The experts spend a lot of time describing how organizations should be doing Vendor Risk Management (VRM), but they tend to overlook a critical factor – namely, who should be doing VRM within organizations. The push for information security VRM is relatively new, and as a result, responsible parties are ill-defined, with the role of Vendor Risk Manager not formalized in many organizations. The mix of personnel overseeing VRM programs is truly varied, including security analysts, IT directors, compliance departments, CISOs, etc.
It’s a mistake to think that a single person or a team of people should be solely responsible for VRM. This approach is neither reasonable nor particularly helpful. Instead, a logical distribution of responsibilities should reflect who has ownership of certain key information about the vendor. Throughout the VRM process – inventory, classification, assessment, remediation – different roles should step up to move the process forward.
We’ll start with a role that is not actively involved in evaluating vendors. Rather, they provide the framework that allows other players to complete their responsibilities.
A VRM program can be stymied without the buy-in and support of upper management. The initiative needs to be backed by a policy that gives the Risk Manager authority to 1) set out internal protocol for onboarding new vendors and evaluating current vendors and 2) terminate vendors who do not comply or do not meet the acceptable risk criteria. Business requirements will always push back against VRM practices, but executive support can enforce consequences for non-compliance. Executive leadership also has motivation for doing so, as executives will have to answer to customers and/or the board if an adverse event happens as a result of poor VRM.
The Risk Manager is the person or team of people who oversees the organization’s VRM program. They are given oversight of vendor risk because they have expertise that allows them to make judgement calls on what constitutes an acceptable amount of vendor risk. They should also have the authority to take steps to mitigate risk. Over time, they need to curate the vendor population, looking to maximize the opportunity vendors represent while minimizing the risk they introduce. Risk Managers need to have a high-level view that they can easily communicate to senior-level management. Their time and expertise must be allocated smartly.
The undeniable truth is that VRM requires a lot of information gathering. The best bet for accurate and up-to-date information is to make use of Relationship Owners. During the inventory stage, each vendor should be assigned to an internal person who has knowledge of the vendor’s scope of service. By default, the Relationship Owner is the person who engaged the vendor’s services or the person who approves the invoice. Relationship Owners are important because they can supply basics about the vendor that would otherwise have to be gathered by the Risk Manager. This can include clerical information (industry, services, address) as well as knowledge of the access level the vendor has to certain types of information.
Relying on a Relationship Owner to annually update this information keeps the vendor relationship in focus over the passage of time. This periodic information capture tamps down on out-of-control spreadsheets that would otherwise require massive manual updates. Additionally, it forces employees across the organization to take literal “ownership” of the vendors they work with. Information security should never be the sole purview of the Risk Management team, as it is the whole organization that will be hurt and held responsible in the case of an adverse event.
While not an internal VRM player, vendors are worth mentioning here because so often Risk Managers act apologetically in asking vendors to participate in their own evaluation. Larger organizations do tend to be better at this than smaller ones. The role of the vendor is to complete the assessment sent to them as promptly as is reasonable. If the vendor is determined to have high risk potential, then they need to undergo assessment to determine if they are protecting the information entrusted to them. Asking them to answer an assessment should be treated like any run-of-the-mill business task such as filling out an NDA, signing a contract, etc.
So far, we’ve only reviewed roles that have an active part in evaluating vendors. A VRM tool is worth mentioning as it can greatly alleviate the workload of the Risk Manager.
There is no way to avoid adopting some sort of organizing structure when conducting VRM. For this reason, it’s worth investing in a tool that will remove manual aspects and ensure scalability over time. Look for a tool that can play the gofer role, facilitating communications, sending to-dos and automatic reminders, and tracking progress. Even better, some tools process submitted responses and produce a risk score based on built-in logic. The work put in to learn the tool’s logic or develop the scoring yourself is an investment that will return a hundredfold. Having a standardized risk score eliminates the need for Risk Managers to review assessment responses and other collected documentation. In addition, the risk score can be used to make comparisons and measure growth over time.
Below is a list of actions that a good VRM tool should be able to handle:
- Keep dynamic inventory
- Send tasks and automatic reminders
- Facilitate all communications
- Prohibit vendors from submitting partial answers
- Use systemically applied scoring and logic
- Keep audit trails and logs
- Store all documents and results
- Offer dashboard and reporting capabilities
Information security VRM is ramping up in intensity, and one way to get a handle on it is to take the time to divvy up the responsibilities among the right people. Not only is information more accurate when gathered from the source, but it results in the organization overall having more awareness of the importance of vendor risk. This awareness should extend from the Relationship Owners who engage vendors daily to the executive-level leadership. With everyone aligned towards the same goal, Risk Managers are both empowered and better equipped to meet their VRM objectives.