Hands building tower with wooden blocks showing how companies should carry out effective vendor risk management
The Secret Ingredient for Effective Vendor Risk Management by Marc Lotti, Partner at ACA Aponix

The Secret Ingredient for Effective Vendor Risk Management

Just a few years ago, companies ran their own payroll, benefits, recruiting, marketing and mainframe departments. But times have changed. In the current platform economy, almost every aspect of a company’s operations can be outsourced efficiently. The result is that companies interact with countless vendors daily.

But this change is a double-edged sword – while it increases efficiency, it also significantly increases danger from cybercrime. Companies now face an unprecedented level of vendor risk.

Today cybercrime is everywhere, impacting businesses and individuals across the globe. High-profile data breaches stemming from security lapses at the vendor have proven that a vendor’s cyber risk becomes the client’s cyber risk. Businesses today must establish an effective vendor risk management program to protect their business, clients and employees.

Yet things are not always that straightforward. Conducting a vendor risk assessment efficiently and cost-effectively in-house is anything but simple. And relying on yet another vendor – a software as a service (SaaS) provider specifically designed for third-party vendor risk management – is often insufficient.

The woes of in-house vendor diligence

Companies that recognize the need to conduct vendor due diligence often first attempt to do so in-house. They set aside time, people hours, and funds to get the job done. In the end, however, they find themselves beyond frustrated.

  1. Time-consuming work – An annual due diligence review of a single vendor can take 12 hours or more, depending on the depth of the review and type of service the vendor provides. To obtain a truly accurate and contextual profile of risk, a review must consider not just the vendor, but its service sector and the service itself. There is no shortcutting any part of this process; a thorough and accurate review is essential for identifying the risks unique to the relationship between a company and its vendor.
  2. People hours and staff commitment – As if this weren’t burdensome enough, the drain on manpower is significant. Staff are taken away from their normal duties to perform work that is not in their realm of expertise – their time and expertise could be better used elsewhere. Due diligence documents must be scoured for adequate scope and control, not to mention the follow-up on missing answers and requests for clarification – all of which are a tremendous drag on productivity.
  3. Increasing vendor burden – At the same time, the vendors themselves may be overwhelmed by all the requests they receive. Imagine the time and resources required to answer a vast variety of questions from possibly thousands of clients. Doing so can draw their attention away from providing services at the quality and vigilance their clients deserve.

Considering all of this, it’s no wonder the third-party vendor risk assessment process is rife with inefficiencies, frustration and, most importantly, missed risk indicators.

Why software alone is not good enough

Some companies believe this problem can be solved by a SaaS-based vendor risk assessment solution. After all, shouldn’t technology eliminate the frustration of manual diligence? Shouldn’t it speed up the process?

Simply put, these solutions cannot capture the full range of vendor risks present. Essentially, these solutions amount to an automated series of questions, sometimes with default risk categorizations, but not much more. They don’t provide the critical thinking required to “peel the onion” and perform a deep-dive analysis of vendor responses.

And on the vendor side, these solutions provide no relief at all. Vendors still need to answer the same questions, again and again, from client after client. They’re still distracted from providing their core services. They’re still tempted to provide glossed-over responses that hardly benefit the process in the long run.

Deploying a people-centric vendor risk clearinghouse

The idea of creating a holistic vendor risk strategy may seem daunting, but it can be done easily and with minimal budget spend when a company taps into the expertise of a dedicated team of information security risk analysts to administer smart due diligence questionnaires (DDQs) to all vendors, acting as the clearinghouse on behalf of both parties. This is not a one-size fits all process. A human-led DDQ process is highly tailored and customizable as it takes human interaction to capture the full range of vendor risks present.

Why are people so integral to the vendor risk assessment process? Asking a vendor to give up valuable information about itself puts it in a vulnerable position. Information security risk consultants act as a clearinghouse, applying a level of intuition and personal relationships to assess the vendor’s risk – also leveraging their industry knowledge of specific services. For example, an organization’s relationship with its 401(k) provider will be quite different than its relationship with its accounting provider.

The right solution to manage vendor risk

Gone are the days when companies handled all their operations in-house. In this complicated business world, using trusted vendors is essential. But with increased efficiency comes increased risk – assessing the security of those vendors is essential.

Doing that entirely in-house is inefficient, costly and ineffective. Solely relying on software as a solution doesn’t do the trick either.

The key is a human-centered approach that combines experienced diligence professionals powered by a vendor management clearinghouse system. Using that approach gives companies the true secret to effectively managing third-party vendor risk.