GRC & Chill: Kickstarting Your Risk Management with Quantification
In this episode of GRC & Me, Megan Phee talks to Netflix's Senior Information Security Risk Engineer, Tony…
At our recent webinar with ITGRCFORUM we discussed practical steps to scale your vendor risk management program. Over 500 attendees joined the webinar and learned 5 practical steps they could implement to scale their third-party vendor risk management programs, which address the most common vendor risks and problems.
At our recent webinar with ITGRCFORUM we discussed The practical steps to scale your vendor risk management program. The group of panelists: Todd Boehler, Scott Schneider, Jake Olcott, and LogicGate’s Matt Kunkle are all experts in the GRC industry and have a clear understanding of the most pressing needs organizations have related to vendor risk management.
Over 500 attendees joined the webinar and learned 5 practical steps they could implement to scale their third-party vendor risk management programs, which address the most common vendor risks and problems.
Common Vendor Risks and Problems
- Not Identifying All vendors
- No documented policies/procedures
- Don’t know their contractual obligations
- No information security or privacy training
- Posting client data to social media
- Using personal data for research and testing
- Selling personal data that was entrusted to them
- No definition of “personal information”
- Cloud services often believe they are exempt
- Believe others are responsible
- No risk management activities
- No use of encryption
- Subcontracting
5 Practical Steps To Scale Your VRM Program:
1. How to Gain Executive Buy-In for Your VRM program
Executives and boards are focused on top of the line metrics, and often a VRM program does not increase revenue, so it can be difficult to demonstrate the need for a VRM program. In order to showcase the value of a VRM program to your board and executives consider these four things:
- What KPI’s are most important to the board or executive - Tying those metrics back to operational and reputational risk is a very effective way of demonstrating the value of a robust VRM program.
- Create a culture of risk and compliance within your organization - Empower every employee to partake in risk and compliance.
- Establish the ROI - Clearly, demonstrate the benefits to spending the money on a VRM program. It creates operational efficiency, drives data-based decision making, and is necessary for a solid cyber-security risk program.
- A VRM program is a building block for an organization's overall integrated risk management program - VRM programs are one piece to the overall risk management strategy. Incorporating robust and agile technology creates a comprehensive risk management program that impacts policy, controls, the bottom line, and the organizational reputation.
2. Leverage Automation to Scale your VRM Program
Scaling a program means you have visibility into the vendor or supplier ecosystem when you need it, how need it, and in the most cost efficient way. Of those attending the webinar, 43% state that a lack of human resources is their biggest obstacle to scaling their VRM program.
While questionnaires and surveys have their place in a VRM program, it is difficult to scale using that approach alone. Utilize tools that can automate data collection, retention, and analysis helps to scale your VRM program that meets your organization’s needs. A truly scalable system will be adaptable as your organization adds new vendors or suppliers.
3. Stop Using Static Spreadsheet Based Third Party Assessments
Current standard assessments utilize spreadsheets and email to track and monitor third party vendor risk. In fact, 38% of the webinar attendees have a manual process for third-party risk management and 16% had no program in place at all. Static spreadsheets leave the organization frustrated with ample data that can’t be analyzed or put into policy and procedure, and the third party frustrated due to wasted time answering hundreds of forms from various organizations. When organizations move to a global risk exchange and dynamic assessments they save time, lower costs, reduce the burden on third parties, and allow the organization to truly manage risk.
Utilizing technology to perform third-party risk assessments allows the organization to closely monitor third-party risk without being a burden on the vendor.
4. Rationalize Your Due Diligence
VRM is not a one size fits all program. Therefore, your organization should not cover all third-party organizations at the same level. Some tips for rationalizing your due diligence:
- Have a good involvement with a line of business
- Understand what are the critical pieces of information to gather from each of the third-parties.
- Know that the organization always owns the risk
- Consider all aspects of a vendor’s profile
- Create a holistic view of your vendor population
- Separate and focus on the right third-parties with the right amount of risk coverage
5. Ensure Vendor Breaches Don’t Take Down Your Business
Ensure that your vendors are contractually required to report breaches to your organization as soon as possible. Maintain documentation of all vendor’s plans and preparedness of breaches and breach management components. It’s critical you know your legal requirements if your vendor has a breach. Often it’s the organization that is responsible for the breach, not the third party vendor.
Things to Consider Before You Buy A VRM
- What program do you want in place?
- How robust does your program need to be?
- What do we want to accomplish with the program?
- How many vendors are we assessing?
- What’s the frequency of assessments?
Once the framework is in place, then evaluate how you operationalize that program.
Many organizations are coming from large VRM platforms that are difficult to implement and use. Before purchasing a VRM platform, look for these criteria:
- Ease of use- consider the admin perspective and the business user perspective- if the business user can’t navigate the system, then it won’t be adapted enterprise-wide
- Configurability- Can the program be customized to your organization
- A flexible VRM program that will evolve with the organization
- Affordability
- Functionality
LogicGate’s Third-Party Risk Solution Meets Your Needs
LogicGate’s Third Party Risk Management solution is tailored to your organization’s needs. It allows you to create custom scoring rules for your vendors, build custom assessment forms, and customizes workflows to match your approval processes that integrates with your current procurement, contracting, and accounts payable processes. With a single source of truth, your organization will increase risk visibility and easily track mitigation and remediation activities with all your third party vendors.
The risk and compliance industry is seeing changes in the demands of the market and regulations. Regulators are no longer satisfied with simple spreadsheets and emails as a form of tracking and mitigating third party vendor risk. Utilizing LogicGate’s Third Party Risk Management solution will help your organization create a culture of risk and compliance that will scale your automated VRM program and increase risk awareness.
