Shared Assessments’ Vertical Strategy Groups (VSGs) from the Asset Management, Financial Institution and Insurance sectors have been exchanging views on Vendor Performance in the post-COVID-19 landscape. The VSGs have approached Vendor Performance from a radar paradigm, considering risks from both a positional and a velocity perspective. Through the exchange of viewpoints between industries and roles, we have distilled actionable steps to make your organization more secure and resilient in a dynamic threatscape. This blogpost identifies key risk indicators (KRIs) for Vendor Performance in regard to Financial Health, Resilience/Business Continuity, Security and Velocity of threats, and offers corresponding tactics to mitigate each threat.
Financial Health is a measure of a vendor’s viability, stability and longevity. In the post-COVID landscape, you must understand your vendor’s financial health. Risk associated with a vendor’s ability to access cash is a growing concern. When access to cash is scarce, the viability of many businesses is strained. (A comprehensive view on risk and financial health is covered in the post “Third Party Financial Health A Leading Indicator For All Areas of Risk.”) Below are KRIs and Risk Mitigators around Financial Health.
Resilience / Business Continuity examines Vendor Performance and associated risk from a planning, concentration and operational perspective. How do your vendors plan to move forward in the wake of catastrophic or cybersecurity events? Are your third parties concentrated in one particular geographic location? What are the risks in that location? How nimbly can your vendor transition into full production under duress? Can your outsourced call centers uphold the commitments outlined in their Service Level Agreements? Read on for KRIs for Vendor Performance around Resilience.
Security Risk pertains to the upended concept of the work environment. As in your own organization, a vendor’s employees are likely to be working from home. What controls are present and validated on those home networks? Existing cybersecurity threats have always been lurking; new issues have been introduced with the major shift to work-from-home in the modern era.
Garmin, the fitness watch and GPS maker, shut down its website and call centers this July after experiencing a debilitating ransomware attack. Pilots were unable to download Garmin’s aviation database onto their Garmin navigational systems. This is one of countless examples of a cyberattack interfering with a critical business function.
Below, find KRIs for Vendor Performance in regard to Security Risk and methods to defuse these threats.
Velocity of Risk has accelerated in the wake of COVID-19, calling on risk managers and their programs to address, manage and prioritize resources. From vendor onboarding to exit strategy, it is essential to understand the risks mentioned in this post and to be prepared to respond accordingly.
Keep these risks on your radar screen. Observe these KRIs with ongoing monitoring and work out solutions remotely, in our virtual work world. Respond to new risks by reallocating resources and adjusting programs. Review vendor contracts signed before COVID and adjust them for the new threatscape.
This comprehensive blogpost is based on the Shared Assessments philosophy that “the power of many protects and builds trusted communities.” Through collaboration, we assembled members’ real-world experiences in a variety of Risk Programs across several industries to bring to light these KRIs and solutions. To learn more about our member projects and activities, navigate to our committees page; to inquire about joining our groups, email firstname.lastname@example.org.
Thank you to the Shared Assessments Cross Vertical Strategy Group Vendor Performance Contributors:
Jen Duest, Vice President – Global Third Party Risk and Corporate Insurance Manager, Wellington Management Company LLP (AM-VSG Leadership Team Member)
Nasser Fattah, Cybersecurity Executive (FI-VSG Co-Chair and Shared Assessments Steering Committee Vice Chair)
Asset Management Vertical Strategy Group
Emily Irving, VP RQA, Third Party Risk Management, BlackRock, Inc. (AM-VSG Founder, Leadership Team Member and Shared Assessments Steering Committee Chair)
Financial Institution Vertical Strategy Group
Philip L. Bennett, Manager, Information Security Governance, Metrics & Analytics, Navy Federal Credit Union
Jennifer Grant, Third Party Risk Analyst, Boeing Employees Credit Union (BECU)
Terri Hendrix, Vice President, Vendor Management Office, TIAA Bank (Acquired EverBank)
Robert Maley, Chief Security Officer, NormShield, Inc.
Mary Kay Merkt, SVP Director Vendor Management & Procurement, Johnson Bank
Frank Roppelt, Senior Manager, Security Policy and Vendor Risk, TD Ameritrade
Geoffrey Wolkis, Senior Analyst – Third Party Cyber Risk | INFOSEC Risk, LPL Financial Services
Rich Zendrosky, VP – Head of TPRM, Investors Bank
Insurance Vertical Strategy Group
Roger Booth, Information Security PM, MassMutual Financial Group
Gregory Goldstein, VP, Head of TPRM, Prudential Financial, Inc.
Dina Letteri, Corporate Vice President: Information Security & Third Party Risk Management, New York Life Insurance Company
Barry Peterson, Senior Security Controls Specialist, Jackson National Life Insurance Company
Jacob Retz, Compliance Analyst, State Farm Mutual Automobile Insurance Company
Gary Tongate, VP, Enterprise Risk Management, Employers Insurance
The Santa Fe Group
Jessica Calzada, Project Manager, The Santa Fe Group
Bob Jones, Senior Advisor, The Santa Fe Group
Charlie Miller, Senior Advisor, The Santa Fe Group
Sylvie Obledo, Senior Project Manager, The Santa Fe Group
Sabine Zimmer, Marketing Manager, The Santa Fe Group