Shared Assessments 2015: Trends in Vendor Risk Management

Jake Olcott | May 6, 2015

Vendor risk management professionals representing every industry gathered in Baltimore last week at the annual Shared Assessments conference. I am privileged to serve on the Advisory Board for Shared Assessments and found the conference to be highly informative.

Though it was tough to narrow the list down, here are the five key items I'm taking away from the trip:

  1. Third party risk management has become one of the most important risk issues facing organizations today. In addition to the growth of the vendor risk management professional, senior executives and boards increasingly find themselves involved in third party risk management as it has become an accepted - and important - element of a director/officer’s fiduciary duty to the company. Participation in Shared Assessments and the annual conference has grown in recent years, a testament not only to the interest in the issue, but also to the leadership of Cathy Allen and the team.
  2. Just as cyber risk management requires a whole-of-company approach, a sophisticated vendor risk management program requires governance, policy, training, and technology (tools) to be effective. I heard a lot about the importance of collaboration between legal, procurement, and business units when identifying and managing third party risks. In terms of process and governance maturity, vendor risk management seems to be where cyber risk management was several years ago.
  3. For a vendor risk management team to succeed, costs must be reduced. I was very surprised to hear about the average costs of on-site assessments. Members are working hard to encourage “sharing” of assessments in order to reduce costs for both first and third parties. Iron Mountain has been a real leader in this work.
  4. Though some highly sophisticated organizations are already there, many participants want to monitor their vendors in real time as a way of implementing their vendor risk management programs. This reminded me of the time before "continuous monitoring" of one's own network and environment became a standard accepted practice. BitSight is already helping many of these teams to monitor vendors in real time.
  5. There is widespread interest by regulators in third party risk management, but regulators have not yet been prescriptive about the content of those programs. From the OCC to the SEC, and SIFMA to PCI, regulators across the country are asking questions about whether or not regulated entities have third party risk management programs in place. Time will tell whether regulators will begin mandating the existence of certain programmatic elements.

At the end of the day, with so much interest in third party risk management, I wonder how businesses will keep up with the increased security demands by their partners. I heard from at least one participant that his organization planned to dramatically reduce the number of vendors that they use in order to reduce vendor risk. Is this a trend? What does it mean for small business? I expect this will be a key theme that businesses across all sectors will be dealing with in the months and years ahead.

Let me know what you think - you can reach me at
