SlideShare uma empresa Scribd logo
1 de 16
Baixar para ler offline
HEADQUARTERS
33 Bradford Street
Concord, MA 01742
PHONE: 978-451-7655
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
BUILDING BETTER VENDOR
RISK ASSESSMENTS
INCREASING THE QUALITY & EFFICIENCY
OFYOUR VENDOR RISK PROGRAM
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
1
BUILDING BETTER ASSESSMENTS
This white paper is the fourth in a series about creating an effective vendor risk man-
agement program. Previous installments include:
•	 Part I: Four Keys to Creating a Vendor Risk Management Program that Works
•	 Part II: Identifying Vendor Risk: The Critical First Step in Creating an Effective
Vendor Risk Management Program
•	 Part III: The Vendor Manager’s Guide to Risk Reduction
INTRODUCTION
Creating an enterprise-wide vendor risk management (VRM) program from scratch is
a challenge that daunts many risk management professionals. If you’re lucky, you get
to start with an accurate list of vendors and strong executive sponsorship. More than
likely, however, you will start with an outdated list of vendors and will have to build a
business case for funding the program. Either way, staring at blank pages that have to
become the policies, processes, procedures, and standards for your VRM program can
be overwhelming.
Empowered with the executive sponsorship and the funding to make a go of it, in the
first year of your VRM program you’ll likely:
•	 Inventory and categorize your vendors to understand the risks inherent with
your vendor portfolio
•	 Develop and communicate expected controls standards for your vendors
•	 Develop methods of assessment (commonly questionnaire-based) to assess
vendors’ controls
•	 Assess your critical vendors
•	 Manage the remediation of any issues identified during the assessments
2
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
This can be a lot of work but, with diligence and focus, it’s completely achievable.
After that first year, you should have some knowledge of what worked well with
your process, and what didn’t. At this point you can put your assessment meth-
odology into a continuous improvement cycle.
You will want to reevaluate what you are doing and consider how you can im-
prove the process in order to gain an even better understanding of your vendors
and the risks they might pose to your business. A regular review of your assess-
ment process also provides the opportunity to incorporate any new regulatory
expectations into your vendor assessments.
How do you build better assessments as your VRM program matures? To im-
prove your VRM program, you should evaluate these four elements:
•	 Quality—How did you perform against your objectives during the
previous year? How can you improve the consistency of your program
and other aspects of what you’re already doing? What are the lessons
learned?
•	 Alignment—Is your VRM program aligned with your business and its
regulatory requirements? Have you taken into consideration changes
in your business and new regulatory guidance?
•	 Veracity—Are you testing controls in a way that makes sense and is
efficient? Are you sufficiently testing where the control execution risk
lies? Or, are you burning cycles with ineffective or unnecessary test-
ing?
•	 Efficiency—When assessing the above three areas, it's easy to fall prey
to scope creep. Are you doing what’s required to keep the program
within your resource constraints while maximizing the usefulness of
those resources?
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
3
By addressing these areas, you can develop a more thorough and effective as-
sessment process.
QUALITY: RESOURCE ALLOCATION, EFFECTIVE
COMMUNICATION, REPRODUCIBILITY, AND
THE CASE FOR CENTRALIZED MANAGEMENT
Whether you’ve just finished running your VRM program for the first year or the
fifth, it’s time to look back and reflect on what could have been better. One of
the more difficult things to do, particularly in the first year, is match the scope of
your assessment methodology to your available resources. There are two funda-
mental questions you should ask yourself:
•	 “Were we able to assess all of the vendors we wanted to assess?”
•	 “Were we able to manage the remediation of all of the issues identified
by those assessments?”
If you were too ambitious, your answer to one or both of these questions may
be, “no.” It can be easy to get bogged down as you work to help vendors un-
derstand the initiative, wait for responses, and clarify your questions. Assessing
fewer vendors than intended isn’t really all that bad; it’s a normal growing pain.
But, it does help identify where you might need to be more efficient: can you
clarify your communications with your vendors, can you better train your asses-
sors, should you do fewer site visits, or should you re-visit vendor criticality and
prioritization?
As we discussed in detail in The Vendor Manager’s Guide to Risk Reduction
[download], the real danger can be under-resourcing your remediation manage-
ment. If you don’t work with your vendors to resolve the issues identified during
their assessments, the very investment in those assessments is marginalized.
4
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
You may actually reduce more risk by attempting fewer or smaller assessments
and ensuring that the issues identified are resolved. Remember – your goal is
to reduce risk. Balancing vendor coverage, assessment scope, and remediation
management to resolve the most and highest risk issues is what matters.
Once you’ve looked at the alignment between the scope of your program and
your resources, the next question you should ask yourself is, “Does my assess-
ment methodology effectively address the risks I intend for it to address?” In
other words, do my vendors understand the questions I’m asking AND do their
responses make sense? Take a moment and look at the places where you’ve
asked a question but consistently gotten answers on a different topic. For ex-
ample:
“What wireless security features do you use?”
Without a doubt, the author of this question knows exactly what they’re asking.
But, does the respondent? Is this a question about wireless computer networks
or mobile telephones? Regardless of how carefully you develop your question-
naire, you’ll invariably have a few questions that are ambiguous or confusing.
Paying attention to the responses you receive throughout the year will help you
identify and improve these questions. Getting well-aligned, clean responses to
your questionnaire will improve not only the accuracy of your results but your
efficiency as well.
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
5
Similarly, if you’re rating your vendors or scoring their responses, do those scores make
sense? As you look at the risk ratings assigned to issues identified, do the high risk find-
ings truly pose more risk than the medium risk findings? This may seem inconsequential
but if your goal is to reduce the most risk with the resources you have and if your meth-
odology calls for prioritization based on these scores, then getting this right is critical to
the overall effectiveness of your program.
Once you’re happy with your assessments on an individual basis, the next question to
ask is, “Am I consistent from assessment to assessment?” Inconsistent results can be an
indication that your VRM program needs tighter processes and procedures. In addition,
it can also mean that your assessment team, which will inherently include profession-
als with different backgrounds and levels of experience, may need more orientation or
training on the program. Driving toward consistency is key because it assures a minimum
standard for the assessment work and gives you a baseline for program improvement.
These, in turn, give you the ability to reliably compare and contrast vendors.
VRM programs often begin within existing centers-of-excellence within an organization.
For example, it is common for information security departments to develop third party
information risk assessment methodologies. However, it is not always a natural fit once
the VRM program is fully operationalized. By transferring the responsibility for third-par-
ty risk assessments to a group such as the procurement department or a vendor manage-
ment department, the VRM program can be more tightly aligned with other activities
central to the management of vendor relationships - such as managing service level
agreements (SLAs), insurance and bonding, and invoice accuracy. This type of centraliza-
tion often brings VRM out of disparate business units into a centralized function which,
in turn, reduces overlapping efforts and improves consistency.
You can also use process automation tools to boost the quality of your assessments.
Clear management reports and well-designed workflow systems are essential for ensur-
1. If your VRM program includes scoring models for vendor criticality, inherent risk, and
issue severity, as it should, you’ll want to appropriately validate these models, particularly
when rolling up this information for enterprise-wide reporting.
6
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
ing consistent, reproducible results across assessments. Furthermore, auto-
mated vendor risk management tools can generate the reports necessary for
management to monitor the VRM program, to enable accountability to business
constituents and auditors, and for model risk management activities.1
More
importantly, your VRM solution can give risk managers a clear picture of the
third-party risk to your organization and track open issues.
ALIGNMENT: TAILOR YOUR VENDOR ASSESSMENTS
TO YOUR BUSINESS NEEDS
Business needs can change over time. In a first-year VRM program, the goal
is usually just to get some number of assessments done in order to determine
where you stand with your vendors and find and remove some risk along the
way. These initial assessments tend to fall into one of three groups:
•	 Ad-hoc – where you don’t have formal criteria of any kind
•	 Standards-based – for example basing an information security assess-
ment on ISO 27002
•	 Extended enterprise – where you attempt to compare your vendors to
your own internal standards
None of these approaches is ideal but, of the three, standards-based assess-
ments and the extended enterprise assessments are preferred. From there the
questions you should ask are:
•	 Do the standards I’ve chosen match the needs of my particular busi-
ness?
•	 Which of my internal controls also apply to my vendors?
•	 Does the scope of the assessment capture the regulatory requirements
applicable to my vendors?
•	 Have I addressed the areas of risk unique to my vendor relationships?
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
7
This is, in essence, a requirements review and a gap analysis between those requirements
and your assessment program.
When in doubt, use industry standards as a starting point; they help make sure you don’t
forget the fundamentals. For information security, ISO 27002 with its 114 controls is an
excellent start. Other standards provide equally sound starting points for the industries
and risks they address. If you haven’t already done so, build your assessment question-
naires and methodologies from these materials.
Next, tackle your regulatory obligations. These are the must-dos of your industry so
you should address them up front. Map the questions in your assessment to what your
regulations expect from your vendors. If you’re a financial services firm subject to GLBA,
you’ll want to refer to the FFIEC handbook, OCC guidance, and similar publications. If
you’re in healthcare, you’ll want to refer to the HIPAA Security Standards Matrix.2
Re-
gardless of your particular regulatory burden, the concept is simple.
Make sure you know how your questionnaire and assessment address the regulatory
obligations and, if any regulatory obligations aren’t addressed, extend your assessment
and ask those questions of your vendors too.
It is important to consider the difference between how you should approach assessments
and how you should approach compliance. The assessment is how you collect informa-
tion from your vendors and form opinions about that information. With your assessment
completed, you can evaluate your state of compliance by using the relationship between
your assessment materials and your regulatory requirements as a framework for evaluat-
ing the regulatory implications of your findings. Starting with regulations and going the
other way is impractical because regulations are narrowly scoped and not intended as
frameworks for building security programs or any other kind of program for that matter.
2. Appendix A to Subpart C of Part 164 of the US CFR
8
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
Once your regulatory requirements are addressed, you can use your discretion to
make sure your vendor assessment program meets your particular risk manage-
ment needs. What’s changed about your business that may impact what you
expect from your vendors? Do you have any risks that aren’t addressed by your
regulations-enhanced, standards-based methodology? Are there any hot top-
ics within your organization that you want to make sure you address with your
vendors? If any of this is missing, now is the time to add it. This is not to say that
you want to assess your vendors in the same way that you do your own internal
controls assessment. In fact, much of what you do internally may not be appli-
cable to outside organizations, no matter how critical those organizations may
be to your business. Instead, only borrow from your internal risk management
programs those things that truly apply to your vendors.
After reviewing and incorporating so much content to the scope of your assess-
ment, now is the time to consider which information to cut in order to make your
assessment more concise. If there are any questions in your assessment that
don’t directly relate to a regulatory or business requirement, you should drop
them. They may be good ideas, but if they don’t apply to your vendors or the
work they do for you, answering them only adds time and unnecessary expense.
Now look at what you have left. Do you have the resources to manage such an
assessment? If not, cut some more. Cut the questions that map to low impact
risks. Cut the questions that go deeper into the details than is really required.
If necessary review these decisions with your regulators. What you have left
should meet your business and regulatory needs while focusing your resources
on the areas of highest risk. And, because you’ve conducted a proper require-
ments analysis along the way (and documented the tough decisions you’ve had
to make) you can defend your methodology against critics and make educated
adjustments in the future.
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
9
VERACITY: SAMPLE CONTROLS
THAT AFFECTYOUR CORE BUSINESS
You’ve sent your questionnaire to a vendor and they’ve replied, “Yes, we do these things.”
This sounds good but, how do you know? This is where the sampling of evidence comes
in. If you’re like most organizations, you ask for copies of policies and other things that
are supposed to provide the proof. Policy conveys the intent of management, but it
doesn’t guarantee a vendor is actually following the policy and doing the work. Receiv-
ing policy documents as evidence is certainly one kind of sampling – but it only samples
whether the vendor has a policy. If, instead, you want to know if the vendor actually per-
forms the controls required by those policies, you have to sample evidence of the actual
control performance, for example screen shots showing antivirus software enabled and
running is more convincing than a copy of an antivirus policy. Since it can be prohibitive-
ly expensive to sample all of a vendor's controls, you should sample only those controls
that matter the most to your business.
For example, if you are concerned about data security, you can test small statistical sam-
ples on controls such as system hardening, patching, application security, and antivirus
protection, in order to verify that these actions are really being performed as required by
policy. Correctly testing a small number of key controls provides a much better indication
of managed risk than a comprehensive analysis of a vendor's policies.
Another method to improve veracity is to accept your vendor’s own testing. Before a
vendor solicits your business, you would like it to have its own house in order. You want
to know that a vendor has hired an auditor or assessor to conduct an appropriately
scoped and aligned audit of its own business so that its management team can assert
that the company is operating properly (and controlling its own risk).
10
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
Beyond proof of an engaged management team, where vendors have done an
audit, you may be able to leverage the information in the audit report to accelerate
your vendor assessment. Consider that IT service providers typically have their own
operations assessed by independent auditors, who generate a Service Organization
Controls (SOC) report. SOC reports are specifically designed to help service orga-
nizations—organizations that operate information systems and provide that service
to other entities—build trust and confidence in their service delivery processes and
controls. SOC reports cover core aspects of the vendor’s business, such as poli-
cies, access controls, backups, and change management. Therefore, if you trust the
opinion of the auditor, you don’t need to test those controls directly.
A word of caution: Make sure you understand the scope of the outside assess-
ment you are relying on, as the audit may not align with your needs. There are two
modes of scope: content and assets. In terms of content, ask if the independent
assessment covers your topic of interest. For example, your vendor may present a
clean Sarbanes-Oxley (SOX) audit opinion in which the report includes extensive IT
controls testing. But, because SOX is focused on financial controls rather than on
services provided to clients, you have no guarantee that the same controls apply to
the work being done for you.
Sampling actual control performance is the only way to know the difference be-
tween a vendor’s intent and their actual ability to address risk. However, sampling
is expensive. These expenses can be kept in check by limiting sampling to key
controls in areas where incidents are most likely, by limiting the size of the sample
itself, and by relying on the results of audits and assessments conducted of a ven-
dor by independent third parties that you trust.
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
11
For a vendor to lie when completing a questionnaire is actually rare. For a vendor to
identify a gap they didn’t know they had until you asked them to provide an example in
a screen shot is, unfortunately, all too common. The good news is that sampling finds
these gaps.
EFFICIENCY: DO MORE WITH YOUR RESOURCES	
So far, we’ve discussed optimization and efficiency in terms of:
•	 Prioritizing on high inherent risk vendors;
•	 Balancing resource allocation between assessment and remediation phases;
•	 Using quality and consistency improvements to speed assessments and enable
continuous improvement efforts;
•	 Streamlining assessment scope and content while meeting business and regula-
tory requirements;
•	 Focusing sampling efforts on the riskiest control areas and using effective sam-
pling to identify risk;
•	 And, reusing the work of independent third parties such as SOC audits.
Your organization can continue to drive efficiency by looking for controls where your
vendors, as a group, are consistently successful versus areas where successful risk man-
agement is more challenging. Where your vendors are consistently successful, you may
be able to cut the content from your questionnaire. When Denial of Service attacks first
emerged, a common and successful countermeasure was to tune kernel parameters on
Web servers to accept a larger number of connections and discard them more quickly
when unused. For a time, it was critical to ask Web hosting vendors about this configu-
ration detail. Within a few years, these re-tuned kernel parameters had become the
default setting for operating systems, set directly by their publishers. As a result, this vul-
nerability is now rare. There’s no reason to ask questions about these kernel parameters
12
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
any more. In contrast, it’s likely that your vendors have wildly different practices
around managing mobile devices. Such areas, where views on industry best prac-
tices can themselves be inconsistent, deserve increased focus and discussion.
You can save time and money by concentrating your assessments on these more
troublesome areas.
Deduplication of effort is also a critical technique for assessment program optimi-
zation. It’s as simple to understand as it is to overlook. If you ask the same ques-
tion twice in your questionnaire or have multiple business units using the same
vendor. You may have an opportunity to optimize.
As mentioned above, automation tools can help you standardize your assessments
and be much more efficient in your processes. Many companies use spreadsheets
to maintain their vendor questionnaires, which work fine up to a point. However, if
you need to assess more than a handful of vendors, a purpose-built VRM solution
will increase your efficiency and effectiveness. Not only will software speed tasks
such as communicating with vendors and securely exchanging information but
also, software-based vendor risk management solutions will help:
•	 Consistently identify high risk vendors
•	 Accelerate reporting to management and regulators
•	 Provide for easy tracking of program progress and issues remediation
•	 Streamline portfolio-wide vendor risk reporting
•	 And facilitate the analysis needed for continuous improvement efforts
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
13
CONCLUSION
What makes a vendor assessment “better?” We can look at the crispness of a question-
naire, our ability to assess more vendors faster, or the degree of satisfaction of our regu-
lators. But, the real answer is, a vendor assessment program is “better” any time we can
identify and eliminate more risk. That our budgets and other resources are finite adds
efficiency as a necessary variable to the equation.
Improving the quality and consistency of your assessment materials and methodology
helps improve your VRM program by increasing the accuracy of the information you
collect about your vendors, by balancing resources between assessment and remedia-
tion cycles, and by providing the basis for continuous improvement exercises. Improving
alignment with business and regulatory requirements helps ensure that the assessments
have the appropriate scope of content and are risk-aligned to your available resources.
Improving veracity by sampling control execution helps identify easily resolved risks that
might otherwise go unnoticed. And, throughout all of these opportunities to improve
a VRM program we overlay efficiency. Not necessarily the efficiency of assessing more
vendors or the efficiency of testing more controls but the efficiency of resolving more
risk.
14
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com
PROCESSUNITY & VENDOR RISK MANAGEMENT
ProcessUnity is a leading provider of cloud-based applications for risk management
and service delivery management. The company’s software-as-a-service (SaaS)
platform gives organizations the control to assess, measure, and mitigate risk and
to ensure the optimal performance of key business processes.
ProcessUnity’s cloud-based Vendor Risk Management solution helps companies ef-
fectively identify and mitigate risks posed by third-party service providers in critical
risk areas such as information security, service delivery, supply chain processing,
financial processing, reputation, and regulatory compliance. ProcessUnity provides
organizations with clear visibility into the business impact of third-party risk via
direct links from vendors and their services to specific business elements such
as processes and lines of business. Powerful assessment tools enable evaluation
of vendor performance based on customer-defined criteria through automated,
questionnaire-based self-assessments as well as through detailed audits of vendor
controls. Flexible reports and dashboards enable ongoing monitoring of vendor rat-
ings, assessment progress, and status of remediation activity. Learn more at www.
processunity.com.
ABOUT PROCESS UNITY
ProcessUnity is a leading provider of cloud-based applications for risk management
and service delivery management. The company’s software as a service (SaaS)
platform gives organizations the control to assess, measure, and mitigate risk and to
ensure the optimal performance of key business processes. For public companies and
regulated industries, ProcessUnity Risk Suite delivers effective governance and
control, vendor risk mitigation, and regulatory compliance. For benefit plan
administrators and other financial service firms, ProcessUnity Service Delivery Risk
Management (SDRM) controls complex product offerings and strengthens client
service experience. ProcessUnity is used by the world’s leading financial service firms
and commercial enterprises. The company is headquartered outside Boston,
Massachusetts and is funded by Rose Park Advisors and other private investors.
HEADQUARTERS
33 Bradford Street
Concord, MA 01742
PHONE: 978-451-7655
© 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com

Mais conteúdo relacionado

Mais procurados

Risk Management Presentation Powerpoint 2008
Risk Management Presentation Powerpoint 2008Risk Management Presentation Powerpoint 2008
Risk Management Presentation Powerpoint 2008Praxiom
 
A Users Guide To N Abler Grading Best Practices
A Users Guide To N Abler Grading Best PracticesA Users Guide To N Abler Grading Best Practices
A Users Guide To N Abler Grading Best Practicespauljmcgill
 
8 trends of successful crm(customer relationship management)2
8 trends of successful crm(customer relationship management)28 trends of successful crm(customer relationship management)2
8 trends of successful crm(customer relationship management)2CRM Vision
 
Resume_Kadambi Vijaisimh_April_2016
Resume_Kadambi Vijaisimh_April_2016Resume_Kadambi Vijaisimh_April_2016
Resume_Kadambi Vijaisimh_April_2016Kadambi Vijaisimh
 
Crm Hicss 2003 Presentation
Crm Hicss 2003 PresentationCrm Hicss 2003 Presentation
Crm Hicss 2003 PresentationRam Srivastava
 
Rogers customer experience consulting report
Rogers customer experience consulting reportRogers customer experience consulting report
Rogers customer experience consulting reportAbhishek Sharma
 
2012 Survey of Higher Education CRM Deployment Practices
2012 Survey of Higher Education CRM Deployment Practices2012 Survey of Higher Education CRM Deployment Practices
2012 Survey of Higher Education CRM Deployment PracticesJohn Copeland
 
Planning overview2
Planning overview2Planning overview2
Planning overview2Hoda Ghatas
 
21 Best Practices for Effective Call Quality Monitoring
21 Best Practices for Effective Call Quality Monitoring21 Best Practices for Effective Call Quality Monitoring
21 Best Practices for Effective Call Quality MonitoringTentacle Cloud
 
Process Transformation: Your Questions Answered
Process Transformation: Your Questions AnsweredProcess Transformation: Your Questions Answered
Process Transformation: Your Questions AnsweredDATAMARK
 

Mais procurados (11)

Risk Management Presentation Powerpoint 2008
Risk Management Presentation Powerpoint 2008Risk Management Presentation Powerpoint 2008
Risk Management Presentation Powerpoint 2008
 
A Users Guide To N Abler Grading Best Practices
A Users Guide To N Abler Grading Best PracticesA Users Guide To N Abler Grading Best Practices
A Users Guide To N Abler Grading Best Practices
 
8 trends of successful crm(customer relationship management)2
8 trends of successful crm(customer relationship management)28 trends of successful crm(customer relationship management)2
8 trends of successful crm(customer relationship management)2
 
Model Validation
Model Validation Model Validation
Model Validation
 
Resume_Kadambi Vijaisimh_April_2016
Resume_Kadambi Vijaisimh_April_2016Resume_Kadambi Vijaisimh_April_2016
Resume_Kadambi Vijaisimh_April_2016
 
Crm Hicss 2003 Presentation
Crm Hicss 2003 PresentationCrm Hicss 2003 Presentation
Crm Hicss 2003 Presentation
 
Rogers customer experience consulting report
Rogers customer experience consulting reportRogers customer experience consulting report
Rogers customer experience consulting report
 
2012 Survey of Higher Education CRM Deployment Practices
2012 Survey of Higher Education CRM Deployment Practices2012 Survey of Higher Education CRM Deployment Practices
2012 Survey of Higher Education CRM Deployment Practices
 
Planning overview2
Planning overview2Planning overview2
Planning overview2
 
21 Best Practices for Effective Call Quality Monitoring
21 Best Practices for Effective Call Quality Monitoring21 Best Practices for Effective Call Quality Monitoring
21 Best Practices for Effective Call Quality Monitoring
 
Process Transformation: Your Questions Answered
Process Transformation: Your Questions AnsweredProcess Transformation: Your Questions Answered
Process Transformation: Your Questions Answered
 

Destaque

Key Challenges Facing Vendor Risk Management Programs
Key Challenges Facing Vendor Risk Management ProgramsKey Challenges Facing Vendor Risk Management Programs
Key Challenges Facing Vendor Risk Management ProgramsColleen Beck-Domanico
 
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...Poyner Spruill LLP, Attorneys
 
Power of partnerships
Power of partnershipsPower of partnerships
Power of partnershipsbobdonaldson
 
VENDOR PROCESS DEVELOPMENT
VENDOR PROCESS DEVELOPMENTVENDOR PROCESS DEVELOPMENT
VENDOR PROCESS DEVELOPMENTSWAPAN KUMAR ROY
 
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsUnderstanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsGoutama Bachtiar
 
Vendor Management and Contract Negotiations
Vendor Management and Contract NegotiationsVendor Management and Contract Negotiations
Vendor Management and Contract NegotiationsButlerRubin
 
Vendor Management - Compliance Checklist Manifesto Series
Vendor Management - Compliance Checklist Manifesto SeriesVendor Management - Compliance Checklist Manifesto Series
Vendor Management - Compliance Checklist Manifesto SeriesContinuity Control
 
Vendor Selection Process
Vendor Selection ProcessVendor Selection Process
Vendor Selection Processgrinehart
 
Ariba Coverage of Risk Management within the Supplier Lifecycle
Ariba Coverage of Risk Management within the Supplier LifecycleAriba Coverage of Risk Management within the Supplier Lifecycle
Ariba Coverage of Risk Management within the Supplier LifecycleSean Thomson
 
Vendor development
Vendor developmentVendor development
Vendor developmentPadmadhar PD
 
Supplier selection
Supplier selectionSupplier selection
Supplier selectionjoecobe
 
Vendor Management Systems Best Practices
Vendor Management Systems Best PracticesVendor Management Systems Best Practices
Vendor Management Systems Best Practicesjeffmonaghan
 
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...Optimus BT
 
IT Strategic Vendor Management
IT Strategic Vendor ManagementIT Strategic Vendor Management
IT Strategic Vendor ManagementBill Whetstone
 
Define an IT Strategy and Roadmap
Define an IT Strategy and RoadmapDefine an IT Strategy and Roadmap
Define an IT Strategy and RoadmapAndrew Byers
 

Destaque (20)

Key Challenges Facing Vendor Risk Management Programs
Key Challenges Facing Vendor Risk Management ProgramsKey Challenges Facing Vendor Risk Management Programs
Key Challenges Facing Vendor Risk Management Programs
 
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
 
Power of partnerships
Power of partnershipsPower of partnerships
Power of partnerships
 
VENDOR PROCESS DEVELOPMENT
VENDOR PROCESS DEVELOPMENTVENDOR PROCESS DEVELOPMENT
VENDOR PROCESS DEVELOPMENT
 
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsUnderstanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor Relationships
 
SCM Smart Spending
SCM Smart SpendingSCM Smart Spending
SCM Smart Spending
 
Vendor Management and Contract Negotiations
Vendor Management and Contract NegotiationsVendor Management and Contract Negotiations
Vendor Management and Contract Negotiations
 
Vendor Management - Compliance Checklist Manifesto Series
Vendor Management - Compliance Checklist Manifesto SeriesVendor Management - Compliance Checklist Manifesto Series
Vendor Management - Compliance Checklist Manifesto Series
 
Vendor Selection Process
Vendor Selection ProcessVendor Selection Process
Vendor Selection Process
 
Ariba Coverage of Risk Management within the Supplier Lifecycle
Ariba Coverage of Risk Management within the Supplier LifecycleAriba Coverage of Risk Management within the Supplier Lifecycle
Ariba Coverage of Risk Management within the Supplier Lifecycle
 
Vendor development
Vendor developmentVendor development
Vendor development
 
Vendor rating
Vendor ratingVendor rating
Vendor rating
 
Supplier selection
Supplier selectionSupplier selection
Supplier selection
 
Vendor rating system
Vendor rating systemVendor rating system
Vendor rating system
 
Vendor Management Systems Best Practices
Vendor Management Systems Best PracticesVendor Management Systems Best Practices
Vendor Management Systems Best Practices
 
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha...
 
Vendor Management
Vendor ManagementVendor Management
Vendor Management
 
IT Strategic Vendor Management
IT Strategic Vendor ManagementIT Strategic Vendor Management
IT Strategic Vendor Management
 
Define an IT Strategy and Roadmap
Define an IT Strategy and RoadmapDefine an IT Strategy and Roadmap
Define an IT Strategy and Roadmap
 
Vendor Management
Vendor ManagementVendor Management
Vendor Management
 

Semelhante a Effective Assessment of Vendors Risk Management

Benchmarking Basic.pdf
Benchmarking Basic.pdfBenchmarking Basic.pdf
Benchmarking Basic.pdfR Borres
 
Risk Management Software Implementation Guide eBook
Risk Management Software Implementation Guide eBookRisk Management Software Implementation Guide eBook
Risk Management Software Implementation Guide eBookGlenn Peake
 
Six steps to revenue boosting lead generation programs
Six steps to revenue boosting lead generation programsSix steps to revenue boosting lead generation programs
Six steps to revenue boosting lead generation programsJaslynn joan
 
5 steps for better risk assessment
5 steps for better risk assessment5 steps for better risk assessment
5 steps for better risk assessmentDrMohammedFarid
 
Edc2013 compliance conundrum-alperin
Edc2013 compliance conundrum-alperinEdc2013 compliance conundrum-alperin
Edc2013 compliance conundrum-alperinjowen_evansdata
 
Driving Value with Marketing Automation How-To Guide
Driving Value with Marketing Automation How-To GuideDriving Value with Marketing Automation How-To Guide
Driving Value with Marketing Automation How-To GuideDemand Metric
 
managed-services-buying-guide
managed-services-buying-guidemanaged-services-buying-guide
managed-services-buying-guideMarie Peters
 
Why Your Customer HealthScore is Useless and How to Overcome It
Why Your Customer HealthScore is Useless and How to Overcome ItWhy Your Customer HealthScore is Useless and How to Overcome It
Why Your Customer HealthScore is Useless and How to Overcome ItBoaz S. Maor
 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5justinklooster
 
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...Compliance Consultant
 
Agency Management Playbook
Agency Management PlaybookAgency Management Playbook
Agency Management PlaybookDemand Metric
 
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docx
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docxBasic Guide to Program Evaluation (Including Outcomes Evaluation).docx
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docxJASS44
 
Functions of performance appraisal
Functions of performance appraisalFunctions of performance appraisal
Functions of performance appraisalbushmiller440
 
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docxApply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docxjewisonantone
 
5RecruitingKPIs_020816
5RecruitingKPIs_0208165RecruitingKPIs_020816
5RecruitingKPIs_020816Lauren Ryan
 
Principles of effective software quality management
Principles of effective software quality managementPrinciples of effective software quality management
Principles of effective software quality managementNeeraj Tripathi
 
Building The Case For Supplier Relationship Management
Building The Case For Supplier Relationship ManagementBuilding The Case For Supplier Relationship Management
Building The Case For Supplier Relationship ManagementSource One Management Services
 
VereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
VereQuest | Guide to Outsourcing your Contact Center's Quality MonitoringVereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
VereQuest | Guide to Outsourcing your Contact Center's Quality MonitoringSharon Oatway
 
Risk Management Services.pdf
Risk Management Services.pdfRisk Management Services.pdf
Risk Management Services.pdfhasan752746
 

Semelhante a Effective Assessment of Vendors Risk Management (20)

Benchmarking Basic.pdf
Benchmarking Basic.pdfBenchmarking Basic.pdf
Benchmarking Basic.pdf
 
Risk Management Software Implementation Guide eBook
Risk Management Software Implementation Guide eBookRisk Management Software Implementation Guide eBook
Risk Management Software Implementation Guide eBook
 
Six steps to revenue boosting lead generation programs
Six steps to revenue boosting lead generation programsSix steps to revenue boosting lead generation programs
Six steps to revenue boosting lead generation programs
 
5 steps for better risk assessment
5 steps for better risk assessment5 steps for better risk assessment
5 steps for better risk assessment
 
Jon alperin 2013
Jon alperin 2013Jon alperin 2013
Jon alperin 2013
 
Edc2013 compliance conundrum-alperin
Edc2013 compliance conundrum-alperinEdc2013 compliance conundrum-alperin
Edc2013 compliance conundrum-alperin
 
Driving Value with Marketing Automation How-To Guide
Driving Value with Marketing Automation How-To GuideDriving Value with Marketing Automation How-To Guide
Driving Value with Marketing Automation How-To Guide
 
managed-services-buying-guide
managed-services-buying-guidemanaged-services-buying-guide
managed-services-buying-guide
 
Why Your Customer HealthScore is Useless and How to Overcome It
Why Your Customer HealthScore is Useless and How to Overcome ItWhy Your Customer HealthScore is Useless and How to Overcome It
Why Your Customer HealthScore is Useless and How to Overcome It
 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
 
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
Setting Conduct Risk Appetite. Assessing risk and identifying cultural driver...
 
Agency Management Playbook
Agency Management PlaybookAgency Management Playbook
Agency Management Playbook
 
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docx
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docxBasic Guide to Program Evaluation (Including Outcomes Evaluation).docx
Basic Guide to Program Evaluation (Including Outcomes Evaluation).docx
 
Functions of performance appraisal
Functions of performance appraisalFunctions of performance appraisal
Functions of performance appraisal
 
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docxApply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
 
5RecruitingKPIs_020816
5RecruitingKPIs_0208165RecruitingKPIs_020816
5RecruitingKPIs_020816
 
Principles of effective software quality management
Principles of effective software quality managementPrinciples of effective software quality management
Principles of effective software quality management
 
Building The Case For Supplier Relationship Management
Building The Case For Supplier Relationship ManagementBuilding The Case For Supplier Relationship Management
Building The Case For Supplier Relationship Management
 
VereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
VereQuest | Guide to Outsourcing your Contact Center's Quality MonitoringVereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
VereQuest | Guide to Outsourcing your Contact Center's Quality Monitoring
 
Risk Management Services.pdf
Risk Management Services.pdfRisk Management Services.pdf
Risk Management Services.pdf
 

Último

YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.JasonViviers2
 
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?sonikadigital1
 
Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...PrithaVashisht1
 
Mapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxMapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxVenkatasubramani13
 
MEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .pptMEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .pptaigil2
 
ChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics InfrastructureChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics Infrastructuresonikadigital1
 
CI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionCI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionajayrajaganeshkayala
 
Virtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product IntroductionVirtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product Introductionsanjaymuralee1
 
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerThe Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerPavel Šabatka
 
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Guido X Jansen
 
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024Becky Burwell
 
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityStrategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityAggregage
 
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxTINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxDwiAyuSitiHartinah
 
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Vladislav Solodkiy
 
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best PracticesDataArchiva
 
AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)Data & Analytics Magazin
 
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationMaster's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationGiorgio Carbone
 

Último (17)

YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.
 
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?
 
Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...
 
Mapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxMapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptx
 
MEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .pptMEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .ppt
 
ChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics InfrastructureChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics Infrastructure
 
CI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionCI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual intervention
 
Virtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product IntroductionVirtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product Introduction
 
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerThe Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayer
 
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
 
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024
 
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityStrategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
 
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxTINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
 
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023
 
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices
 
AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)
 
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationMaster's Thesis - Data Science - Presentation
Master's Thesis - Data Science - Presentation
 

Effective Assessment of Vendors Risk Management

  • 1. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com BUILDING BETTER VENDOR RISK ASSESSMENTS INCREASING THE QUALITY & EFFICIENCY OFYOUR VENDOR RISK PROGRAM
  • 2. © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com 1 BUILDING BETTER ASSESSMENTS This white paper is the fourth in a series about creating an effective vendor risk man- agement program. Previous installments include: • Part I: Four Keys to Creating a Vendor Risk Management Program that Works • Part II: Identifying Vendor Risk: The Critical First Step in Creating an Effective Vendor Risk Management Program • Part III: The Vendor Manager’s Guide to Risk Reduction INTRODUCTION Creating an enterprise-wide vendor risk management (VRM) program from scratch is a challenge that daunts many risk management professionals. If you’re lucky, you get to start with an accurate list of vendors and strong executive sponsorship. More than likely, however, you will start with an outdated list of vendors and will have to build a business case for funding the program. Either way, staring at blank pages that have to become the policies, processes, procedures, and standards for your VRM program can be overwhelming. Empowered with the executive sponsorship and the funding to make a go of it, in the first year of your VRM program you’ll likely: • Inventory and categorize your vendors to understand the risks inherent with your vendor portfolio • Develop and communicate expected controls standards for your vendors • Develop methods of assessment (commonly questionnaire-based) to assess vendors’ controls • Assess your critical vendors • Manage the remediation of any issues identified during the assessments
  • 3. 2 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com This can be a lot of work but, with diligence and focus, it’s completely achievable. After that first year, you should have some knowledge of what worked well with your process, and what didn’t. At this point you can put your assessment meth- odology into a continuous improvement cycle. You will want to reevaluate what you are doing and consider how you can im- prove the process in order to gain an even better understanding of your vendors and the risks they might pose to your business. A regular review of your assess- ment process also provides the opportunity to incorporate any new regulatory expectations into your vendor assessments. How do you build better assessments as your VRM program matures? To im- prove your VRM program, you should evaluate these four elements: • Quality—How did you perform against your objectives during the previous year? How can you improve the consistency of your program and other aspects of what you’re already doing? What are the lessons learned? • Alignment—Is your VRM program aligned with your business and its regulatory requirements? Have you taken into consideration changes in your business and new regulatory guidance? • Veracity—Are you testing controls in a way that makes sense and is efficient? Are you sufficiently testing where the control execution risk lies? Or, are you burning cycles with ineffective or unnecessary test- ing? • Efficiency—When assessing the above three areas, it's easy to fall prey to scope creep. Are you doing what’s required to keep the program within your resource constraints while maximizing the usefulness of those resources?
  • 4. © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com 3 By addressing these areas, you can develop a more thorough and effective as- sessment process. QUALITY: RESOURCE ALLOCATION, EFFECTIVE COMMUNICATION, REPRODUCIBILITY, AND THE CASE FOR CENTRALIZED MANAGEMENT Whether you’ve just finished running your VRM program for the first year or the fifth, it’s time to look back and reflect on what could have been better. One of the more difficult things to do, particularly in the first year, is match the scope of your assessment methodology to your available resources. There are two funda- mental questions you should ask yourself: • “Were we able to assess all of the vendors we wanted to assess?” • “Were we able to manage the remediation of all of the issues identified by those assessments?” If you were too ambitious, your answer to one or both of these questions may be, “no.” It can be easy to get bogged down as you work to help vendors un- derstand the initiative, wait for responses, and clarify your questions. Assessing fewer vendors than intended isn’t really all that bad; it’s a normal growing pain. But, it does help identify where you might need to be more efficient: can you clarify your communications with your vendors, can you better train your asses- sors, should you do fewer site visits, or should you re-visit vendor criticality and prioritization? As we discussed in detail in The Vendor Manager’s Guide to Risk Reduction [download], the real danger can be under-resourcing your remediation manage- ment. If you don’t work with your vendors to resolve the issues identified during their assessments, the very investment in those assessments is marginalized.
  • 5. 4 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com You may actually reduce more risk by attempting fewer or smaller assessments and ensuring that the issues identified are resolved. Remember – your goal is to reduce risk. Balancing vendor coverage, assessment scope, and remediation management to resolve the most and highest risk issues is what matters. Once you’ve looked at the alignment between the scope of your program and your resources, the next question you should ask yourself is, “Does my assess- ment methodology effectively address the risks I intend for it to address?” In other words, do my vendors understand the questions I’m asking AND do their responses make sense? Take a moment and look at the places where you’ve asked a question but consistently gotten answers on a different topic. For ex- ample: “What wireless security features do you use?” Without a doubt, the author of this question knows exactly what they’re asking. But, does the respondent? Is this a question about wireless computer networks or mobile telephones? Regardless of how carefully you develop your question- naire, you’ll invariably have a few questions that are ambiguous or confusing. Paying attention to the responses you receive throughout the year will help you identify and improve these questions. Getting well-aligned, clean responses to your questionnaire will improve not only the accuracy of your results but your efficiency as well.
  • 6. © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com 5 Similarly, if you’re rating your vendors or scoring their responses, do those scores make sense? As you look at the risk ratings assigned to issues identified, do the high risk find- ings truly pose more risk than the medium risk findings? This may seem inconsequential but if your goal is to reduce the most risk with the resources you have and if your meth- odology calls for prioritization based on these scores, then getting this right is critical to the overall effectiveness of your program. Once you’re happy with your assessments on an individual basis, the next question to ask is, “Am I consistent from assessment to assessment?” Inconsistent results can be an indication that your VRM program needs tighter processes and procedures. In addition, it can also mean that your assessment team, which will inherently include profession- als with different backgrounds and levels of experience, may need more orientation or training on the program. Driving toward consistency is key because it assures a minimum standard for the assessment work and gives you a baseline for program improvement. These, in turn, give you the ability to reliably compare and contrast vendors. VRM programs often begin within existing centers-of-excellence within an organization. For example, it is common for information security departments to develop third party information risk assessment methodologies. However, it is not always a natural fit once the VRM program is fully operationalized. By transferring the responsibility for third-par- ty risk assessments to a group such as the procurement department or a vendor manage- ment department, the VRM program can be more tightly aligned with other activities central to the management of vendor relationships - such as managing service level agreements (SLAs), insurance and bonding, and invoice accuracy. This type of centraliza- tion often brings VRM out of disparate business units into a centralized function which, in turn, reduces overlapping efforts and improves consistency. You can also use process automation tools to boost the quality of your assessments. Clear management reports and well-designed workflow systems are essential for ensur- 1. If your VRM program includes scoring models for vendor criticality, inherent risk, and issue severity, as it should, you’ll want to appropriately validate these models, particularly when rolling up this information for enterprise-wide reporting.
  • 7. 6 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com ing consistent, reproducible results across assessments. Furthermore, auto- mated vendor risk management tools can generate the reports necessary for management to monitor the VRM program, to enable accountability to business constituents and auditors, and for model risk management activities.1 More importantly, your VRM solution can give risk managers a clear picture of the third-party risk to your organization and track open issues. ALIGNMENT: TAILOR YOUR VENDOR ASSESSMENTS TO YOUR BUSINESS NEEDS Business needs can change over time. In a first-year VRM program, the goal is usually just to get some number of assessments done in order to determine where you stand with your vendors and find and remove some risk along the way. These initial assessments tend to fall into one of three groups: • Ad-hoc – where you don’t have formal criteria of any kind • Standards-based – for example basing an information security assess- ment on ISO 27002 • Extended enterprise – where you attempt to compare your vendors to your own internal standards None of these approaches is ideal but, of the three, standards-based assess- ments and the extended enterprise assessments are preferred. From there the questions you should ask are: • Do the standards I’ve chosen match the needs of my particular busi- ness? • Which of my internal controls also apply to my vendors? • Does the scope of the assessment capture the regulatory requirements applicable to my vendors? • Have I addressed the areas of risk unique to my vendor relationships?
  • 8. © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com 7 This is, in essence, a requirements review and a gap analysis between those requirements and your assessment program. When in doubt, use industry standards as a starting point; they help make sure you don’t forget the fundamentals. For information security, ISO 27002 with its 114 controls is an excellent start. Other standards provide equally sound starting points for the industries and risks they address. If you haven’t already done so, build your assessment question- naires and methodologies from these materials. Next, tackle your regulatory obligations. These are the must-dos of your industry so you should address them up front. Map the questions in your assessment to what your regulations expect from your vendors. If you’re a financial services firm subject to GLBA, you’ll want to refer to the FFIEC handbook, OCC guidance, and similar publications. If you’re in healthcare, you’ll want to refer to the HIPAA Security Standards Matrix.2 Re- gardless of your particular regulatory burden, the concept is simple. Make sure you know how your questionnaire and assessment address the regulatory obligations and, if any regulatory obligations aren’t addressed, extend your assessment and ask those questions of your vendors too. It is important to consider the difference between how you should approach assessments and how you should approach compliance. The assessment is how you collect informa- tion from your vendors and form opinions about that information. With your assessment completed, you can evaluate your state of compliance by using the relationship between your assessment materials and your regulatory requirements as a framework for evaluat- ing the regulatory implications of your findings. Starting with regulations and going the other way is impractical because regulations are narrowly scoped and not intended as frameworks for building security programs or any other kind of program for that matter. 2. Appendix A to Subpart C of Part 164 of the US CFR
  • 9. 8 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com Once your regulatory requirements are addressed, you can use your discretion to make sure your vendor assessment program meets your particular risk manage- ment needs. What’s changed about your business that may impact what you expect from your vendors? Do you have any risks that aren’t addressed by your regulations-enhanced, standards-based methodology? Are there any hot top- ics within your organization that you want to make sure you address with your vendors? If any of this is missing, now is the time to add it. This is not to say that you want to assess your vendors in the same way that you do your own internal controls assessment. In fact, much of what you do internally may not be appli- cable to outside organizations, no matter how critical those organizations may be to your business. Instead, only borrow from your internal risk management programs those things that truly apply to your vendors. After reviewing and incorporating so much content to the scope of your assess- ment, now is the time to consider which information to cut in order to make your assessment more concise. If there are any questions in your assessment that don’t directly relate to a regulatory or business requirement, you should drop them. They may be good ideas, but if they don’t apply to your vendors or the work they do for you, answering them only adds time and unnecessary expense. Now look at what you have left. Do you have the resources to manage such an assessment? If not, cut some more. Cut the questions that map to low impact risks. Cut the questions that go deeper into the details than is really required. If necessary review these decisions with your regulators. What you have left should meet your business and regulatory needs while focusing your resources on the areas of highest risk. And, because you’ve conducted a proper require- ments analysis along the way (and documented the tough decisions you’ve had to make) you can defend your methodology against critics and make educated adjustments in the future.
  • 10. © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com 9 VERACITY: SAMPLE CONTROLS THAT AFFECTYOUR CORE BUSINESS You’ve sent your questionnaire to a vendor and they’ve replied, “Yes, we do these things.” This sounds good but, how do you know? This is where the sampling of evidence comes in. If you’re like most organizations, you ask for copies of policies and other things that are supposed to provide the proof. Policy conveys the intent of management, but it doesn’t guarantee a vendor is actually following the policy and doing the work. Receiv- ing policy documents as evidence is certainly one kind of sampling – but it only samples whether the vendor has a policy. If, instead, you want to know if the vendor actually per- forms the controls required by those policies, you have to sample evidence of the actual control performance, for example screen shots showing antivirus software enabled and running is more convincing than a copy of an antivirus policy. Since it can be prohibitive- ly expensive to sample all of a vendor's controls, you should sample only those controls that matter the most to your business. For example, if you are concerned about data security, you can test small statistical sam- ples on controls such as system hardening, patching, application security, and antivirus protection, in order to verify that these actions are really being performed as required by policy. Correctly testing a small number of key controls provides a much better indication of managed risk than a comprehensive analysis of a vendor's policies. Another method to improve veracity is to accept your vendor’s own testing. Before a vendor solicits your business, you would like it to have its own house in order. You want to know that a vendor has hired an auditor or assessor to conduct an appropriately scoped and aligned audit of its own business so that its management team can assert that the company is operating properly (and controlling its own risk).
  • 11. 10 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com Beyond proof of an engaged management team, where vendors have done an audit, you may be able to leverage the information in the audit report to accelerate your vendor assessment. Consider that IT service providers typically have their own operations assessed by independent auditors, who generate a Service Organization Controls (SOC) report. SOC reports are specifically designed to help service orga- nizations—organizations that operate information systems and provide that service to other entities—build trust and confidence in their service delivery processes and controls. SOC reports cover core aspects of the vendor’s business, such as poli- cies, access controls, backups, and change management. Therefore, if you trust the opinion of the auditor, you don’t need to test those controls directly. A word of caution: Make sure you understand the scope of the outside assess- ment you are relying on, as the audit may not align with your needs. There are two modes of scope: content and assets. In terms of content, ask if the independent assessment covers your topic of interest. For example, your vendor may present a clean Sarbanes-Oxley (SOX) audit opinion in which the report includes extensive IT controls testing. But, because SOX is focused on financial controls rather than on services provided to clients, you have no guarantee that the same controls apply to the work being done for you. Sampling actual control performance is the only way to know the difference be- tween a vendor’s intent and their actual ability to address risk. However, sampling is expensive. These expenses can be kept in check by limiting sampling to key controls in areas where incidents are most likely, by limiting the size of the sample itself, and by relying on the results of audits and assessments conducted of a ven- dor by independent third parties that you trust.
  • 12. © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com 11 For a vendor to lie when completing a questionnaire is actually rare. For a vendor to identify a gap they didn’t know they had until you asked them to provide an example in a screen shot is, unfortunately, all too common. The good news is that sampling finds these gaps. EFFICIENCY: DO MORE WITH YOUR RESOURCES So far, we’ve discussed optimization and efficiency in terms of: • Prioritizing on high inherent risk vendors; • Balancing resource allocation between assessment and remediation phases; • Using quality and consistency improvements to speed assessments and enable continuous improvement efforts; • Streamlining assessment scope and content while meeting business and regula- tory requirements; • Focusing sampling efforts on the riskiest control areas and using effective sam- pling to identify risk; • And, reusing the work of independent third parties such as SOC audits. Your organization can continue to drive efficiency by looking for controls where your vendors, as a group, are consistently successful versus areas where successful risk man- agement is more challenging. Where your vendors are consistently successful, you may be able to cut the content from your questionnaire. When Denial of Service attacks first emerged, a common and successful countermeasure was to tune kernel parameters on Web servers to accept a larger number of connections and discard them more quickly when unused. For a time, it was critical to ask Web hosting vendors about this configu- ration detail. Within a few years, these re-tuned kernel parameters had become the default setting for operating systems, set directly by their publishers. As a result, this vul- nerability is now rare. There’s no reason to ask questions about these kernel parameters
  • 13. 12 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com any more. In contrast, it’s likely that your vendors have wildly different practices around managing mobile devices. Such areas, where views on industry best prac- tices can themselves be inconsistent, deserve increased focus and discussion. You can save time and money by concentrating your assessments on these more troublesome areas. Deduplication of effort is also a critical technique for assessment program optimi- zation. It’s as simple to understand as it is to overlook. If you ask the same ques- tion twice in your questionnaire or have multiple business units using the same vendor. You may have an opportunity to optimize. As mentioned above, automation tools can help you standardize your assessments and be much more efficient in your processes. Many companies use spreadsheets to maintain their vendor questionnaires, which work fine up to a point. However, if you need to assess more than a handful of vendors, a purpose-built VRM solution will increase your efficiency and effectiveness. Not only will software speed tasks such as communicating with vendors and securely exchanging information but also, software-based vendor risk management solutions will help: • Consistently identify high risk vendors • Accelerate reporting to management and regulators • Provide for easy tracking of program progress and issues remediation • Streamline portfolio-wide vendor risk reporting • And facilitate the analysis needed for continuous improvement efforts
  • 14. © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com 13 CONCLUSION What makes a vendor assessment “better?” We can look at the crispness of a question- naire, our ability to assess more vendors faster, or the degree of satisfaction of our regu- lators. But, the real answer is, a vendor assessment program is “better” any time we can identify and eliminate more risk. That our budgets and other resources are finite adds efficiency as a necessary variable to the equation. Improving the quality and consistency of your assessment materials and methodology helps improve your VRM program by increasing the accuracy of the information you collect about your vendors, by balancing resources between assessment and remedia- tion cycles, and by providing the basis for continuous improvement exercises. Improving alignment with business and regulatory requirements helps ensure that the assessments have the appropriate scope of content and are risk-aligned to your available resources. Improving veracity by sampling control execution helps identify easily resolved risks that might otherwise go unnoticed. And, throughout all of these opportunities to improve a VRM program we overlay efficiency. Not necessarily the efficiency of assessing more vendors or the efficiency of testing more controls but the efficiency of resolving more risk.
  • 15. 14 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com PROCESSUNITY & VENDOR RISK MANAGEMENT ProcessUnity is a leading provider of cloud-based applications for risk management and service delivery management. The company’s software-as-a-service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s cloud-based Vendor Risk Management solution helps companies ef- fectively identify and mitigate risks posed by third-party service providers in critical risk areas such as information security, service delivery, supply chain processing, financial processing, reputation, and regulatory compliance. ProcessUnity provides organizations with clear visibility into the business impact of third-party risk via direct links from vendors and their services to specific business elements such as processes and lines of business. Powerful assessment tools enable evaluation of vendor performance based on customer-defined criteria through automated, questionnaire-based self-assessments as well as through detailed audits of vendor controls. Flexible reports and dashboards enable ongoing monitoring of vendor rat- ings, assessment progress, and status of remediation activity. Learn more at www. processunity.com.
  • 16. ABOUT PROCESS UNITY ProcessUnity is a leading provider of cloud-based applications for risk management and service delivery management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. For public companies and regulated industries, ProcessUnity Risk Suite delivers effective governance and control, vendor risk mitigation, and regulatory compliance. For benefit plan administrators and other financial service firms, ProcessUnity Service Delivery Risk Management (SDRM) controls complex product offerings and strengthens client service experience. ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. The company is headquartered outside Boston, Massachusetts and is funded by Rose Park Advisors and other private investors. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 © 2014 ProcessUnity, Inc. All Rights Reserved | www.processunity.com