Saturday, September 15, 2012

The Good, Bad and Ugly of Vendor Risk Management

Yesterday I had the good fortune to attend and participate in a Mini-Summit on 3rd party risk and vendor risk management sponsored by Prevalent Networks (see Prevalent Networks at www.prevalent.net) that was held in Jersey City.

I say fortune because there was a lot of experience and knowledge in the room among the 50+ attendees, which made the Summit well worth attending. Lots of questions, observations, experiences and insights made it worthwhile to learn from those who were further ahead than others in managing the risks posed by vendors that handle information or deliver IT services for your organization.

A few interesting findings from the Summit:

  • Managing the risks posed to the business from vendors dealing with information or IT services starts in IT, but moves to involve many other functions as organizational procedures mature.
  • Get ready for fourth-party risk management: the vendors of your vendors, to whom work has been subcontracted.
  • Don't treat every vendor the same: they are not equal.
  • Use importance to the business as the yardstick for doubling down on the vendors you actively manage.
  • Use financial value and cost-to-comply as yardsticks to determine whether you even bother with managing entire swaths of vendors.
  • Large firms can easily have 100+ high-risk vendors that need to be actively managed.
  • Total vendor counts can easily exceed 500 to 1,000 vendors at large organizations.
  • Size, scale, and complexity mean that spreadsheets and ad-hoc tools for vendor risk management programs simply don't cut it anymore.

The Good

The people from Shared Assessments provided an update on what they are working on, which was enjoyed by many of the attendees. The folks from Veracode provided some outstanding insight into the risks posed by 3rd-party application code and how they go about making it possible to more easily, and cost-effectively, manage risks from 3rd-party applications. The people from Symantec provided an introduction to what they are doing in the area of GRC, including vendor risk management. The results of the workshop conducted by IT Policy Compliance showed everyone attending scored in the average (yellow) range. There was no one willing to self-identify as being a laggard (red) and no one willing to say they are a leader (green). This was a bit unusual, but a solid indication that more improvement is possible, and warranted.

The Bad

Unfortunately, the road traffic in the area was its normal parking-lot self. This prevented another 20 to 30 people who had committed to attending from making it to the Summit. Perhaps another time, as the event may be scheduled again.

The Ugly

I related a story of a friend of mine who's being held hostage to the contract-policy-police at a large organization. This is a situation where vendor risk management questions and procedures are not being implemented. It appears something he's doing is classified as handling sensitive information, despite the fact that the information is largely unintelligible until it's transferred to his client. Despite this, the outsourced contract-enforcement firm insists he spend more than three times the contract value on new external audits and security controls.

The outsourced contract firm acting on behalf of his client is NOT allowed to ask intelligent questions, such as: "Is this a real and relevant business risk to the buyer?", or "Does what's spent on mitigating controls exceed the value?" So far it's been full-steam ahead with demands that make no sense.

This is an example of where intelligent, business-wise vendor risk management becomes especially helpful because an intelligent filter applied at different stages of the process makes it possible to evaluate whether the conditions pose significant business risk or not, whether the cost of controls outweighs the value, whether risk mitigation procedures are warranted, and as conditions change whether prior prescriptive controls need to be relaxed or strengthened.
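Reading the Summit's yardsticks (importance to the business, financial value, cost-to-comply, fourth parties) together with the story above, one way to make that "intelligent filter" concrete is a small tiering routine that decides, per vendor, whether to assess, escalate, or merely monitor. The following is an added example written for this page; it is not the Summit's material, Prevalent's or any other vendor's tool, and not anything the author described. The vendor attributes, the weights, the tier thresholds, and the four sample vendors are all assumptions constructed for illustration.

```python
"""Tiered, cost-aware vendor risk filter (illustrative example, not a product)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool   # PII, card data, credentials, etc.
    service_criticality: int       # assumed scale: 0 (none) .. 3 (business stops without it)
    annual_contract_value: float   # what the buyer pays per year
    control_cost: float            # estimated yearly cost of the audits/controls demanded
    subcontractors: list[str] = field(default_factory=list)  # fourth parties


def inherent_risk_score(v: Vendor) -> int:
    """Assumed weighting: data sensitivity dominates, criticality next,
    fourth-party exposure adds a capped increment."""
    score = 5 if v.handles_sensitive_data else 0
    score += 2 * v.service_criticality
    score += min(len(v.subcontractors), 3)
    return score


def tier(v: Vendor) -> str:
    """Assumed thresholds; a real program sets these from its risk appetite."""
    s = inherent_risk_score(v)
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def decide(v: Vendor) -> tuple[str, str, str]:
    """Return (tier, action, reason).

    Low-tier vendors are not actively managed at all (the 'entire swaths'
    yardstick). For everyone else, the cost of the demanded controls is
    compared with the contract value before prescriptive controls are
    imposed: when controls cost more than the relationship is worth, the
    case is escalated for a business decision instead of being pushed
    through as-is (the scenario in the story above).
    """
    t = tier(v)
    if t == "low":
        return t, "monitor", "low inherent risk; no assessment effort spent"
    if v.control_cost > v.annual_contract_value:
        return t, "escalate", (
            "control cost exceeds contract value; decide whether to accept "
            "the risk, resize the controls, or exit the relationship"
        )
    return t, "assess", "proportionate due diligence for this tier"


def triage(vendors: list[Vendor]) -> dict[str, list[str]]:
    """Group vendor names by the action the program should take."""
    out: dict[str, list[str]] = {"assess": [], "escalate": [], "monitor": []}
    for v in vendors:
        _, action, _ = decide(v)
        out[action].append(v.name)
    return out


# Constructed sample portfolio (not real vendors).
SAMPLE_VENDORS = [
    Vendor("PayrollCo", True, 3, 500_000, 40_000, ["CloudHost", "PrintCo"]),
    # A small supplier whose data is classified 'sensitive' although it is
    # of little use before delivery, and who is being asked to spend more
    # than three times the contract value on audits and controls.
    Vendor("DocTranslate", True, 1, 20_000, 65_000),
    Vendor("OfficePlants", False, 0, 3_000, 500),
    Vendor("EdgeCDN", False, 3, 120_000, 15_000,
           ["PopA", "PopB", "PopC", "PopD", "PopE"]),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        t, action, reason = decide(v)
        print(f"{v.name:13} tier={t:6} action={action:8} {reason}")
    print(triage(SAMPLE_VENDORS))
```

The point of the cost check is not that expensive controls are always wrong; it is that a demand costing more than the contract is worth should force an explicit decision (accept, resize, or exit) rather than be applied mechanically.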

Having seen this behavior unravel at other organizations, it's possible my friend's client will end up where others did: with concentrated supplier risk as the supply base is whittled down to a few large vendors, with opportunities that simply go away, with higher costs passed along to customers, and with impacts on operating results after customers defect to lower-priced suppliers that are easier to conduct business with.

This is the Ugly side of not doing vendor risk management, or of not doing it right.

Followup

If you are interested in the results of the Summit or are simply interested in finding out about others that may be scheduled, contact the folks at Prevalent Networks.

Source: http://www.itpolicycompliance.com/blog/uncategorized/the-good-bad-and-ugly-of-vendor-risk-management/

