Three for Thirds:
Vendor Risk Management Challenges
Cybersecurity consulting leaders point to third-party risk management as a crucial
area that clients need help addressing. As companies share more data with more
third parties (e.g., cloud software firms, cloud storage providers and supply chain
partners), they must maintain effective methods of governing, managing and monitoring these relationships from a cyber-risk perspective.
Mature vendor risk management capabilities frequently exist within companies
with boards of directors that are highly engaged with third-party risk issues, according to studies conducted by Protiviti and The Shared Assessments Program, a membership organization devoted to fostering third-party risk assurance. However, the
latest version of this ongoing research indicates that only 32 percent of boards are
highly engaged with vendor risk management issues.
Besides board engagement, Catherine Allen, chairman and CEO of The Santa Fe
Group (which operates the Shared Assessments Program), describes three other
third-party risk management challenges that exist across most industries:
1. Keeping track: Companies, especially larger enterprises, have difficulty monitoring vendors because: A) they have so many external partners; B) numerous different business units and groups within the company manage these relationships; C) vendor
information is kept in a tangle of different information systems.
2. Clarifying responsibilities: In some cases, responsibility for vendor risk
management resides with the procurement function; in others, the CIO, chief
information security officer or chief risk officer owns the capability. Given that
third-party risk management is a relatively immature discipline in many industries, standards for where the capability is located in the organization have yet to
emerge. Allen advocates placing a third-party risk management group within the
risk function because the discipline should be treated as a pivotal component of
enterprise risk management.
3. Managing competing priorities: Different buyers of third-party services
have different priorities—including some that take precedence over risk management considerations. Procurement functions tend to look for the lowest-cost
option, for example. Other buyers within the business may focus on access to
innovation and speed (i.e., how quickly a prospective vendor can get the relationship up and running). When these types of priorities drive the vendor-selection
process, assessments of vendors’ data-protection capabilities, processes and
controls tend to receive short shrift.