Vendor Risk Management – Keeping Our Eyes on What Matters Most

I’d like to make a bold statement: vendor risk management is easy. Step 1: Use contracts to set expectations, secure audit rights and transfer liability. Step 2: Conduct an assessment to determine if expectations are being met. Step 3: Remediate any issues identified during the assessment. This is very straightforward work.

If this work is easy, why do we struggle with it? The answer is simple – resource constraint. Very few vendor risk management programs enjoy sufficient budgets to address all of the risk we intuitively know is out there. The effort to truly understand and report on an organization’s information security architecture and associated controls can take (at least) several person-weeks. Add statistically meaningful sampling to that and you can expect to double the effort or more. Add operational risk and double the estimate again. Unfortunately, if you’re in the vendor risk management space, you’ll be lucky to be able to devote more than a day or two to assessing a vendor. In fact, I’m aware of several financial institutions that expect each of their assessors to complete upwards of 100 vendor assessments per year.

To accomplish such goals, we use questionnaires like the Shared Assessments Standard Information Gathering (SIG) questionnaire to get our vendors to self-assess, and we develop prioritization schemes to restrict who we assess and how frequently we assess them. We purposefully cut the corners where we perceive the risk is lower. Given the inherent resource constraints, this type of risk-focused optimization is appropriate and proper. Unfortunately, summarizing a comprehensive audit into a two-day assessment doesn’t home in on risk. Instead, it usually results in some sort of awkward policy review.

Too often I see organizations use the number of vendors they’ve assessed, the size of their questionnaire, or their ability to find issues with their vendors’ policies as evidence of the success of their vendor risk management programs. While these completeness metrics are operationally useful, they don’t necessarily get to the heart of the matter.

I humbly propose that the best vendor risk management programs are the ones that resolve the most risk per unit of investment. So, instead of thinking in terms of cutting low-risk corners, I think in terms of focusing my limited resources on high-risk targets – then making sure that the issues identified get resolved. There’s nothing more pointless than investing in issue enumeration without issue resolution.

Therefore, I design my vendor risk management programs to focus on:

  • High-risk vendors – Focus assessment investment where exposure is the greatest.
  • Controls that directly mitigate high-risk incidents – Consider patch management. Policy may be a prerequisite for the vendor’s success, but I want to see screenshots of applied patches. Policy review takes time and doesn’t provide the final answer. I look, instead, at evidence of patching.
  • Controls that fail frequently – Many controls require an accurate inventory: access control, patching, media management. If the vendor can’t count what they need to apply the controls to, how can they succeed? And, as experience shows, maintaining accurate inventories is hard. Checking inventory accuracy is easy; and it’s an excellent leading indicator for probable control failure.
  • Easy-to-find issues – give me the most from my assessment budget.
  • Easy-to-fix issues – give me the most from my vendors’ remediation budgets (they’re resource constrained too).

At the end of the day, it’s not about vendors assessed, questions asked, or, absent the proper focus, issues resolved. It’s about targeting where the largest risks hide, enumerating those issues, and fixing them without excuse. When budgets are tight, as they always are in the vendor risk world, resolving the most risk starts with a focus on high-risk controls at high-risk vendors and ends with remediation. The assessment itself is just the glue in between.

John Nye, CISA, CISM, CRISC, CISSP, is the Director of Technology Risk Solutions at ProcessUnity, a cloud-based provider of GRC solutions. He is responsible for the governance of ProcessUnity’s cloud-based, software-as-a-service solutions and advises clients in the art of third-party vendor risk management. Nye has worked with firms such as @stake, Symantec and Moody’s as an assessor of third-party risk and has served as an information security executive for a mid-size technology service provider – protecting information and managing corporate risk from both sides of the due-diligence table.