- More so than at any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
- It is increasingly likely that one of an organization's vendors, or their n-party support vendors, will cause an incident. Organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply.
Our Advice
Critical Insight
- Identifying and managing a vendor’s potential risk impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect your organization.
- Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.
Impact and Result
- Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.
- Prioritize and classify your vendors with quantifiable, standardized rankings.
- Prioritize focus on your high-risk vendors.
- Standardize your processes for identifying and monitoring vendor risks with our Comprehensive Risk Impact Tool to manage potential impacts.
Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management
Approach vendor risk impact assessments from all perspectives.
Analyst Perspective
Organizations must comprehensively understand the impacts vendors may cause through different potential actions.

Risks from the vendor market have become more prevalent as technologies and organizational strategies shift in a global direction. With this shift in risk comes a necessary change of perspective to match the greater likelihood of an incident caused by a vendor's (or one of its downstream support vendors') negative actions.
Organizational leadership must become more aware of the increasing risks that engaging vendors imposes. To do so, they need to make informed decisions, which requires engaging the expert resources in their organization to compile a comprehensive view of potential risk impacts.
Frank Sewell
Research Director, Vendor Management
Info-Tech Research Group
Executive Summary
Your Challenge
- More so than at any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
- It is increasingly likely that one of your vendors, or their n-party support vendors, will cause an incident. Organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply.
Common Obstacles
- Identifying and managing a vendor’s potential risk impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect your organization.
- Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.
Info-Tech's Approach
- Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.
- Prioritize and classify your vendors with quantifiable, standardized rankings.
- Prioritize focus on your high-risk vendors.
- Standardize your processes for identifying and monitoring vendor risks with our Comprehensive Risk Impact Tool to manage potential impacts.
Info-Tech Insight
Organizations must evolve their risk assessments to be more adaptive to respond to changes in the global market. Ongoing monitoring and continual assessment of vendors’ risks is crucial to avoiding negative impacts.
Info-Tech’s multi-blueprint series on vendor risk assessment
There are many individual components of vendor risk beyond cybersecurity.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.
Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.
The world is constantly changing
The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.
When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.
Below are some things no one expected to happen in the last few years:
- 62% of IT professionals are more concerned about being a victim of ransomware than they were a year ago. (Info-Tech Tech Trends Survey 2022)
- 82% of Microsoft non-essential employees shifted to working from home in 2020, joining the 18% already remote. (Info-Tech Tech Trends Survey 2022)
- 89% of organizations invested in web conferencing technology to facilitate collaboration. (Info-Tech Tech Trends Survey 2022)
Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management
Vendor Risk
- Financial
- Strategic
- Operational
- Security
- Reputational
- Regulatory
- Organizations must review their risk appetite and tolerance levels, considering their complete landscape.
- Changing regulations, acquisitions, and events that affect global supply chains are current realities, not unlikely scenarios.
- Prepare your vendor risk management for success using due diligence and scenario-based “What If” discussions to bring all the relevant parties to the table and educate your whole organization on risk factors.

Strategic risks on a global scale
Odds are at least one of these is currently affecting your strategic plans
- Vendor Acquisitions
- Global Pandemic
- Global Shortages
- Gas Prices
- Poor Vendor Performance
- Travel Bans
- War
- Natural Disasters
- Supply Chain Disruptions
- Security Incidents
Make sure you have the right people at the table to identify and plan to manage impacts.
Assess internal and external operational risk impacts
Two sides of the same coin
Internal
- Poorly vetted supplemental staff
- Bad system configurations
- Lack of relevant skills
- Poor vendor performance
- Failure to follow established processes
- Weak contractual accountability
- Unsupportable or end-of-life system components
External
- Cyberattacks
- Supply Chain Issues
- Geo-Political Disruptions
- Vendor Acquisitions
- N-Party Non-Compliance
- Vendor Fraud
Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.
Identify and manage security risk impacts on your organization
Due diligence will enable successful outcomes
- Poor vendor performance
- Vendor acquisition
- Supply chain disruptions and shortages
- N-party risk
- Third-party risk
What your vendor associations say about you

Regulatory compliance
Consider implementing vendor management initiatives and practices in your organization to help gain compliance with your expanding vendor landscape.
Your organizational risks may be monitored, but are your n-party vendors?

Review your expectations with your vendors and hold them accountable
Regulatory entities are looking beyond your organization’s internal compliance these days. Increasingly, they are examining your third-party and downstream relationships, particularly as awareness of downstream breaches grows globally.
- Are you assessing your vendors regularly?
- Are you validating those assessments?
- Do your vendors have a map of their downstream support vendors?
- Do they have the mechanisms to hold those downstream vendors accountable to your standards?
Identify and manage risks
Regulatory
Regulatory agencies across the globe are stepping up enforcement of ESG practices. As a result, organizations will need to monitor the changing regulations and validate that their vendors and n-party support vendors adhere to them, or face penalties for non-compliance.
Security: data protection
Data protection remains an issue. Organizations should ensure that the data their vendors obtain remains protected throughout the vendor’s lifecycle, including post-termination. Otherwise, they could be monitoring for a data breach in perpetuity.
Mergers and acquisitions
Larger vendors continually buy smaller companies to consolidate their control of the IT market. Organizations should put protections in their contracts to ensure that an IT vendor’s acquisition does not leave them in a relationship with a party that could cause them an issue.
Identify and manage risks
Poor vendor performance
Consider the impact of a vendor that fails to perform midway through an implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money after bad.
Supply chain disruptions and global shortages
Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.
Poorly configured systems
Failing to ensure that vendor-supported systems are properly configured and that vendors meet your IT change control and configuration standards is more common than expected. Proper oversight and management of your support vendors is crucial to ensure they meet expectations in this regard.
What to look for
Identify potential risk impacts
- Is there a record of complaints against the vendor from their employees or customers?
- Is the vendor financially sound, with the resources to support your needs?
- Has the vendor been cited for regulatory compliance issues in the past?
- Does the vendor have a comprehensive list of their n-party vendor partners?
- Are they willing to accept appropriate contractual protections regarding them?
- Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
- Does the vendor operate in regions known for instability?
- Is the vendor willing to make concessions on contractual protections, or are they only offering one-sided agreements with as-is warranties?
Prepare your vendor risk management for success
Due diligence will enable successful outcomes.
- Obtain top-level buy-in; it is critical to success.
- Build enterprise risk management (ERM) through incremental improvement.
- Focus initial efforts on the “big wins” to prove the process works.
- Use existing resources.
- Build on any risk management activities that already exist in the organization.
- Socialize ERM throughout the organization to gain additional buy-in.
- Normalize the process long term with ongoing updates and continuing education for the organization.
(Adapted from COSO)
How to assess third-party risk
- Review organizational risks: understand the organization's risks to prepare for the “What If” game exercise.
- Identify and understand potential risks: play the “What If” game with the right people at the table.
- Create a risk profile packet for leadership: pull all the information together in a presentation document.
- Validate the risks: work with leadership to ensure that the proposed risks are in line with their thinking.
- Plan to manage the risks: lower the overall risk potential by putting mitigations in place.
- Communicate the plan: it is important not only to have a plan but also to socialize it in the organization for awareness.
- Enact the plan: once the plan is finalized and socialized, put it in place with continued monitoring for success.
Adapted from Harvard Law School Forum on Corporate Governance
Insight summary
Risk impacts often come from unexpected places and have significant consequences.
Knowing who your vendors are using for their support and supply chain could be crucial in eliminating the risk of non-compliance for your organization.
Having a plan to identify and validate the regulatory compliance of your vendors is a must for any organization to avoid penalties.
Insight 1
Organizations’ strategic plans need to be adaptable to avoid vendors’ negative actions causing an expedited shift in priorities.
For example, Philips’ recall of ventilators impacted its products and the availability of its competitors’ products as demand overwhelmed the market.
Insight 2
Organizations often fail to understand how n-party vendors could place them in non-compliance.
Even if you know your complete third-party vendor landscape, you may not be aware of the downstream vendors in play. Ensure that you get visibility into this space as well, and hold your direct vendors accountable for the actions of their vendors.
Insight 3
Organizations need to know where their data lives and ensure it is protected.
Make sure you know which vendors are accessing/storing your data, where they are keeping it, and that you can get it back and have the vendors destroy it when the relationship is over. Without adequate protections throughout the lifecycle of the vendor, you could be monitoring for breaches in perpetuity.
Insight summary
Assessing financial impacts is an ongoing, educative, and collaborative multidisciplinary process that vendor management initiatives are uniquely designed to coordinate and manage for organizations.
Operational risk impacts often come from unexpected places and have unforeseen impacts. Knowing where your vendors place in critical business processes and those vendors' business continuity plans concerning your organization should be a priority for those managing the vendors.
Insight 4
Organizations need to learn how to assess the likelihood of potential risks in the rapidly changing online environments and recognize how their partnerships and subcontractors’ actions can affect their brand.
For example, do you understand how a simple news article raises your profile for short-term and long-term adverse events?
Insight 5
Organizations fail to plan for vendor acquisitions appropriately.
Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans for replacing critical vendors purchased in such a manner?
Insight 6
Vendors are becoming more and more crucial to organizations’ overall operations, and most organizations have a poor understanding of the potential impacts they represent.
Is your vendor solvent? Do they have enough staff to accommodate your needs? Has their long-term planning been affected by changes in the market? Are they unique in their space?
Identifying vendor risk
Who should be included in the discussion?
- While it is true that executive-level leadership defines the strategy for an organization, it is vital that the decisions they make are informed ones.
- Getting input from operational experts at your organization will enhance your business's long-term potential for success.
- Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying emerging potential strategic partners.
- Make sure security, risk, and compliance are all at the table. These departments all look at risk from different angles for the business and give valuable insight collectively.
- Organizations have a wealth of experience in their marketing departments that can help identify real-world scenarios of negative actions.
See the blueprint Build an IT Risk Management Program
Review your risk management plans for new risks on a regular basis.
Keep in mind that Risk = Likelihood x Impact (R = L x I). For a given scenario, Impact (I) tends to remain the same, while Likelihood (L) keeps moving closer to 100% as threat actors become more prevalent.
Managing vendor risk impacts
How could your vendors impact your organization?
- Review vendors’ downstream connections to understand thoroughly who you are in business with
- Institute continuous vendor lifecycle management
- Develop IT risk governance and change control
- Introduce continual risk assessment to monitor the relevant vendor markets
- Monitor and schedule contract renewals and new service/module negotiations
- Perform business alignment meetings to reassess relationships
- Ensure strategic alignment in contracts
- Review vendors’ business continuity plans and disaster recovery testing
- Re-evaluate corporate policies frequently
- Monitor your company’s and associated vendors’ online presence
- Be adaptable and allow for innovations that arise from current needs
- Capture lessons learned from prior incidents to improve over time, and adjust your plans accordingly
Organizations must review their risk appetite and tolerance levels, considering their complete landscape.
Changing regulations, acquisitions, new security issues, and events that affect global supply chains are current realities, not unlikely scenarios.
Ongoing Improvement
Incorporating lessons learned.
- Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
- When that happens, follow your incident response plans and act accordingly.
- An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
- Use the lessons learned document to devise, incorporate, and enact a better risk management process.
Sometimes disasters occur despite our best plans to manage them.
When this happens, it is important to document the lessons learned and improve our plans going forward.
The "what if" game
1-3 hours
Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
- Break into smaller groups (if too small, continue as a single group).
- Use the Comprehensive Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
- Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.
Download the Comprehensive Risk Impact Tool
High risk example from tool

Note: Even though a few items are “scored”, they have not been added to the overall weight, signaling that the company has noted them but does not necessarily hold them against the vendor.
How to mitigate:
- Contractually insist that the vendor have a third-party security audit performed annually, with the stipulation that its controls will not fall below your acceptable standards.
- At renewal negotiate better contractual terms and protections for your organization.
Low risk example from tool

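The scoring logic behind the R = L x I note and the high- and low-risk tool examples above, as an added illustration that is not the Info-Tech Comprehensive Risk Impact Tool's own code: each finding is rated for likelihood and impact, findings roll up per pillar, pillars are weighted into one score, and the score is mapped to a tier. It also models the note that some items are recorded but deliberately left out of the weighting. The six pillar names are the page's; the 1-5 scales, the pillar weights, the tier thresholds, and both sample vendors are assumptions made for this example.

```python
"""Weighted vendor risk scoring across the six pillars (added example).

Not Info-Tech's Comprehensive Risk Impact Tool. Pillar names come from the
page; the 1-5 scales, pillar weights, tier thresholds and the two sample
vendors below are assumptions for illustration only.
"""
from dataclasses import dataclass

PILLARS = ("financial", "strategic", "operational", "security",
           "reputational", "regulatory")

# Assumed relative weight of each pillar in the overall score (sums to 1.0).
PILLAR_WEIGHTS = {
    "financial": 0.15, "strategic": 0.15, "operational": 0.20,
    "security": 0.25, "reputational": 0.10, "regulatory": 0.15,
}
SCALE_MAX = 5  # likelihood and impact are each rated 1..5 (assumed scale)
# Assumed tier thresholds on the normalised 0..1 score, checked top-down.
TIERS = ((0.40, "high"), (0.20, "medium"), (0.0, "low"))


@dataclass(frozen=True)
class RiskItem:
    pillar: str
    description: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    counted: bool = True  # False: noted in the record, not held against the vendor

    def __post_init__(self):
        if self.pillar not in PILLARS:
            raise ValueError(f"unknown pillar: {self.pillar}")
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be 1..{SCALE_MAX}, got {value}")

    def score(self) -> float:
        """R = L x I, normalised to 0..1 by dividing by the maximum product."""
        return self.likelihood * self.impact / (SCALE_MAX * SCALE_MAX)


def pillar_scores(items):
    """Mean normalised score of the counted items in each pillar (0.0 if none)."""
    result = {}
    for pillar in PILLARS:
        counted = [i.score() for i in items if i.pillar == pillar and i.counted]
        result[pillar] = sum(counted) / len(counted) if counted else 0.0
    return result


def overall_score(items) -> float:
    """Weighted sum of the pillar scores, rounded to three decimals."""
    scores = pillar_scores(items)
    return round(sum(PILLAR_WEIGHTS[p] * scores[p] for p in PILLARS), 3)


def tier(score: float) -> str:
    for threshold, label in TIERS:
        if score >= threshold:
            return label
    return "low"


def assess(items):
    """Score, tier, pillars with no counted evidence (assessment gaps), and
    items that were noted but deliberately excluded from the weighting."""
    score = overall_score(items)
    return {
        "score": score,
        "tier": tier(score),
        "pillars": pillar_scores(items),
        "gaps": [p for p in PILLARS
                 if not any(i.pillar == p and i.counted for i in items)],
        "noted_only": [i.description for i in items if not i.counted],
    }


def prioritize(vendors):
    """Rank vendor names by overall score, highest risk first."""
    return sorted(vendors, key=lambda name: overall_score(vendors[name]), reverse=True)


# Constructed sample input, loosely mirroring the page's high- and low-risk examples.
HIGH_RISK_VENDOR = [
    RiskItem("security", "No independent audit; self-attestation only", 4, 5),
    RiskItem("security", "Remote support sessions are not logged", 3, 4),
    RiskItem("regulatory", "Cannot produce a list of n-party support vendors", 4, 4),
    RiskItem("operational", "Single data centre, DR plan never tested", 3, 5),
    RiskItem("financial", "Audited financials show positive cash flow", 1, 4),
    RiskItem("strategic", "Rumoured acquisition target", 2, 3),
    RiskItem("reputational", "One negative news article about layoffs", 2, 2, counted=False),
]
LOW_RISK_VENDOR = [
    RiskItem("security", "Annual third-party SOC 2 Type II report provided", 1, 5),
    RiskItem("regulatory", "Full n-party vendor map provided under contract", 1, 4),
    RiskItem("operational", "Multi-region hosting with annual DR test evidence", 1, 4),
    RiskItem("financial", "Strong balance sheet", 1, 3),
    RiskItem("strategic", "Stable ownership, no acquisition signals", 1, 3),
    RiskItem("reputational", "No complaints found", 1, 2),
]

if __name__ == "__main__":
    vendors = {"vendor-a": HIGH_RISK_VENDOR, "vendor-b": LOW_RISK_VENDOR}
    for name in prioritize(vendors):
        print(name, assess(vendors[name]))
```

The "gaps" list is the caveat a reviewer should look for before trusting a score: a pillar that contributes 0.0 because nobody assessed it (or because its only finding was noted but not counted) is not the same as a pillar that was assessed and found low-risk, and the note on the high-risk example above is exactly that distinction.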
Summary
Seek to understand all potential risk impacts to better prepare your organization for success.
- Organizations need to understand and map out their entire vendor landscape.
- Understand where all your data lives and how you can control it throughout the vendor lifecycle.
- Organizations need to be realistic about the likelihood of potential risks in the changing global world.
- Those organizations that consistently follow their established risk-assessment and due-diligence processes are better positioned to avoid penalties.
- Understand how your vendors prioritize your organization in their business continuity processes.
- Bring the right people to the table to outline potential risks in the market and your organization.
- Socialize the third-party vendor risk management process throughout the organization to heighten awareness and enable employees to help protect the organization.
- Organizations need to learn how to assess the likelihood of potential risks in the changing global markets and recognize how their partnerships and subcontracts affect their brand.
- Incorporate lessons learned from prior incidents into your risk management process to build better plans for future issues.
Organizations must evolve their risk assessments so that they respond meaningfully to global changes in the market.
Organizations should increase the resources dedicated to monitoring the market as regulatory agencies continue to hold them more and more accountable.
Bibliography
Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.
Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.
Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.
“Weak Cybersecurity Is Taking a Toll on Small Businesses.” Tripwire (tripwire.com).
SecureLink. “2022 White Paper” (SL_Page_EA+PAM), hosted on rocketcdn.me.
Shared Assessments Member Poll, March 2021. “Guide: Evolving Work Environments: Impact of Covid-19 on Profile and Management of Third Parties.”
“Cybersecurity only the tip of the iceberg for third-party risk management”. Help Net Security, April 21, 2021. Accessed: 2022-07-29.
“Third-Party Risk Management (TPRM) Managed Services”. Deloitte, 2022. Accessed: 2022-07-29.
“The Future of TPRM: Third Party Risk Management Predictions for 2022.” OneTrust, 20 Dec. 2021. Accessed 2022-07-29.
“Third Party Vendor definition”. Law Insider, Accessed 2022-07-29.
“Third Party Risk”. AWAKE Security, Accessed 2022-07-29.
Glidden, Donna. "Don't Underestimate the Need to Protect Your Brand in Publicity Clauses", Info-Tech Research Group, June 2022.
Greenaway, Jordan. "Managing Reputation Risk: A start-to-finish guide", Transmission Private, July 2022. Accessed June 2022.
Jagiello, Robert D., and Thomas T. Hills. “Bad News Has Wings: Dread Risk Mediates Social Amplification in Risk Communication.” Risk Analysis: An Official Publication of the Society for Risk Analysis, vol. 38, no. 10, 2018, pp. 2193-2207. doi:10.1111/risa.13117
Kenton, Will. "Brand Recognition", Investopedia, August 2021. Accessed June 2022.
Lischer, Brian. "How Much Does it Cost to Rebrand Your Company?", Ignyte, October 2017. Accessed June 2022.
"Powerful Examples of How to Respond to Negative Reviews", Review Trackers, February 2022. Accessed June 2022.
"The CEO Reputation Premium: Gaining Advantage in the Engagement Era", Weber Shandwick, March 2015. Accessed June 2022.
"Valuation of Trademarks: Everything You Need to Know", UpCounsel, 2022. Accessed June 2022.
Related Info-Tech Research
Identify and Manage Financial Risk Impacts on Your Organization
- Vendor management practices educate organizations on potential financial impacts that vendors may incur and suggest systems to help manage them.
- Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.
Identify and Manage Reputational Risk Impacts on Your Organization
- Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
- Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.
Identify and Manage Strategic Risk Impacts on Your Organization
- Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
- Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.
Regulatory guidance and industry standards
- International Organization for Standardization (ISO)
- Foreign Corrupt Practices Act (FCPA)
- Sarbanes–Oxley Act (SOX)
- National Institute of Standards & Technology (NIST)
- Control Objectives for Information and Related Technologies (COBIT)
- EU General Data Protection Regulation 2016/679 (“GDPR”)
- UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (UK GDPR)
- Swiss Federal Act on Data Protection (Swiss FDPA) – coming September 1, 2023
- IR35 (UK Off-Payroll compliance)
- Technology Code of Practice (UK)
- Modern Slavery Act 2015 (UK)
- Defense Federal Acquisition Regulation Supplement (DFARS)
- Cybersecurity Maturity Model Certification (CMMC)
- Payment Card Industry Data Security Standard (PCI DSS)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)