As we have discussed in previous blogs, the focus on vendor relationships, and on the risks and responsibilities associated with them, is evolving rapidly. At its birth, vendor management was nearly synonymous with cost management. This perspective was not only narrow-minded but also destructive, as organizations neglected to draw out the value their vendors could have provided.
Have you decided which vendor risk keeps you up at night yet? According to the results of a survey conducted during our webinar, 41% of our viewers were most concerned about their vendors falling victim to a data breach.
Data breaches have certainly drawn more and more attention towards vendor management over the past five years or so, and for good reason. Results from a recent Ernst & Young study highlight that 30% of surveyed organizations have experienced a breach caused by a third party within the past two years.
In response, regulators are attempting to ensure that organizations have the tools (such as the SOC for Cybersecurity) to deal with this, as well as the means to proactively mitigate vendor risks. However, data breaches are only one of many areas in which vendors present risk to an organization. We list some of the others below.
- Strategic Risk – risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with stated strategic goals.
- Reputation Risk – risk arising from negative public opinion. It stems from third-party relationships that result in dissatisfied customers, interactions inconsistent with policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of laws and regulations.
- Operational Risk – risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
- Transaction Risk – risk arising from problems with service or product delivery.
- Compliance Risk – risk arising from violations of laws, rules, or regulations, or from intentional or inadvertent non-compliance with internal policies or procedures or with company business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
- Information Security Risk – risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take.
Managing these risks calls for a consistent process across the life of the relationship:
- Conduct due diligence during sourcing.
- Perform a risk assessment and assign an appropriate risk rating.
- Implement risk-averse contract provisions.
- Periodically re-evaluate the vendor to ensure the risk rating has not changed.
While vendor management has matured significantly in the past decade or so, there’s still one piece of the puzzle missing – a focus on the untapped value of vendors. Once this perspective is adopted, organizations can finally begin to take a disciplined and holistic approach to controlling costs, facilitating compliance, mitigating risk, and driving value out of vendor relationships.