The experts spend a lot of time describing how an organization should be doing Vendor Risk Management (VRM) but they tend to overlook a critical factor – mainly, who should be doing VRM within organizations. The push for information security VRM is relatively new, and as a result, responsible parties are ill-defined with the role of Vendor Risk Manager not formalized in many organizations. The mix of personnel overseeing VRM programs is truly varied, ranging from security analysts, IT directors, compliance departments, CISOs, etc.
It’s a mistake to think that a single person or a team of people should be solely responsible for VRM. This approach is neither reasonable nor particularly helpful. Instead, a logical distribution of risk management responsibilities should reflect who has ownership of certain key information about the vendor. Through the VRM process – inventory, classify, assessment, remediation – different risk management roles should step forward to propel the process forward.
We’llstart with a role that is not actively involved in evaluation vendors. Rather,they provide the framework that allows for other players to complete theirresponsibilities.
EXECUTIVE LEADERSHIP
A VRM program can be stymied without the buy-in and support of the upper management. The initiative needs to be backed by a policy that gives the Supplier Risk Manager authority to:
- set out an internal protocol for onboarding new vendors and evaluating current vendors;
- terminate vendors who do not comply or do not meet the acceptable risk criteria. Business requirements will always push back against VRM practices, but executive support can enforce consequences for non-compliance.
Executive leadership also has motivation for doing so, as executives will have to answer to customers and/or the board if an adverse event happens as a result of poor VRM.
What does a vendor risk manager do?
Risk Manager is the person or team of people who oversees the organization’s VRM program. They are given oversight over vendor risk because they have the expertise that allows them to make judgment calls on what constitutes an acceptable amount of vendor risk. They should also have the authority to take steps to mitigate risk. Over time, they need to curate the vendor population, looking to maximize the opportunity vendors represent, while minimizing the risk they introduce. Risk Managers need to have a high-level view that they can easily communicate to senior-level management. Their time and expertise must be allocated smartly.
Who should take the role of relationship owner?
The undeniable truth is that VRM requires a lot of information gathering. The best bet for accurate and up-to-date information is to make use of Relationship Owners. During the inventory stage, each vendor should be assigned to an internal person who has knowledge of the vendor’s scope of service. By default, the Relationship Owner is the person who engaged the vendor’s services or the person who approves the invoice. Relationship Owners are important because they can supply basics about the vendor that would otherwise have to be gathered by the Risk Manager. This can include clerical information (industry, services, address) as well as knowledge of the access level the vendor has to certain types of information.
Relying on a Relationship Owner to annually update this information keeps the vendor relationship in focus over the passage of time. This periodic information capture tamps down on out-of-control spreadsheets that would otherwise require massive manual updates. Additionally, it forces employees across the organization to take literal “ownership” for the vendors they work with. Information security should never be the sole purview of the Risk Management team as it is the whole organization that will be hurt and held responsible in the case of an adverse event.
VENDOR CONTACT
Whilenot an internal VRM player, vendors are worth mentioning here because so oftenRisk Managers act apologetically in asking vendors to participate in their ownevaluation. Larger organizations do tend to be better at this than smallerones. The role of the vendor is to complete the assessment sent to them aspromptly as is reasonable. If the vendor is determined to have high risk potential,then they need to undergo assessment to determine if they are protecting theinformation entrusted to them. Asking for them to answer an assessment shouldbe treated like any run-of-the-mill business task such as filling out an NDA,signing a contract, etc.
So far,we’ve only reviewed roles that have an active part in evaluating vendors. A VRMtool is worth mentioning as it can greatly alleviate the workload of the RiskManager.
TOOL
There isno way to avoid adopting some sort of organizing structure when conducting VRM.For this reason, it’s worth investing in a tool that will remove manual aspectsand ensure scalability over time. Look for a tool that can play the gopherrole, facilitating communications, sending to-dos and automatic reminders, andtracking progress. Even better, some tools process submitted responses andproduce a risk score based on built-in logic. The work put in to learn thetool’s logic or develop the scoring yourself, is an investment that will returna hundredfold. Having a standardized risk score eliminates the need for RiskManagers to review assessment responses and other collected documentation. Inaddition, the risk score can be used to make comparison and measure growth overtime.
Below isa list of actions that a good VRM tool should be able to handle:
- Keepdynamic inventory
- Sendtasks and automatic reminders
- Facilitateall communications
- Prohibitvendors from submitting partial answers
- Usesystemically applied scoring and logic
- Keepaudit and logs
- Storeall documents and results
- Offerdashboard and reporting capabilities
Information security VRM is ramping up in intensity and one way to get a handle on it is to take the time to divvy up the vendor management responsibilities to the right person. Not only is information more accurate when gathered from the source, but it results in the organization overall having more awareness of the importance of vendor risk. This awareness should extend from the relationship owners who engage vendors daily to the executive-level leadership. With everyone aligned towards the same goal, Risk Managers are both empowered and better equipped to meet their VRM objectives.
If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
Estimate your score or book free demo today
Estimator | Get a Demo