
Identify and Manage Regulatory and Compliance Risk Impacts on Your Organization

It is easier for prospective clients to find out what you did wrong than to learn that you fixed it.

Regulations, vendor relationships, and supply chains are changing faster than ever. As a result, organizations – and their vendors – need plans that can absorb risk on an unprecedented scale.

It is increasingly likely that one of your vendors, or one of their n-party support vendors, will fall out of regulatory compliance. Organizations must therefore protect themselves by building better mechanisms to hold their n-party vendors accountable and to validate that they remain compliant.

Our Advice

Critical Insight

  • Identifying and managing a vendor’s potential regulatory impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.
  • Organizational leadership is often caught unprepared by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.

Impact and Result

Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks with our Regulatory Risk Impact Tool to manage potential impacts.

Identify and Manage Regulatory and Compliance Risk Impacts on Your Organization Research & Tools

1. Identify and Manage Regulatory and Compliance Risk Impacts to Your Organization Storyboard – Use the research to better understand the negative regulatory and compliance impacts that vendor actions can have on your organization.

Use this research to identify and quantify the potential regulatory impacts caused by vendors. Use Info-Tech's approach to look at the regulatory impact from various perspectives to better prepare for issues that may arise.

2. Regulatory Risk Impact Tool – Use this tool to help identify and quantify the operational impacts of negative vendor actions.

By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.


Identify and Manage Risk Impacts on Your Organization

It is easier for prospective clients to find out what you did wrong than to learn that you fixed it.

Analyst perspective

Organizations must understand the regulatory damage vendors may cause from lack of compliance.

The sheer number of regulations on the international market is immense and ever-changing, which makes it almost impossible for any organization to keep up with compliance consistently.

As regulatory enforcement increases, organizations must hold their vendors accountable for compliance through ongoing monitoring and validation of regulatory compliance to the relevant standards in their industries, or face increasing penalties for non-compliance.

Frank Sewell,

Research Director, Vendor Management

Info-Tech Research Group

Executive Summary

Your Challenge

Regulations, vendor relationships, and supply chains are changing faster than ever. As a result, organizations – and their vendors – need plans that can absorb risk on an unprecedented scale.

It is increasingly likely that one of your vendors, or one of their n-party support vendors, will fall out of regulatory compliance. Organizations must protect themselves by building better mechanisms to hold their n-party vendors accountable and to validate that they remain compliant.

Common Obstacles

Identifying and managing a vendor’s potential regulatory impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.

Organizational leadership is often caught unprepared by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.

Info-Tech’s Approach

Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks with our Regulatory Risk Impact Tool to manage potential impacts.

Info-Tech Insight

Organizations must evolve their risk assessments to be more adaptive so they can respond to regulatory changes in the global market. Ongoing monitoring of the vendors who must comply with industry and governmental regulations is crucial to avoiding penalties and maintaining your own regulatory compliance.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

The image contains a cube divided into six asymmetrical segments highlighting the six components of vendor risk: Strategic, Security, Regulatory & Compliance, Financial, Reputational, and Operational.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:

This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Regulatory and Compliance risk impacts

Potential losses to the organization due to regulatory and compliance incidents.

  • In this blueprint we’ll:
    • Explore regulatory and compliance risks and their impacts.
    • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to identify, manage, and monitor vendor performance.

The image contains the same six-segment vendor risk cube (Strategic, Security, Regulatory & Compliance, Financial, Reputational, Operational), with Regulatory & Compliance highlighted.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them and avoid penalties.

When the unexpected happens, being able to adapt quickly to new priorities and regulations ensures continued long-term business success.

Below are some figures from the last few years that illustrate the scale of the problem:

  • 45% – have no visibility into their upstream supply chain, or can only see as far as their first-tier suppliers. (McKinsey, 2022)
  • 61% – of compliance officers expect to increase investment in their compliance function over the next two years. (Accenture, 2022)
  • $770k+ – breaches involving third-party vendors cost more on average. (HIT Consultant, 2022)

Regulatory Compliance

Consider implementing vendor management initiatives and practices in your organization to help gain compliance with your expanding vendor landscape.

Your organizational risks may be monitored but are your n-party vendors?

Review your expectations with your vendors and hold them accountable.

Regulatory entities are looking beyond your organization’s internal compliance these days. More and more they are diving into your third-party and downstream relationships, particularly as awareness of downstream breaches increases globally.

  • Are you assessing your vendors regularly?
  • Are you validating those assessments?
  • Do your vendors have a map of their downstream support vendors?
  • Do they have the mechanisms to hold those downstream vendors accountable to your standards?

Regulatory Guidance and Industry Standards

Are you confident your vendors meet your standards?

Identify and manage regulatory and compliance risks

Environmental, Social, Governance (ESG)
Regulatory agencies across the globe are increasing enforcement of ESG practices. As a result, organizations will need to monitor the changing regulations and validate that their vendors and n-party support vendors adhere to them, or face penalties for non-compliance.

Data Protection
Data protection obligations continue to expand. Organizations should ensure that the data their vendors obtain remains protected throughout the vendor lifecycle, including post-termination. Otherwise, they could be monitoring for a data breach in perpetuity.

Mergers and Acquisitions
Larger IT vendors continuously buy smaller companies to consolidate the market. Organizations should therefore put protections in their contracts (for example, notice and termination rights on change of control) so that a vendor’s acquisition does not leave them in a relationship with a new owner that creates a compliance problem.

What to look for

Identify regulatory and compliance risk impacts.

  • Is there a record of complaints against the vendor from their employees or customers?
  • Has the vendor been cited for regulatory compliance issues in the past?
  • Does the vendor have a comprehensive list of their n-party vendor partners?
    • Are they willing to accept appropriate contractual protections regarding them?
  • Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually? If they provide a report, review its scope, period, and noted exceptions rather than accepting its existence as evidence.
  • Does the vendor operate in regions known for regulatory violations?
  • Is the vendor willing to make concessions on contractual protections, or are they only offering “one-sided” agreements with “as-is” warranties?

Prepare your vendor risk management for success

Due diligence will enable successful outcomes.

  1. Obtain top-level buy-in; it is critical to success.
  2. Build enterprise risk management (ERM) through incremental improvement.
  3. Focus initial efforts on the “big wins” to prove the process works.
  4. Use existing resources.
  5. Build on any risk management activities that already exist in the organization.
  6. Socialize ERM throughout the organization to gain additional buy‑in.
  7. Normalize the process long term, with ongoing updates and continuing education for the organization.

(Adapted from COSO)

How to assess third-party risk

  1. Review Organizational Regulations – Understand the organization’s regulatory risks to prepare for the “What If” game exercise.
  2. Identify & Understand Potential Regulatory-Compliance Risks – Play the “What If” game with the right people at the table.
  3. Create a Risk Profile Packet for Leadership – Pull all the information together in a presentation document.
  4. Validate the Risks – Work with leadership to ensure that the proposed risks are in line with their thoughts.
  5. Plan to Manage the Risks – Lower the overall risk potential by putting mitigations in place.
  6. Communicate the Plan – It is important not only to have a plan but also to socialize it in the organization for awareness.
  7. Enact the Plan – Once the plan is finalized and socialized, put it in place with continued monitoring for success.

Adapted from Harvard Law School Forum on Corporate Governance

Insight summary

Regulatory risk impacts often come from unexpected places and have significant consequences. Knowing who your vendors are using for their support and supply chain could be crucial in eliminating the risk of non-compliance for your organization. Having a plan to identify and validate the regulatory compliance of your vendors is a must for any organization, to avoid penalties.

Insight 1

Organizations fail to plan for vendor acquisitions appropriately.

Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans around replacing critical vendors purchased in such a manner?

Insight 2

Organizations often fail to understand how n-party vendors could place them in non-compliance.

Even if you know your complete third-party vendor landscape, you may not be aware of the downstream vendors in play. Ensure that you get visibility into this space as well and hold your direct vendors accountable for the actions of their vendors.

Insight 3

Organizations need to know where their data lives and ensure it is protected.

Make sure you know which vendors are accessing/storing your data, where they are keeping it, and that you can get it back and have the vendors destroy it when the relationship is over. Without adequate protection throughout the lifecycle of the vendor, you could be monitoring for breaches in perpetuity.

Identifying regulatory and compliance risks

Who should be included in the discussion.

  • While executive-level leadership defines the strategy for an organization, those leaders can only decide well if they are informed.
  • Getting input from regulatory risk experts within your organization will enhance your long-term potential for successful compliance.
  • Involving those who not only directly manage vendors but also understand your regulatory requirements will aid in determining the path forward for relationships with your current vendors, and identifying new emerging potential partners.

See the blueprint Build an IT Risk Management Program

Review your risk management plans for new risks on a regular basis.

Keep in mind that Risk = Likelihood x Impact (R = L x I).

For a given scenario, Impact (I) tends to stay constant, while Likelihood (L) keeps climbing toward 100% as threat actors, regulatory changes, and vendor acquisitions become more frequent. Re-score L at every review rather than carrying last year’s number forward.

Managing vendor regulatory and compliance risk impacts

How could your vendors fall out of compliance?

  • Review vendors’ downstream connections to understand thoroughly with whom you are in business.
    • Monitor their regulatory stance as it could reflect on your organization.
  • Institute proper vendor lifecycle management.
    • Make sure to follow corporate due diligence and risk assessment policies and procedures.
    • Failure to consistently do so is a recipe for disaster.
  • Develop IT risk governance and change control.
  • Introduce continual risk assessment to monitor the relevant vendor markets.
    • Regularly review your regulatory requirements for new and changing risks.
  • Be adaptable and allow for innovations that arise from the current needs.
    • Capture lessons learned from prior incidents to improve over time, and adjust your plans accordingly.

Organizations must review their regulatory risk appetite and tolerance levels, considering their complete landscape.

Changing regulations, acquisitions, and events that affect global supply chains are current realities, not unlikely scenarios.

Ongoing Improvement

Incorporating lessons learned.

  • Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
  • When it happens, follow your incident response plans and act accordingly.
  • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
  • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

Sometimes disasters occur despite our best plans to manage them.

When this happens, it is important to document the lessons learned and update our plans.

The “what if” game

1-3 hours

Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

  1. Break into smaller groups (or if too small, continue as a single group).
  2. Use the Regulatory Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
  3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.
Input and output
  • List of identified potential risk scenarios scored by regulatory-compliance impact
  • List of potential mitigations of the scenarios to reduce the risk
  • Comprehensive regulatory risk profile on the specific vendor solution

Materials
  • Whiteboard/flip charts
  • Regulatory Risk Impact Tool to help drive discussion

Participants
  • Vendor Management – Coordinator
  • Organizational Leadership
  • Operations Experts (SMEs)
  • Legal/Compliance/Risk Manager

High risk example from tool

The image contains a screenshot demonstrating high risk example from the tool.

How to mitigate:

Contractually require the vendor to have a third-party security audit performed annually, with the stipulation that their controls will not fall below your acceptable standards.

Note: Even though a few items are “scored,” they have not been added to the overall weight. This signals that the company has noted them but does not necessarily hold them against the vendor.

Low risk example from tool

The image contains a screenshot demonstrating low risk example from the tool.
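The two screenshots above show the tool’s output but not its arithmetic. The following is an added illustration of the scoring mechanics described on this page (R = L x I per scenario, a vendor score that sums only the “counted” items, and a tier for prioritization); it is not Info-Tech’s Regulatory Risk Impact Tool. The 1-5 scale, the tier thresholds, the vendor names and the findings are all assumptions constructed here.

```python
"""Score and tier vendor regulatory-risk scenarios with R = L x I.

Added illustration, not Info-Tech's Regulatory Risk Impact Tool. The 1-5
scale, the tier thresholds and the vendor data are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCALE = range(1, 6)             # assumed: likelihood and impact scored 1 (low) to 5 (high)
DEFAULT_THRESHOLDS = (15, 40)   # assumed: score >= 40 is High, >= 15 is Medium, else Low


@dataclass
class Finding:
    """One 'what if' scenario raised against a vendor during the exercise."""
    scenario: str
    likelihood: int                              # L: how likely the scenario is, 1-5
    impact: int                                  # I: regulatory/compliance impact, 1-5
    counted: bool = True                         # False: noted on the profile, not weighted
    mitigation: Optional[str] = None             # proposed control, if any
    mitigated_likelihood: Optional[int] = None   # L once the control is in place

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact, self.mitigated_likelihood):
            if value is not None and value not in SCALE:
                raise ValueError(f"{self.scenario!r}: scores must be between 1 and 5")

    def inherent(self) -> int:
        return self.likelihood * self.impact     # R = L x I before any mitigation

    def residual(self) -> int:
        likelihood = self.likelihood if self.mitigated_likelihood is None else self.mitigated_likelihood
        return likelihood * self.impact          # R = L x I with the mitigation applied


def vendor_score(findings: List[Finding], residual: bool = False) -> int:
    """Sum R over counted findings only; 'noted only' items never move the score."""
    return sum(f.residual() if residual else f.inherent() for f in findings if f.counted)


def tier(score: int, thresholds=DEFAULT_THRESHOLDS) -> str:
    medium, high = thresholds
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


def profile(vendor: str, findings: List[Finding], thresholds=DEFAULT_THRESHOLDS) -> dict:
    """The per-vendor risk profile the exercise hands to leadership."""
    inherent, residual = vendor_score(findings), vendor_score(findings, residual=True)
    return {
        "vendor": vendor,
        "inherent_score": inherent,
        "inherent_tier": tier(inherent, thresholds),
        "residual_score": residual,
        "residual_tier": tier(residual, thresholds),
        "noted_only": [f.scenario for f in findings if not f.counted],
        "mitigations": [(f.scenario, f.mitigation) for f in findings if f.counted and f.mitigation],
    }


def rank_vendors(portfolio: Dict[str, List[Finding]], thresholds=DEFAULT_THRESHOLDS) -> List[dict]:
    """Highest inherent score first, so the high-risk vendors get attention first."""
    profiles = [profile(v, fs, thresholds) for v, fs in portfolio.items()]
    return sorted(profiles, key=lambda p: p["inherent_score"], reverse=True)


# Constructed sample portfolio: hypothetical vendors and findings, not real data.
PORTFOLIO: Dict[str, List[Finding]] = {
    "Vendor A": [
        Finding("Cited by a regulator for a past data-protection failure", 4, 5,
                mitigation="Contractual annual third-party security audit; review scope and exceptions",
                mitigated_likelihood=2),
        Finding("No map of n-party support vendors", 4, 4,
                mitigation="Disclosure clause with flow-down of our standards", mitigated_likelihood=2),
        Finding("Self-audits only; no independent SOC report", 3, 4,
                mitigation="Require an annual SOC report from a vetted audit firm", mitigated_likelihood=1),
        Finding("Offers only an 'as-is' warranty", 3, 3, counted=False),   # noted, not weighted
        Finding("Record of employee complaints", 2, 2, counted=False),      # noted, not weighted
    ],
    "Vendor B": [
        Finding("Operates in a region with elevated enforcement activity", 2, 3),
        Finding("One customer complaint, since resolved", 1, 2, counted=False),
    ],
}

if __name__ == "__main__":
    for p in rank_vendors(PORTFOLIO):
        print(f"{p['vendor']}: inherent {p['inherent_score']} ({p['inherent_tier']}), "
              f"residual {p['residual_score']} ({p['residual_tier']}), noted only: {p['noted_only']}")
```

Keeping `counted=False` items on the profile (but out of the score) preserves the record of what the group noticed without penalizing the vendor, which matches the note on the high-risk example; comparing the inherent and residual tiers shows leadership what the proposed mitigations actually buy before they accept or reject them.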

Summary

Seek to understand all regulatory requirements in order to achieve compliance.

  • Organizations need to understand and map out their entire vendor landscape.
  • Understand where all your data lives and how you can control it throughout the vendor lifecycle.
  • Those organizations that consistently follow their established risk assessment and due diligence processes are better positioned to avoid penalties.
  • Bring the right people to the table to outline potential risks in the market and your organization.
  • Incorporate “lessons learned” from prior incidents into your risk management process to build better plans for future issues.

Keeping up with the ever-changing regulations can make compliance a difficult task.

Organizations should increase the resources dedicated to monitoring these regulations as agencies continue to hold them more accountable.

Related Info-Tech Research

Identify and Manage Financial Risk Impacts on Your Organization

  • Vendor management practices educate organizations on potential financial impacts that vendors may incur and suggest systems to help manage them.
  • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Manage Reputational Risk Impacts on Your Organization

  • Vendor management practices educate organizations on potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.
  • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

Identify and Manage Strategic Risk Impacts on Your Organization

  • Vendor management practices educate organizations on potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.
  • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

Info-Tech Insight

It is easier for prospective clients to find out what you did wrong than to learn that you fixed it.


Bibliography

Alicke, Knut, et al. “Taking the Pulse of Shifting Supply Chains.” McKinsey & Company, 26 Aug. 2022. Accessed 31 Oct.
Regan, Samantha, et al. “Can Compliance Keep Up with Warp-Speed Change?” Accenture, 18 May 2022. Accessed 31 Oct. 2022.
Feria, Nathalie, and Daniel Rosenberg. “Mitigating Healthcare Cyber Risk Through Vendor Management.” HIT Consultant, 17 Oct. 2022. Accessed 31 Oct. 2022.
Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.
Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Author

Frank Sewell
