In a post-pandemic world where business activities of all varieties have been thrust online – companies of various sizes are assuming more risk than ever. From small Mom and Pop’s shops to law firms to Fortune 500 companies, any activity done in a virtual setting has the potential to open a digital door to a cyberattack. This is true not only within your own organization but any other company that provides you with products or services. The risk you face from interacting online with manufacturers, suppliers, contractors, payment services, and other “vendors” is very real and needs to be identified, tracked, and mitigated continuously by your organization. This process is called Vendor Risk Management (VRM) or Third-Party Risk Management (TPRM) and is now a mission-critical topic for any organization looking to protect themselves from a breach or even possible litigation should they expose their client’s to potential risk as well.
Globalization demands TPRM
As the digital landscape expands rapidly, regulations are getting tighter and many companies now face increasing requirements or certifications to prove they are doing their due diligence in protecting the organizations they do virtual business with. Also, stakeholders, boards, and executives alike are closely scrutinizing risk and demanding more accountability from IT, Project Managers, and Department Heads as breaches are happening more frequently. The problem is that many people in these positions don’t have the time or resources to address these growing concerns. Add to this that it is incredibly hard to measure the risk your vendors are exposing you to and even more complex to track this through traditional means and TPRM becomes a monumental task. But guess what? The difficulty of this task is irrelevant – in a world suddenly siloed into digital interactions for nearly everything it is necessary and should not be taken lightly. The reality of conducting business online in a global world should probably be sinking in for you right about now and that a TPRM program is the only way forward.
The new norm: A robust risk management platform
If Covid has taught organizations anything, it is that the world of business can change without warning. As more people are working from home and will continue to do so, assessing your vendors for risk has become impossible to divorce from the survival of your business. When considering your Third-Party Risk Management strategy, one must understand that it’s not just a one-time or even monthly project, it is a continuous program of monitoring and assessing every organization you work with. The assumption must be that most of your vendors are risky, most of the time – not the other way around. The truth is that many companies do not have fully developed risk management programs if any at all. Another stark reality is every one of your vendors that has employees working from home now poses a significant risk to your organization.
Choosing a VRM program that works for you
At the end of the day, companies face a choice whether to DIY a third-party risk management program in-house or implement an outside solution. In deciding what to do, every company must first figure out what is most important to them: time, money, security, peace of mind – the choice is yours. TPRM (done right) is expensive and time-consuming when taken on with or without an industry partner. It demands constant cultivation and verification, which, when done solo, easily requires a full-time, highly-skilled employee dedicated to the cause. This is often hard to find and humans are notoriously failable, leaving your organization exposed. So, while it is true you can do your entire TPRM program using an IT manager up to his eyeballs in spreadsheets and emails, vendor risk management platforms are designed to do the work for you. They take the hassle, wasted hours, and even some of the risk of human error out of the equation – which is huge. The partner you choose should have a robust, cost and time-efficient interface that streamlines the process of managing vendors, reaching out to vendors, and verifying that the answers provided were true. Everything a VRM company does should be about putting hours back into the days of those you employ, aiding you in regulatory compliance, and (most importantly) reducing your organization’s risk of becoming a victim of a data breach or hack.
Who you choose as a VRM partner matters – like, a lot
As scrutiny from high-levels in organizations grows almost directly proportional to increased risk, the Third-Party Risk Management industry is poised to explode – ostensibly in the next 24 – 36 months but most assuredly well beyond. This means the market will be flooded with VRM companies rushing to meet an exponentially growing need for increased vendor monitoring. The problem businesses like yours and others will face is not finding a TPRM company you can work with, but rather, one you want to work with. Nearly all existing VRM companies automate at least some part of the vendor risk management process whether that’s vendor entry scoring, assessment creation, or distribution. So, when looking for the right VRM company to partner with, one could make a case that it is the little things that count.
First and foremost, is their platform attractive and easy to use? Because, if it is not, your employees likely won’t use it as extensively as they should.
Does the third-party risk company offer customization and outreach adapted to your developing needs? This is critical in a landscape where change is the only constant. What you need today may not look anything like what you will want tomorrow and you want a TPRM company that will find solutions to relentless change.
Do you think you will like working with them? This last question really comes down to the intangible human aspect. Look, no one has ever accused a Vendor Risk Manager of being the life of any party but interactions with them certainly don’t need to be boring. Finding a TPRM company with a little personality will go a long way as your working relationship with them develops. All things being equal, find a firm that has knowledgeable employees you enjoy conversing with.
Covid 19 did a lot to reveal weaknesses in systems across the board. Cybersecurity, for most organizations, was one of them. Regardless of what type of Third-Party Risk Management program you have or do not have – the time has come to review your online vulnerabilities and start planning for a future in which more and more data breaches from remote work will occur. This may involve hiring a VRM firm or focusing on adding in more robust internal risk processes. Either way, the best time to shore up your cybersecurity risks was yesterday – making today your next best option.