From: HelpNet Security
Director of Integrated Risk Management Strategy, NAVEX
March 24, 2022
The ongoing global turmoil has tested the supply chain across industries in a myriad of ways – from strained resources and remote workflows to security concerns and more. Sustaining a resilient supply chain is one area where many organizations have seen disruptions and business risk, mostly related to managing third-party vendors.
Recent reports have found that 85% of companies are losing money to third-party integration issues related to their supply chains – some losing over $1 million per year. Much of this is contributed by outdated integration systems – those that are not cloud-based – as well as a lack of end-to-end business process visibility. In addition, 35% of businesses have stated their compliance teams have no way of knowing if third-party partners are compliant. Not only is this a big problem financially, but it indicates that most aren’t aware of what is happening across business transactions, which could contribute to even greater future risk and loss.
To overcome these challenges, businesses must implement an agile risk management program that prioritizes third-party risk management. Building a formalized third-party risk management program that strengthens end-to-end process visibility is a three-step process.
Step one: Define and build the program
Defining the current state of an IT and third-party risk management program is the first step in understanding what is working, and most critically, what is not working. This includes a complete audit of existing vendors and the potential risks they pose; this gives leaders visibility into current risks, identifies addressable risk, and unnecessary future risks that can be preemptively mitigated. This process also enables organizations to create new standards and goals for an improved third-party vendor program. For example, organizations need to understand communication processes between IT and third-party risk management teams to unearth potential issues caused by manual processes, inadequate reporting and/or inaccessibility to relevant data.
Top-down sponsorship and bottom-up execution is also key when developing a third-party compliance program. Organization-wide alignment shifts third-party vendor processes from a “check box” compliance exercise to a consistent, thorough process that underscores the significance of having a risk management program in place. For example, many organizations have a vendor onboarding checklist that includes tasks like reviewing their product/service track record, financial stability and if they’ve run afoul of the law. However, a consistent, thorough process would also encompass activities like ongoing due diligence that regularly checks a vendor’s risk profile for financial, regulatory, and reputational risk.
To break down silos and make adoption more seamless, organizations should consider automating these processes, and integrating with systems of record across the business. This will grow program efficacy, create greater efficiency in operations and most importantly, will support a risk management program that can evolve alongside future compliance needs, workflows, and processes.
Step two: Establish resources, priorities, and foundational assets
A primary reason executive sponsorship is critical is because organizations need to determine what resources are available to actualize plans.
Key stakeholders across IT, HR and risk and compliance will be instrumental in not just the rollout of an improved third-party vendor program, but also in defining the scope. Allocating resources can be anything from identifying internal subject matter experts, formalizing committees, or determining if and how new hires need to be evaluated.
Because you can’t boil the ocean, it is important to understand which vendors have the greatest potential impact to the business. With this data in hand – which is accessed by foundational assets like robust risk management tools and solutions – project stakeholders can prioritize risks by level of importance and formulate an actionable plan.
Lastly, establishing and enforcing a library of controls within these solutions can improve processes and decrease the level of risk. By doing so, the organization can manage enforcement for internal as well as regulatorily enforced best practices, while also ensuring that any third parties with access to these systems follow the same requirements, thereby creating uniformity of process and reducing risk.
Step three: Implement program methodology
In addition to assessing third parties, a key step in building a healthy risk management program is defining metrics. The program methodology should include established reporting standards and target metrics, allowing success to be measured over time. With benchmarks from step one in place, teams can measure how cloud integrations led to overall improvements, or how quickly potential risks were rectified, for example.
Employee training plays a big role here as everyone within an organization needs to be able to navigate third-party risk management solutions with ease. Training should include the entire risk management function and provide repeatable introductions into the change management challenges that are associated with any new program, process, or system.
While a robust solution with automated workflows will certainly resolve integration issues and streamline processes, organizational buy-in for third-party risk management programs is what defines resilient vendor relationships and a healthy compliance program. Using this methodology to create a risk-based strategy will not only help a business establish and maintain a strong vendor supply chain but can help identify future risks enabling teams to mitigate them before they become a business-impacting issue, which is what businesses resilience is all about.