In today’s regulatory environment, merely being affiliated with a person or organization that poses a cybersecurity risk can lead to irreparable financial, operational, and reputational damage to your business. Companies need to know and track who and what they are connected to in the course of doing business. This includes assessing third-party vendor risk as part of a third-party risk management (TPRM) program.
ACA Aponix recently conducted the webcast Vendor Risk: Due Diligence, Scaling, Analysis, and Ongoing Oversight. During the webcast, I spoke with Brian [1], compliance manager at a global private equity firm, about challenges he’s faced related to managing TPRM and how he addressed those challenges.
A recurring theme throughout the webcast was the necessity for companies to create a culture of awareness and engagement among their stakeholders – the managers who have the most direct interactions with vendors.
“Those business units are face to face with vendors and know what their risks are,” said Brian. “They are the people who need to be involved every step of the way to evaluate who they’re trying to onboard.”
This team approach is essential to understanding and mitigating the risks that could result from third-party vendor relationships.
Brian offered the following tips for a team approach to vendor risk management:
Ask Stakeholders About High-Risk Vendors
It’s key to assign vendor criticality – the types of data they access, their operational role in your business model, and what value they bring to your strategy. Sweeping new regulatory requirements such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) expand the definition of personally identifiable information (PII) to include almost every piece of data. “It’s the people on the ground interacting with the third parties who are in the know,” Brian said.
And watch out for blind spots. “The flower guy wasn’t on our risk assessment,” said Brian, of his organization. “They weren’t on our servers, but they had physical access [to our office].”
Tailor Questionnaire Templates
“The biggest issue that we had when we initially launched [our compliance program] was we were trying to do a ‘one size fits all’ program,” said Brian. “Vendors would say, ‘Why am I being asked this question? It has nothing to do with the service we’re offering your business.’”
He recommended that organizations launch tailored vendor assessments using due diligence questionnaires (DDQs) that are relevant to each specific vendor type. Be prepared to challenge incomplete or vague responses that make it difficult to analyze their risk with sufficient rigor. This can be done more efficiently by outsourcing the job to a trusted partner, which can help customize DDQ questions based on jurisdiction-specific regulations or other qualifications, making it easier for vendors to provide the data you need to do business. An outsourced solution reduces overhead, makes it easier for stakeholders to manage, and helps establish productive client-vendor collaboration.
Talk to the Team About the Upside
Brian noted that trying to manage vendors with an in-house program took 10-12 hours for review per vendor, and the commitment added up for his company.
Vendor risk management efforts that are well designed and implemented trim the costs of processing vendors, while also boosting the number you can onboard. Working with an outsourced partner to get this done can deliver efficiencies of more than 67% and help ensure your business is not exposed to unnecessary risk from beyond your four walls.
[1] Brian has requested to remain anonymous.
How ACA Can Help
ACA’s vendor management outsourcing service (VMOS) allows your firm to offload the vendor due diligence and risk assessment process. Our team of experienced information security risk analysts can administer due diligence questionnaires (DDQs), analyze DDQ responses, identify vendor risks, and report on results so your company can focus on more strategic tasks. Our tailored DDQs include over 300 questions and are customized for each vendor type to provide an accurate assessment of possible risks.
Vendor Management Resources
The following ACA resources are available to help your firm navigate the complexities of vendor risk management:
- Webcast: Vendor Risk: Due Diligence, Scaling, Analysis, and Ongoing Oversight
- Case Study: ACA’s Vendor Management Outsourcing Service for a Global Private Equity Firm
- White Paper: Small Banks, Big Regulations: How Credit Unions and Small Banks Can Use a Value Approach for Third-Party Vendor Risk Management
About the Author
Marc Lotti is a Partner at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Prior to ACA’s acquisition of the firm, Marc served as Chief Operating Officer of Aponix Financial Technologists, which he cofounded. He invented and funded UFlexData, a turnkey cloud IaaS platform for SMBs, while in a leadership role at Mandragore, a boutique consultancy firm he founded. Marc has had a notable career in financial technology, risk, and governance, having worked for Goldman Sachs, Merrill Lynch, American Express, and Fuji Securities, among other financial firms since the early 90s.
Marc earned his Bachelor of Arts degree in Economics from Stony Brook University and his MBA from the Thunderbird School of Global Management. In addition, he is a Project Management Professional (PMP®) and certified in the Governance of Enterprise IT (CGEIT).