Vendor Risk: Where We Need Work
Protiviti and the Shared Assessments Program are out with a new report on vendor risk management. Compliance officers who have been talking with their boards lately about those efforts may want to give it a close read.
The most visible point in the report is that businesses are improving at vendor risk management. That’s a good thing, since vendor risk is growing so rapidly. The report is full of longitudinal data over several years, breaking down the components of vendor risk management into a maturity model—and showing that, slowly but surely, businesses are marching up that maturity curve.
The report surveyed more than 500 risk management executives across a range of industries, and used the Vendor Risk Management Maturity Model (colorfully abbreviated as VRMMM) to identify eight component tasks for successful vendor risk management. Then it rated respondents’ confidence in their ability to do those tasks well, on a scale from 0 to 5.
So what do we have for good news?
- Overall maturity of vendor risk management programs has increased from 2.6 in 2015 to 3.0 today.
- Across all industries studied (financial services, insurance, healthcare provider, and “all other”), every sector improved at vendor risk management, and improved in each of the eight components in VRMMM.
- On the paramount issue of cybersecurity, vendor risk management has improved even more dramatically: from 2.5 in 2015 to 3.4 today. The percentage of boards “highly engaged” in cybersecurity issues is up, and the percentage not engaged is down.
Derisking: Seize on This Idea
The Protiviti report also talks about derisking: a company’s wholesale movement away from certain types of third parties that might pose too great a risk. A majority of companies, the report says, either are derisking or plan to derisk next year—and for compliance officers, the reasons for derisking are crucially important.
The reasons for ending or changing vendor relationships to reduce risk are eye-opening. They include fourth-party risk assessment (which represents the primary reason), costs (associated with assessing vendors), and a lack of internal support and skills required to test vendor controls sufficiently. For C-suite executives and healthcare provider organizations, a lack of internal resources represents the top reason for derisking.
None of that should surprise compliance officers. For years, we’ve been talking about efforts to manage our own vendors and third parties, to various degrees of success—“but it’s their third parties, and those parties’ third parties, and so on, that really worry me.” I cannot tell you how many times I’ve heard that line.
That’s what fourth-party risk is. And we’re still not good at it, so companies are dumping vendors because of it.
Compliance officers should use that fact as an argument to invest in stronger vendor risk management—because, after all, we are all somebody else’s third party. Therefore our third parties are that other organization’s fourth party. If you can demonstrate that your vendor risk management is strong, you reduce fourth-party risk for your customer. You make yourself more attractive relative to your competitors.
Sure, strong vendor risk management has plenty of upside for internal operations too, as the organization simplifies procurement processes or reduces regulatory enforcement risk. You’re not wrong to argue for stronger vendor risk management on those grounds alone.
But remember, we all run around talking about how the compliance function can “add value as a strategic advantage” like all the MBA thought leadership gurus say. This is how you can add value: by making your own company a more attractive third party to prospective customers, because your vendor risk management shields them from the fourth-party risk they know exists, but can’t quite see.
Communication Gaps?
One troubling point jumped out at me on Page 4. There, Protiviti broke out confidence in vendor risk management by role within the company. And we see this pattern below.
Namely, the higher in the company you are, the less confident you are in your vendor management program.
I’m not sure how to interpret this data. Clueless senior executives are nothing new in Corporate America, so we could conclude that most senior executives like to worry about risk, but don’t really know what their organizations do on a daily, practical level to manage risk. That’s plausible. We’ve all been in organizations like that.
At the same time, however, clueless low-level employees are nothing new in Corporate America either. It’s also plausible that senior executives are worried to an appropriate degree, because they can see the totality of sensitive data stored in the cloud, the incomplete vendor assessments, the logs of security control failures, and so forth. Meanwhile, lower-level employees are in their silos, where most things seem mostly good most of the time. We’ve all been in organizations like that, too.
The only conclusion we can draw is that a gap in confidence exists between senior and junior ranks. Which means we have a communication problem.
I’ve spoken and written about this phenomenon elsewhere. In military strategy circles it’s known as the OODA Loop: observe, orient, decide, act. The faster your OODA Loop runs, the more actions you can take, and therefore the more successful you can be in combat.
In complex organizations, however, the OODA Loop works best where senior executives set broad goals and build a strong, trusting organizational culture, while junior executives have great freedom to execute tactics on a daily basis. And for that to work, the organization must have loops that not only communicate the goals downward but also send feedback upward, so senior executives know what is, or is not, happening on the front lines.
True in battle, true in business. If the Protiviti data is any indicator, however, we’re still struggling with that.