There’s no doubt that working with third-party vendors and/or suppliers carries a very real risk, particularly in the context of regulatory requirements. In 2018 alone, the rate of data breaches experienced through IT systems of third-party providers rose by around 75% when compared to 2017. For 2019 that figure will go even higher.
Everyday it becomes more important for organisations to minimise their risk by ensuring that vendors and suppliers remain compliant, especially as third-party cyber threats continue to evolve and become more difficult to manage.
If that wasn’t enough, IBM study also found that data breaches originating from third-parties were likely to cost companies USD$370,000 more than the average. This highlights how companies must begin to adapt, but also ‘closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.’
Apart from being essential to maintaining an effective cybersecurity program within your organisation, effective vendor governance – or, more specifically, vendor risk management – is also a requirement of many industry standards.
In other words, effective vendor governance isn’t just a lofty goal you should aim for. It’s a key part of doing business nowadays. Get it wrong, and you could land yourself in hot water very quickly.
The best way to achieve and maintain effective vendor governance is to ensure you have structured and efficient processes in place. This starts with people…
Effective vendor risk management requires much more than simply writing up a set of rules for your vendors and suppliers. Remember, each vendor or supplier is different – not only in terms of what they do, but how they relate to your business.
With this in mind, the Institute for Supply Management has identified five key tips to help you manage these relationships:
1. Think about the money
Try and calculate the amount of money you spend with each vendor. This will help you determine how important each vendor is to your business, and pinpoint who your key suppliers are.
2. Segment your vendors
Most businesses segment their vendors into three key categories: Strategic key suppliers, important vendors and tactical vendors. Rather, you should segment your vendors based on what makes the most sense for your business. This can then serve as a guide for your activities and interactions with each vendor.
3. Collaborate
You’ll find it much easier to effectively manage your vendors if you collaborate with them. This includes sharing information, technologies and open communication. In addition to creating value and cost savings for both parties, it should lead to greater visibility between the two businesses.
4. Focus on improvement
When it comes to managing the performance of vendors, this should go further than setting targets. The focus should be on improving processes for both sides. Be willing to give feedback, and just as willing to receive it.
5. Assess, assess, assess
Effective vendor risk management requires frequent and detailed assessments, many of which are required by industry standards. These should be complemented by ongoing monitoring activities, as well as contingency plans for every risk area identified.
In a world of evolving delivery models and growing suppliers, here are three best practices for effective vendor governance and risk management:
1. Get clear on controls
You must define a clear set of information security controls that vendors will need to satisfy. These can then be turned into a template assessment, which can be sent to vendors. Key topics might include identity and access management, physical security, security monitoring, cryptography, and business continuity management.
Controls, and assessment questions for testing those controls, should be specific, direct and close-ended (questions that can be answered with a ‘yes’ or ‘no’). This will give you a better indication of the vendor’s cyber maturity.
2. Automate Assessments
If you choose to manually assess your vendors, this will prove time-consuming, costly and painful. Wherever possible, the assessment process should be automated. In addition to saving you time and money, this will reduce human error and help you obtain more in-depth risk insights.
3. Check there’s no conflict of interest
Before signing a contract with a vendor or supplier, you should ensure there is no conflict of interest between the vendor’s own interests and the interests of your organisation. You should also take steps to ensure that engaging the vendor won’t harm your organisation in any way.
As a first step, you should identify a list of scenarios in which a conflict of interest may exist, or where entering into a vendor relationship could harm your organisation. Examples include:
– Where a member of the organisation is an owner of or holds a direct financial interest in the vendor;
– Where engaging the vendor might violate legal restrictions or sanctions against countries;
– Where fraud or corruption charges have previously been levied against the vendor;
– Where gifts have been exchanged between the parties; or
– Where the vendor relationship is likely to cause media exposure.
Every potential vendor should be subjected to a thorough check. Riskier vendor relationships should undergo more in-depth examination and assessment.
While it may sound daunting, it is possible to achieve effective vendor governance in your business. And it’s definitely worth doing, as you’ll save yourself a lot of time, money and stress in the long run. Here are three key points to remember:
1. Choose your vendors carefully
Focus on choosing the right vendors for your business, rather than thinking solely of the financial gain. Ask yourself: Is this partnership mutually beneficial for both parties?
2. Avoid having too many vendors
If you have too many vendors providing similar services, you may struggle to develop each partnership properly. Focus on building solid relationships with a smaller number of great vendors.
3. Maintain open communication
Open and truthful communication is the key to successful partnerships. If a vendor is having performance issues, discuss those issues openly and give the vendor a chance to improve.
The team at 6clicks has developed a tool to help you address issues of vendor governance and compliance head-on.
6clicks empowers sales teams and organisations to simplify vendor risk assessment and compliance at a fraction of the cost of other solutions.
If you want to stay up to date with the latest industry news, insights and all things 6clicks, subscribe to our monthly 6clicks Newsletter here!