Intro and Background
In today’s dynamic business and technology environment, most companies rely on services provided by third-party vendors to support a variety of functions. Not only does the use of outside vendors bring cost savings and efficiency in operational processes, but also an opportunity for subject matter expertise which can result in sustained growth for a company. With that said, acquiring services from outside vendors involves a multitude of risks related to privacy and compliance, in addition to risks similar to those that arise when these functions are performed internally. Some of the associated risks include the following: a) confidentiality of information, b) regulatory concerns, and c) threats to security, availability, and integrity of systems and resources.
During the Target data breach in 2013, hackers stole a reported 40 million credit card numbers in one of the biggest data breaches in history. The initial intrusion into Target’s systems was traced back to network credentials that were stolen from a third-party vendor – a heating, ventilation, and air conditioning (HVAC) subcontractor that worked at a number of locations at Target and other top retailers. It is still unclear why Target would have given external network access to an HVAC servicer; however, one thing is for certain – companies are now spending and investing large amounts in vendor risk management to avoid being the victim of a similar breach. As such, it is vital to implement a comprehensive vendor risk management program and ensure that proper due diligence, contract considerations, and performance review monitoring are in place to better manage the risks associated with using outside vendors.
The concept of vendor risk management is not a “one and done” exercise, but one that begins prior to the formal relationship with vetting and selection of a third-party vendor and extends to after the relationship ends considering any post-termination rights of data and other related information. While imperative to use a dedicated risk management team, it is also important to maintain involvement from other areas of a company such as legal, compliance, and senior management. Using a holistic approach for the vendor risk management program will better align its focus areas with a company’s overall strategic initiatives and risk appetite. Also, the risk management processes used in the program should be commensurate with the level of risk and complexity for each third-party relationship. For instance, more oversight should be performed for third-party relationships that involve critical activities – significant financial functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., IT, HR).
A vendor risk management program can be tailored to fit the structure and needs of a company based on size and industry dynamics; however, it should at least in some form contain the two primary components of 1) due diligence/risk assessment and 2) ongoing monitoring. See below for details related to each component.
1. Due Diligence/Risk Assessment
This component is probably the most crucial, as it identifies risk profiles for third-party vendors and thus determines if the business relationship ultimately makes sense from a cost/benefit perspective. For a starting point, perform a risk assessment using both qualitative and quantitative methods to obtain an understanding of the risks associated with third-party vendors. The risk assessment can include a combination of items such as a standardized information security questionnaire, on-site interviews with key stakeholders, and review of security documentation (e.g., policies, procedures). Following the risk assessment, assign a risk level classification for each third-party vendor based on defined thresholds – low, medium, and high. Lastly, develop a contract that clearly defines expectations and responsibilities of a third-party vendor to ensure the contract’s enforceability, limit the company’s liability, and mitigate disputes about performance.
2. Ongoing Monitoring
The initial risk level classification during the due diligence process will typically determine the degree of ongoing monitoring for each third-party vendor within the program. Management should assign dedicated staff with the necessary expertise and experience to oversee and monitor the third-party vendors commensurate with the level of risk and complexity of the relationship. The ongoing monitoring process provides the ability to further assess critical areas of risk such as financial stability, IT security, and incident management. As both the level and types of risks may change over the lifetime of third-party relationships, a company should ensure that its ongoing monitoring process adapts accordingly. This monitoring may result in changes to the frequency and types of required reports from each third-party vendor, including service level agreement performance reports, audit reports, and control testing results.
While the initial effort of developing and implementing a vendor risk management program may require a lot of time and resources for a company, the results will provide a breadth of growth opportunities from both a financial and operational perspective. Having a streamlined, efficient approach for identifying and monitoring third-party vendor risks enables a company to focus on other strategic initiatives for its long-term outlook.
To learn more or inquire about how Clearview Group can help your organization, please reach out to:
- Scott Freinberg, Director, Risk Advisory at: email@example.com or 410-415-9705
- Kris Pratte, Director, Risk Advisory at: firstname.lastname@example.org or 410-415-9747