuncturist with a toothache, he sticks a needle instead into your thigh. Do you know why he does that . . .?
― Douglas Adams, Dirk Gently’s Holistic Detective Agency

The exposure organizations face from third party relationships is significant. These include:

  • Bribery, Corruption & Fraud
  • Business Continuity
  • Contractual
  • Financial
  • Environmental
  • Ethical
  • Geo-Political
  • Health & Safety
  • Human Rights, Trafficking & Slavery
  • Import/Export & Customs
  • Labor Standards
  • Legal
  • Privacy
  • Operational
  • Regulatory Compliance
  • Reputational
  • Sanctions
  • Security
  • Strategic
  • Sourcing

Third party regulation and legislation has been particularly active over the past few years. Consider a fraction of what is happening:

  • Bribery & Corruption. We have seen expanded and increased enforcement of the US FCPA, with a focus on effective compliance. The UK Bribery Act has been in place for a few years with enforcement happening. There also is expanding regulation globally on bribery and corruption.
  • Conflict Minerals. As part of the Dodd Frank Act, thousands of companies have gone through two years of compliance with conflict mineral requirements and reporting. US publicly traded companies have to trace tin, tantalum, tungsten, and gold to see if they come from the Democratic Republic of the Congo or nine surrounding countries known for crimes against humanity and report on this.
  • FTC Power to Sue in Data Breach. This past August the U.S. Court of Appeals for the Third Circuit affirmed in FTC v Wyndham the FTC powers to sue organizations in the event of a data breach. Given over half of insiders in many organizations are third parties and the variety of breaches that involved a third party, this is going to cause increased scrutiny and attention in third party risk management.
  • OCC Regulations of Third Party Risk Management. The OCC has significantly expanded vendor risk management requirements in financial services over the past several years, making this a board level issue. Besides a legion of banks asking me questions, I am getting regular inquiries for third party relationships of banks that are responding to the greater scrutiny of the banks they do business with.
  • PCI DSS. Version 3 of PCI DSS expanded the requirements on IT vendor risk assessments and on the contractual obligations of service providers for anyone who accepts major credit cards. I fully expect this to expand further in the next version after the Target incident, which exposed millions of payment cards and in which the doorway into the breach was a heating and air-conditioning vendor with a connection to the Target network. Attackers breached this vendor, used its access to get into Target’s IT systems, and compromised point of sale systems across Target. For security teams the point generalizes: a vendor’s access path into your environment is an attack path and needs the same scrutiny, segmentation, and monitoring as any other.
  • U.K. Modern Slavery Act. This really surprises me, as I am not seeing organizations reacting to it. This past October the Modern Slavery Act went into effect, and it impacts a wide range of organizations. Basically, if you supply goods or services, have any connection into the United Kingdom (such as a single employee), and have £36 million or more in revenue regardless of the size of your UK operations, you need to prepare an annual slavery and human trafficking statement detailing the steps you are taking to prevent slavery and human trafficking throughout your business and third party relationships, down into the depths of your supply chains. The guidance on the statement asks organizations to describe:
    • Organization structure, operations, and map of supply chains
    • Policies and procedures related to slavery and human trafficking
    • Due diligence processes to prevent slavery and human trafficking
    • Risk assessment of the organization and suppliers where there is risk of slavery and human trafficking
    • Key performance indicators that the organization uses to benchmark effectiveness in preventing slavery and human trafficking
    • Training conducted with employees and third parties/suppliers in context of anti-slavery and human trafficking

These risks are complex and interconnected among themselves. Third party risk cannot be managed in isolated and disconnected silos; it requires an integrated process of third party governance, risk management, and compliance throughout the lifecycle of third party relationships. However, many organizations manage third party risk in an ad hoc, siloed manner, with different departments doing things in different, disconnected, and redundant ways. These processes are usually inefficient and costly because they consume a significant amount of time, and the cost compounds as the number of third party relationships grows.

An integrated and effective third party management process enables the organization to consistently manage the lifecycle of third party relationships across:

  1. On-boarding. Standardize and automate the identification of third parties to work with and their movement through registration and on-boarding, collecting required third party information and conducting due diligence appropriate to the nature of the relationship. This includes third party:
    • Identification
    • Qualification
    • Contracting
    • On-boarding
  2. Ongoing communication processes. The organization manages the ongoing periodic tasks of communications, attestations and interactions with third parties. This includes cyclical and event driven interactions with each third party on:
    • Policies
    • Training
    • Attestation
    • Self-assessments/questionnaires
    • Reporting
  3. Monitoring processes. Enable the management and automation of the array of processes to continuously monitor third party relationships over their lifecycle in the organization. This includes third party:
    • Performance monitoring
    • Risk monitoring
    • Compliance monitoring
    • Ongoing due diligence monitoring
    • Issue reporting & resolution
    • Audit & inspections
  4. Forms & approvals. Manage the development and automation of internal processes to collect and report information and route things for approval in context of third party relationships. This includes:
    • New vendor/supplier request
    • Gifts, hospitality & entertainment
    • Political & charitable contributions
    • Facilitation payments
  5. Metrics & reporting. Through a solid information architecture and reporting engine, the organization brings together the data elements of the entire lifecycle to provide end-to-end reporting and metrics on third party relationships at the relationship level, risk area, or in aggregate.
  6. Renewal or Off-boarding. Using the detailed history of interactions, issues, performance, non-conformance, and evolving risk scenarios, the organization manages the processes to evaluate, maintain, and renew third party relationships. All good things must come to an end: the third party management lifecycle concludes with the tasks and details that many organizations neglect or forget when off-boarding relationships that are no longer needed, including revoking the access and credentials the third party was granted.

To accomplish an integrated third party management process requires that the organization formulate an overall third party management strategy and process that spans roles and functions involved. This is supported by an integrated and consistent third party information and technology architecture to provide a holistic system of record and accountability across internal functions and third parties.

However, the market offers organizations a maze of solutions. GRC 20/20 currently tracks and monitors over 130 third party management technology solutions and over 50 third party information/content offerings. Some are broad and meant to support a holistic, integrated third party management program, while others are very function and issue specific. Navigating the maze of offerings and selecting the right elements to build a third party information and technology architecture is not a trivial task. GRC 20/20 is here to help organizations understand the range of solutions available and select the right solution(s) for each organization’s specific third party management strategy and process, whether that is an integrated third party management strategy as proposed here or one for a specific function or issue. Organizations looking for third party management solutions and intelligence can get objective insight through:
