With 2020 behind us, now is a great opportunity to identify some of the vendor risk management challenges we faced and to identify some best practices to follow in 2021.
Last year, largely due to the COVID-19 pandemic, risk management professionals took a good, hard look at their organization’s practices with regard to vendor and third-party risk. 2020 was a wake-up call for those who haven’t gotten around to establishing third-party risk management programs. Now more than ever, your organization needs to make sure that risks brought on by the use of vendors and other third parties are identified, assessed and managed properly. Here are some challenges (and related best practices for 2021) that were brought to the forefront in 2020:
1. Blurred Lines Between “Risk” and “Criticality” – While similar, these two terms are not the same. Not all of your vendors present the same level of criticality to your organization. Just the same, not all of your vendors present the same level of risk. If a vendor is high-risk (let’s say, because they have access to a vast amount of your customers’ non-public information/NPI), that doesn’t necessarily mean that your operations would come grinding to a halt if something happened to that vendor (i.e. they might be risky, but they don’t directly support one of your critical business functions).
- 2021 Best Practice: Organizations often assume that high-risk vendors are the same as critical vendors. These are two separate concepts. Heading into 2021, take a second look at how you assess and segment your vendors (both initially and on an ongoing basis). With regard to criticality, make sure you coordinate with your Enterprise Risk or Business Continuity teams to define your organization’s business-critical functions (then determine whether any of your vendors directly support those functions). With regard to risk, make sure you are asking the right questions of your business units (internally) to determine which categories of risk your vendors may be exposing you to (e.g. information security, financial, compliance, operational, etc.).
2. Lack of Proper Business Continuity/Contingency Plans – 2020 put business continuity and contingency planning front and center. The COVID-19 pandemic forced companies of all sizes to (in some cases, overnight) change the way they conduct business. The best example of this is the massive shift from in-office work to a work-from-home environment that occurred this year. While this fundamental shift in the way we work likely impacted your organization, your vendors were likely no different. If you didn’t have plans or assurances in place to maintain business resiliency when the pandemic hit, 2020 was probably a wake-up call.
- 2021 Best Practice: To reiterate the first point made above, make sure you are able to identify all your vendors that are fundamental to your critical operational activities. Without these vendors, your organization could not function. Then, ensure you have a formal process to manage business continuity on an ongoing basis (not only in response to a major event like COVID-19).
3. Reliance on Due Diligence Questionnaires – Due diligence questionnaires have long been the staple of vendor risk management programs. These are often lengthy forms/assessments, completed by vendors and assessed by your organization. While not specifically a challenge unique to 2020, due diligence questionnaires often cause a serious bottleneck in the process of onboarding a new vendor and are time/resource intensive when being used during the ongoing vendor monitoring process. Organizations scrambled in 2020 in response to the pandemic and in some cases sent even more questionnaires to their vendors to ensure all risks were assessed. This obviously causes vendor fatigue and relies on your organization having the appropriate time/resources to effectively assess all questionnaire responses.
- 2021 Best Practice: While due diligence questionnaires certainly won’t go away (they do give you valuable insight into a vendor’s operations and security posture), consider supplementing them with business and data intelligence tools. Rather than relying on a periodic (let’s say once per year) questionnaire response from your vendor, these tools give you actual, real-time information on the risks you are most concerned with.
4. Not Enough Focus on 4th Parties – It’s hard enough sometimes for organizations just to get a handle on all of their third-party vendors. But what about your vendors’ vendors? Fourth-party risk is becoming a topic of increasing importance to a number of regulators (as an example, see how the OCC updated its FAQs on third-party risk to include more guidance on fourth parties), and the trend is only expected to continue.
- 2021 Best Practice: If you haven’t done so already, make sure you have an accurate listing/inventory of your third-party vendors (consider performing vendor inventory validations by comparing your vendor list to an AP report, or by asking Business Units to verify that your vendor list looks complete). From there, focus on your most critical vendors and document which vendors they use to support the product/service they are providing you (i.e. your fourth parties). Then assess whether or not your vendors have policies and procedures in place to manage their own vendors. If not, that responsibility will fall on you. Check out this article for a number of best practices on fourth-party risk management.
As 2020 ends and 2021 begins, our vendor risk management specialists are here and ready to help your organization manage your third-party vendor relationships with total confidence. Whether it’s updating a risk assessment form, creating a plan to mature your existing vendor risk management program, or anything in between… we are here if you need us.
Author: Josh Angert
Job Title: Consulting Manager
Organization: Vendor Centric