Shared Assessments 2015: Trends in Vendor Risk Management
Jake Olcott | May 6, 2015
Vendor risk management professionals representing every industry gathered in Baltimore last week at the annual Shared Assessments conference. I am privileged to serve on the Advisory Board for Shared Assessments and found the conference to be highly informative.
Though it was tough to narrow down, here are 5 key items that I'm taking away from the trip:
1. Third party risk management has become one of the most important risk issues facing organizations today. In addition to the growth of the vendor risk management profession, senior executives and boards increasingly find themselves involved in third party risk management as it has become an accepted - and important - element of a director's or officer's fiduciary duty to the company. Participation in Shared Assessments and the annual conference has grown in recent years, a testament not only to interest in the issue, but also to the leadership of Cathy Allen and the team.
2. Just as cyber risk management requires a whole-of-company approach, a sophisticated vendor risk management program requires governance, policy, training, and technology (tools) to be effective. I heard a lot about the importance of collaboration between legal, procurement, and business units when identifying and managing third party risks. In terms of process and governance maturity, vendor risk management seems to be where cyber risk management was several years ago.
3. For a vendor risk management team to succeed, costs must be reduced. I was very surprised to hear about the average costs of on-site assessments. Members are working hard to encourage "sharing" of assessments in order to reduce costs for both first and third parties. Iron Mountain has been a real leader in this work.
4. Though some highly sophisticated organizations are already there, many participants want to monitor their vendors in real time as a way of implementing their vendor risk management programs. This reminded me of the time before "continuous monitoring" of one's own network and environment became a standard accepted practice. BitSight is already helping many of these teams to monitor vendors in real time.
5. There is widespread interest by regulators in third party risk management, but regulators have not yet been prescriptive about the content of those programs. From the OCC to the SEC, and from industry bodies such as SIFMA and the PCI Security Standards Council, regulators and standards setters across the country are asking whether regulated entities have third party risk management programs in place. Time will tell whether regulators will begin mandating the existence of specific programmatic elements.
At the end of the day, with so much interest in third party risk management, I wonder how businesses will keep up with the increased security demands by their partners. I heard from at least one participant that his organization planned to dramatically reduce the number of vendors that they use in order to reduce vendor risk. Is this a trend? What does it mean for small business? I expect this will be a key theme that businesses across all sectors will be dealing with in the months and years ahead.