
Risk Intelligence Blog


6 Steps For Building a Vendor Risk Management Program


One of the key problem areas of enterprise risk management is vendor risk. Managing hundreds to thousands of vendors, suppliers, outsourcers and other third-party relationships is difficult in the best of financial times. With shrinking budgets and smaller staffs, how can vendor risk management be performed correctly?

These same shrinking budgets are pushing more companies to cut costs by outsourcing critical processes and systems that hold confidential information, which makes managing vendor risk and compliance even more difficult.

Business and regulatory mandates are pressuring executive-level officers to focus on compliance with privacy requirements, diverting resources from business operations and revenue generation. Moreover, the lack of standards or accepted metrics for assessing risk is a constant distraction for vendors completing multiple audits for their customers. Sometimes these audits are performed hundreds of times per year, costing the vendor time, money and the opportunity cost of not applying its people to other projects.

Many organizations are not able to adequately defend their selection of vendors or the ongoing use of those vendors. The mere task of performing due diligence and risk modeling on vendors is cost-prohibitive and beyond the organization's ability.

6 Steps to Establishing A Vendor Risk Management Program

Establishing a vendor risk management program is a challenging undertaking. The process grows in complexity with the number of participants from the internal organization (e.g. Procurement, Information & Physical Security, Legal and Regulatory Compliance) and from the vendor (e.g. Sales, Security, Information Technology, Legal and Human Resources).

These six steps are key for establishing a cost-effective vendor risk management program:

  1. Corporate Governance: The place to start is a strong internal governance system and policies. Establishing a corporate-wide policy creates a solid foundation for the program, and it is required before you can get all the organizations within the business to participate.
  2. Vendor Contracts: Contracts are the starting point from a vendor management perspective. Getting the necessary terms and conditions agreed upon is imperative from the beginning of the relationship. Key areas of consideration are "right to audit" and "security requirements."
  3. Risk Assessments: A complete vendor risk assessment has three components: Relationship Risk, Business Profile Risk and Control Risk. To perform due diligence, it is necessary to know what to review and what evidence to gather. When performing a risk assessment, there are a number of high-risk controls to measure, and certain red flags that will alert the auditor to problems.
  4. Onsite Audit: The key to an effective on-site audit is being prepared. Establish an audit plan that focuses the due diligence effort on critical areas that will result in correctable, high-impact findings. Watch for red flags that may indicate problems within the vendor's environment.
  5. Reporting: Concise audit results are critical in providing guidance for the different areas within the organization to review (e.g. Procurement, Legal and Security). The organization should review the risks identified in the report and require the vendor to correct areas of weak control in order to comply with organizational requirements.
  6. Risk Monitoring: Ongoing risk monitoring is required to keep abreast of any significant changes to your vendor's environment. Key areas to monitor include the company's financial health, business continuity plans and security controls. A sudden change in any of these areas could significantly increase the risk the vendor poses to the organization.

Photo credit: mdavidford

About the Author: James Christiansen is the CEO of Evantix and a global leader in information security, and he has held senior positions at some of the world's largest companies. As the first information security officer at Visa, he created and implemented Visa's global information security program. At General Motors, he held the position of Chief Information Security Officer (CISO), where he was responsible for global information security operations in all business units. In his role as CISO at Experian Americas, he actively participated in vendor reviews and several high-profile merger and acquisition assessments.

How can you more effectively manage third-party supplier risk?

Download Third Party Risk Management: Critical Steps to Safeguard Your Business Relationships. In this educational white paper, you'll learn how new risk intelligence systems are helping companies establish programs that minimize vendor risk.
