Wrestling with Vendor & Incident Response Management

I’m sitting in the bleachers watching my sophomore son wrestle in an all-day varsity tournament. As the bodies tangle, each wrestler is looking to expose and act on their opponent’s vulnerability.

As I thought about strategy, I realized this process is similar to managing vendor risk. This week, the Shared Assessments Program is hosting its annual Third Party Risk Management Summit, with the theme “The Changing Dynamic of Third Party Risk Management,” showcasing trends and threats in vendor risk.

Being a successful wrestler requires the consistent execution of multiple techniques while managing energy over time. Third Party Risk Management likewise requires that a business customize its vendor management program across business units, vendor types, and new acquisitions. Like wrestling, this all has to be done on a timeline and managed as efficiently as possible. Building a consistent and repeatable process is crucial for wrestlers and vendor risk managers alike.

Recently, I was fortunate to attend a panel discussion provided by Shared Assessments titled “Building Best Practices for Monitoring Third Party Incident Event Management Programs.” During this presentation I learned that “Just 43% of incident management professionals report their organization has a formalized incident management plan and only 9% deem their program to be ‘very effective.’” This is a frightening statistic, and in wrestling terms it will get you pinned fast at the varsity level!

Fortunately, for the 57% that do not have a program in place, the Shared Assessments Panel provided some steps to build an effective Vendor Incident Management program. Those steps include determining and validating at both the internal and vendor level:

  • The need for an incident response team.
  • The types of expertise that team carries.
  • The documentation of each team member’s roles and responsibilities.

Organizations should set the goal of validating three interrelated segments of incident event management:

  • Pre-incident preparation (planning and testing).
  • Incident response that executes the plan and holds to its integrity.
  • An active response to lessons learned and retention.

The Shared Assessments Program partnered with the Ponemon Institute on a “Tone at the Top” look at third party risk, with survey results being released this week. In that survey 78% felt that cyber security threats would significantly increase third party risk and 59% either are not effective, or have not assessed third party controls to reduce risk.

To effectively execute proper wrestling technique, a repeatable process is required. This is also a requirement for an effective vendor incident response plan. The following graphic provided by the Shared Assessments panel is an example of an incident process lifecycle that includes process repeatability.

At any level in wrestling, your reputation is at stake. The best-trained wrestlers are always defending their reputation against the smallest error, program gap, and strong competition. It’s a constant protection effort. Losses are part of the game, but it is how a wrestler recovers and moves forward that either builds or tarnishes their reputation. The same holds true for a business. While the process above will help a business build a mature vendor incident response plan, what are the steps a wrestler or business should take when a loss or breach has happened?

Each needs to begin with the eradication and recovery process. This includes identifying the cause and its severity. The wrestler needs to be prepared for the prosecution from his peers, much like the business must be prepared for litigation and potential regulatory review. It’s also essential for both to resume operations once these steps are complete.

Remediation management is the next critical step. Policies and procedures must be reviewed, and this might include updates to contract language, education of consumers and staff, ensuring continued dialogue with the vendor, and ensuring the correct support personnel are involved.

Once the dust settles and remediation management is complete, it’s time to focus on the post-incident contract response phase. This will include determining root cause, rebuilding trust with the vendor or terminating the contract, and potentially winding down and offboarding. The wrestler looks to see if he underestimated his opponent, similar to the business determining if it improperly scoped the vendor. For example, root cause analysis may uncover that an unknown fourth party was the cause of the incident. It’s the responsibility of the business to thoroughly validate its vendors and their supporting vendors.

It’s clear that vendor risk management has a direct impact on a business’ reputation and ultimately its profitability.

Like a wrestler, businesses are constantly tangling with new opponents and challenges. The need for a repeatable vendor incident management process is key to having a mature vendor risk management program. The changing regulatory landscape requires a solid vendor risk management program. It doesn’t matter if the third party relationship is young or mature; businesses are now competing at the varsity level of vendor management.

Darin Hartman is a Risk Governance Analyst on Deluxe Corporation’s Business Risk and Compliance Team. Darin is located in Kansas City, where he focuses on managing the risk, audit, and due diligence processes for Deluxe’s external client relationships. Darin has been with Deluxe for 27 years, most recently holding positions in Reporting & Analytics and Business Risk & Compliance.

Reposted with permission from Deluxe Blogs