Shared Assessments 2015: Trends in Vendor Risk Management

Jake Olcott | May 6, 2015

Vendor risk management professionals representing every industry gathered in Baltimore last week at the annual Shared Assessments conference. I am privileged to serve on the Advisory Board for Shared Assessments and found the conference to be highly informative.

Though it was tough to narrow down, here are 5 key items that I'm taking away from the trip: 

  1. Third party risk management has become one of the most important risk issues facing organizations today. In addition to the growth of the vendor risk management professional, senior executives and boards increasingly find themselves involved in third party risk management as it has become an accepted - and important - element of a director/officer’s fiduciary duty to the company. Participation in Shared Assessments and the annual conference has grown in recent years, a testament not only to the interest in the issue, but also to the leadership of Cathy Allen and the team.
  2. Just as cyber risk management requires a whole-of-company approach, a sophisticated vendor risk management program requires governance, policy, training, and technology (tools) to be effective. I heard a lot about the importance of collaboration between legal, procurement, and business units when identifying and managing third party risks. In terms of process and governance maturity, vendor risk management seems to be where cyber risk management was several years ago. 
  3. For a vendor risk management team to succeed, costs must be reduced. I was very surprised to hear about the average costs of on-site assessments. Members are working hard to encourage “sharing” of assessments in order to reduce costs for both first and third parties. Iron Mountain has been a real leader in this work.
  4. Though some highly sophisticated organizations are already there, many participants want to monitor their vendors in real time as a way of implementing their vendor risk management programs. This was reminiscent to me of the time before "continuous monitoring" of one's own network and environment became a standard accepted practice. BitSight is already helping many of these teams to monitor vendors in real time.
  5. There is widespread interest by regulators in third party risk management, but regulators have not yet been prescriptive about the content of those programs. From the OCC to the SEC, and SIFMA to PCI, regulators across the country are asking questions about whether or not regulated entities have third party risk management programs in place. Time will tell whether regulators will begin mandating the existence of certain programmatic elements.

At the end of the day, with so much interest in third party risk management, I wonder how businesses will keep up with the increased security demands by their partners. I heard from at least one participant that his organization planned to dramatically reduce the number of vendors that they use in order to reduce vendor risk. Is this a trend? What does it mean for small business? I expect this will be a key theme that businesses across all sectors will be dealing with in the months and years ahead.

Let me know what you think - you can reach me at jolcott@bitsighttech.com
