January 23, 2021
Three Challenges For Vendor Risk Professionals
I recently watched the classic Japanese animation film ‘Spirited Away’. It was a magnificent movie, full of visual enchantment and fantastical characters (I would highly recommend it for all ages). In my opinion, one of the best characters was the many-armed boiler room manager, Kamaji. Kamaji worked at a furious pace with the help of his hundreds of minions to keep the boiler running, while at the same time lending small yet meaningful help to the protagonist of the story, Chihiro.
I thought about how professionals in Vendor Risk/Third Party Risk are similar to Kamaji. They work at a furious pace to review vendors and need many (digital) arms to keep up with the different parts of the assessment process.
I’ve spoken to about a hundred vendor risk professionals over the past six months, and I would say the challenges they face fall into one of three categories:
- Gathering Data From The Vendor
- Analyzing Data From The Vendor
- Moving Their Enterprise To Act
Gathering Data From The Vendor
Vendor risk teams have a heck of a time tracking down vendors and gathering the data that their organization needs to make informed decisions. Here’s a small and very incomplete list of scenarios that I’ve recently heard about:
- Vendor provides data but takes 6+ weeks to do so on average.
- Vendor does not provide data and we don’t even have a Sales Rep to contact.
- Vendor points to a website where you can easily download only their SOC 3 report.
- Vendor provides data but actually filled in information related to a somewhat related partner company.
If you are a VRM/TPRM professional, nothing on this list would remotely surprise you, and you could most likely create your own list of 50 examples. Some of the newest tech vendors have made progress that makes this process easier, but we still have a long way to go.
Analyzing Data From The Vendor
If you thought gathering data was a challenge, let’s take a quick look through Door #1. Spreadsheets with hundreds of questions, BCP policies, DR plans, SDLC, physical security, cloud security, DNS providers, penetration test results, 300-page SOC reports, CCPA privacy implications, audited financials – there is a ton of stuff to review! I’m not even going to mention fourth-party vendors (oops, I did) or the challenge of assessing a fully remote organization that happens to make up 5 of your 20 most critical vendors.
To say it’s a monumental task is an understatement. Organizations have developed strategies such as risk-based tiering, but the number of vendors now relied upon to deliver critical services is staggering. Multiply this number by the amount of data there is to review and you have a type of storm that I don’t feel comfortable typing in a professional setting.
There are vendors, including Teepee (www.teepeesafe.com), that are trying to help organizations with conducting vendor due diligence at a reasonable cost.
Moving Their Enterprise To Act
You’ve gathered data and you’ve completed an extensive vendor analysis. The hard part is over, right? Not yet. As a Vendor Risk Manager, you don’t ‘own’ the risk; you present the risk to the person making the purchase, aka ‘the business owner’. The business owner is incentivized by speed and agility, not risk. At the same time, the last thing the vendor wants to do is contractually agree to changes that they know will cost a lot of money or take a lot of time (or both).
For new vendors, the business owner and vendor might be more willing to make changes. What happens when you have an entrenched vendor that has been used at your company for multiple years? Too often there won’t be enough organizational support to require the necessary changes. A successful vendor risk management program will have buy-in from the very top of the organization in order to mitigate identified risks.
Do you agree with these challenges? What other challenges are you dealing with in your VRM/TPRM program?