With over half of overall enterprise risks coming from a vendor
portfolio, it's no wonder that vendor risk management is entering
the spotlight in corporate board rooms.
With data breaches, ransomware attacks and supply chain
disruptions now the norm, there is an increased interest in finding
those high-risk vendors in the portfolio quickly and accurately. By
risk-ranking your portfolio, you can focus scarce resources on the
vendors that have access to your sensitive data, support critical
business services or are more likely to cause reputational
risk.
The traditional approach to risk assessment
Experts typically recommend that you compile a list of all
enterprise vendors, identify the vendor managers across the
enterprise and have them perform inherent risk assessments for the
vendor services provided. That assessment will involve applying a
risk ranking based on your risk policy and using that ranking to
determine a risk assessment and set ongoing monitoring criteria
according to your risk appetite.
It sounds like a good approach, but unfortunately, more often
than not, this strategy doesn't work. The process can either take
too long, give you a false sense of security or point you in the
wrong direction. A typical portfolio distribution may classify more
than 70% of vendors as low risk. But how confident are you that the
right vendors are included in that 70%?
Why traditional methods don't work
To understand the challenge of assessing vendor risk and
identifying low-risk vendors using traditional methods, let's
examine the typical process step by step.
Let's start with the first step: assembling the vendor list. It
sounds straightforward, but in practice, where do you actually go
to get the list? Accounts Payable is a great place to start, but
you'll soon discover all kinds of missing vendors, such as software
contracts that were in place before Source2Pay was implemented or
indirect business arrangements coordinated through fourth-party
relationships via resellers.
Once you track down all those missing vendors and add them to
your vendor list, the next challenge is to identify all the
contacts within the enterprise who are responsible for each vendor
service. Each point of contact needs to understand and take
responsibility for appropriately managing vendor relationships and
applying inherent risk assessment to evaluate how their particular
service is being used.
In practice, these points of contact—if you're able to find
the right ones—are already busy with the day-to-day
requirements of the job and unlikely to welcome the request to
accurately fill out yet another burdensome questionnaire.
These are just a few of the potential pitfalls that can reduce
the effectiveness of the process. Gathering accurate and complete
information in a timely way requires a culture change and the
establishment of a strong central function and a robust TPRM
platform. That takes considerable time and significant
funding—a combination that's hard to get support for at the
leadership level. As a result, the directive is often: "Just get it
done faster and cheaper," which results in low-risk vendor lists
that are of subpar quality and full of misclassifications and false
negatives.
Even if you manage to accurately classify the low-risk vendors
in your portfolio, it's often impractical to assess these vendors
across the key dimensions of financial, regulatory, information
security and business continuity risk. Most TPRM programs struggle
to assess vendors in higher-risk tiers, and as a result, the
re-assessment of low-risk vendors continues to get pushed back year
over year. Given the combination of inaccuracies in the list and
the lack of resources required to assess the entire vendor
portfolio, a significant systemic risk is introduced into the
overall supply chain across many industries.
For many of those industries, it's a regulatory requirement to
ensure that all vendor engagements are assessed using a risk-based
approach—not just those that are high risk. The sheer volume of
vendors to be assessed and monitored in a typical vendor portfolio,
coupled with the large disparity between the level of risk each
vendor represents, can result in a significant weakness in the risk
posture. Failure to appropriately assess and monitor the risk of
these vendors, which often have access to your sensitive data,
support your critical business services and talk to your customers,
can easily result in a situation where your firm ends up on the
front page of the Wall Street Journal—not a fun experience.
A better way to assess vendor risk
Unfortunately, there are no shortcuts when it comes to setting
up an effective vendor risk management program and correctly
aligning vendor lists according to regulatory requirements and
corporate risk appetite. To achieve the goal, TPRM leaders need to
communicate clearly and honestly with leadership to ensure they
understand what it takes to lift the risk posture of the vendor
portfolio.
That said, there are emerging ways to conduct a vendor risk
portfolio assessment that can improve on the traditional approach
by accelerating the delivery, improving the quality of the outcome
and providing a more holistic view of vendor risk. The new approach
can quickly and cost-effectively add numerous risk dimensions to
every vendor, highlight potential areas of concern and provide a
solid risk assessment approach for vendors that qualify as low
risk.
While there is no substitute for reviewing the inherent risk of
each vendor engagement individually, a great starting point is to
understand risk dimensions across the following data points:
Financial health ratings according to multiple financial health rating providers
Outside-in cyber security ratings and potential weaknesses across information found in the public-facing security perimeter or on the dark web
The relative likelihood of a data breach according to back-tested statistical models that use publicly available information
Fourth parties that may also be high risk
Location risk across key dimensions of political, operational or environmental risk
Negative news that may point to important gaps in risk posture
Once an initial determination is made based on an overall
aggregated review and risk hot spots are determined, the next step
is to develop a deeper, fit-for-purpose assessment for those
vendors that are confirmed to be a higher level of risk and require
further review.
Finally, be aware that point-in-time control assessments are no
longer sufficient and need to be supplemented by continuous
monitoring across many of the data points outlined above to deliver a
significant uplift to the enterprise risk posture.
How IHS Markit KY3P can help
The resources required to conduct a thorough risk assessment are
one of the reasons why many firms ultimately cut corners and
overlook unacceptable risks, but there are ways to minimize the
burden.
The IHS Markit Know Your Third Party solution (KY3P®) helps you
manage the end-to-end vendor portfolio lifecycle on a single
platform. KY3P provides access to a service that quickly conducts
multi-dimensional vendor risk portfolio assessments, an on-demand
service for conducting deeper vendor risk assessments and access to
tools that enable you to continuously monitor risk through
partnerships with industry-leading data providers specializing in
financial health, cybersecurity ratings, data breach analysis,
location risk and more.
Please contact us to learn more.
Posted 14 October 2020 by Alex Golbin, Global Head of Assessment Services, KY3P, IHS Markit