
Risk Intelligence Blog


The Business Case For Proactive Vendor Risk Management

The business case for vendor risk management can be summed up in two words: do it. Vendor risk management is no longer optional; it is a requirement for doing business. Because of this imperative, many companies treat vendor risk management as something to be done as cheaply as possible.

This is like doing recruiting as cheaply as possible, or doing accounting as cheaply as possible. The unspoken corollary is "Cut corners if you need to."

This bare-minimum approach to vendor risk management can damage relationships with vendors and customers and can undermine a company's ability to meet its regulatory responsibilities.

In vendor risk management, there are factors other than cost that businesses can optimize and be proactive about. Instead of trotting out that tired old Excel spreadsheet once a year, build quality into the vendor risk management function. Here are three benefits of adopting a proactive vendor risk management process:
1. Stay ahead of the regulatory curve
Companies can use vendor risk management as an opportunity to stay ahead of changes in industry regulations. In most industries, regulations become more stringent with each new update; they don't get easier. For example, the PCI Security Standards Council will soon finalize version 2.0 of the PCI DSS, and companies are already scrambling to update their systems and controls to comply with the more stringent security measures. Companies that proactively manage their vendor risk can stay ahead of regulatory updates like these. Companies that take a reactive approach will be pressed to spend extra time and money on hasty solutions, and may miss strategic opportunities as a result.

2. Leverage risk to create more effective contract terms
Traditionally, contracts with a third-party vendor that involve sensitive or confidential data or information include the following two terms: 1) Vendor shall keep all of the information secure, and 2) Customer has the right to review the vendor's security. These terms have been in contracts for decades, yet breaches continue to occur because all too often neither party understands the specific implications of the terms. The who, what, where, when and why are all missing from such contract terms.

Businesses should leverage risk up front to build contracts that specify particular controls. Contract terms can state when reviews will take place and even set up contingency reviews under certain conditions. For example, a contract might specify that if there is a breach in the vendor's system, the customer will be notified within 30 days. This also gives companies the ability to build contract terms that apply more rigorous monitoring and controls to risky processes and sensitive data sets. Perhaps most importantly, there is no better way to communicate the importance of information security than through the contracting process. And when vendors adjust their operations and systems to comply, or even lead, proactive vendor risk management is a great way to recognize this and elevate the relationship.

3. Improve vendor relationships
Broaching a proactive approach to risk management during contract negotiation can improve your company's relationship with a vendor. Taking a proactive risk management approach means you'll be working with the vendor to mitigate risks. A proactive approach builds on the specific contract terms by providing reporting, tracking the vendor's commitments to mitigate risks, and documenting the results. A proactive stance will save the vendor time and money in the long run, making you a more valued client. It is also likely that the vendor has many other clients with security needs similar to yours. The vendor can then build security into its product value proposition by passing on the efficiencies and savings achieved through your agreement to other customers. I've seen many examples where a vendor, after a breach and the resulting operational changes to improve security, has redone its marketing materials to highlight its commitment to security.

These benefits build a compelling business case for leaving the reactive, bare-minimum approach to vendor risk management behind. Companies that opt for a proactive approach to vendor risk management will mitigate risks more effectively and gain a more efficient and rewarding client-vendor relationship. The real business case for proactive vendor risk management should be: do it, and do it well.

About the Author: James M. Anderson is President of Professional Assurance, LLC, an advanced enterprise security consultancy.  Over his 30-year career, he has served as Vice President, Global Information Security Services for Visa, head of the information security unit of Morgan Stanley and as Director of Security and Information Services at Lexis-Nexis, Inc.  He holds the CISSP, CISM and CGEIT certifications.  You can follow his writing on the Evantix blog or connect with him on LinkedIn.
