Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Organizations are porous: the modern organization is not defined by brick and mortar walls but is a complex web of business relationships. These relationships span vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, and intermediaries. It grows even more complex as there are nested relationships in subcontractors and supply chains. Approximately half of a typical organization’s “insiders” are no longer employees but are third party relationships.

The issues organizations face in managing vendor and third party risks are growing. These range from growing challenges in anti-bribery and corruption compliance (e.g., UK Bribery Act, US FCPA, OECD Bribery Convention), human rights and slavery (e.g., US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, California’s Transparency in Supply Chains Act), environmental, health and safety, physical security, business continuity and more.

However, one of the growing challenges organizations face is information/cybersecurity across third party relationships, particularly vendor relationships. A significant number of information/cybersecurity breaches are the result of third party vendor relationships. It is not just IT-related vendors that put organizations at risk; a wide range of vendor relationships can. The Target breach from a few years back was the result of a heating and air conditioning (HVAC) vendor that was broken into and that had a connection to the Target network. With the Internet of Things (IoT) upon us, it has become critical for organizations to address information security in and across their third party relationships.

I am doing a series of educational webinars on this specific topic over the next three weeks. These are as follows:

Here is my specific advice on how to go about purchasing solutions for vendor and third party risk management:

Additionally, here are some of my research papers that I have published on this topic:

Considerations and Lessons Learned from GRC RFPs

The GRC technology market landscape is broad with over 800 solution providers across seventeen segments of GRC (see bottom of this post for a breakout of GRC segments). Approximately seventy solutions can be characterized as Enterprise GRC platforms while hundreds of solutions focus on specific areas/segments of GRC with focused solutions.

In 2016, GRC 20/20 answered 412 inquiries from organizations looking for GRC related solutions and was actively involved in nearly a dozen formal RFPs that leveraged the GRC 20/20 RFP templates and libraries – some for Enterprise GRC, others for policy management, compliance management, risk management, audit management, issue reporting/management, IT GRC, EH&S, and more. Forty-one percent of these came from North America, 28% from Europe, and the remainder from the rest of the world. The most dominant role that interacts with GRC 20/20 is compliance, followed by risk management, then internal audit, and IT/information security. Approximately 30% of these interactions were for Enterprise GRC Platforms while 70% of GRC 20/20’s interactions were for more focused solutions and implementations.

GRC 20/20 is focused on helping organizations navigate solution provider hyperbole to get to the honest features and functionality, ensuring that the technology selected actually has the capabilities the organization needs.

One of the greatest challenges and frustrations I have in RFPs is the way many solution providers respond to them. They simply answer yes to every question with the thought that it is something that just needs to be built out and customized on their platform. Every year I hear horror stories of rollouts of a solution that take up to two years to build out and implement – all because the organization chose a solution that promised the world in RFP responses but did not have the functionality and features existing in the solution. Further, analysts like Gartner often rank and score these solutions very highly although their evaluation of solutions is getting lighter and lighter. Some of their recent Magic Quadrants for GRC related areas only want video demos and do not sit down with the solution and go through it feature by feature. I have even heard that one recent Magic Quadrant in a GRC area is not even requiring a video demo and just wants answers to questions in a survey; Gartner will then determine whether it wants to see the product.

The level of customization in these multi-year rollouts has significantly hurt a few major solution providers in the GRC market, which find that upgrades are extremely difficult and often break, leaving clients frustrated and unhappy. Three RFPs that I worked on this past year specifically stated they would not consider solution providers that Gartner and Forrester consistently rank in the top leader position, because of the level of customization, length of rollout, cost of ongoing administration, and breakage on upgrades the evaluators had experienced in previous positions at other companies.

Please note: there are many great solutions across GRC domains/segments – solutions that have proven great value with strong features, that can be rolled out rapidly, and that do not become an engagement the size of an ERP implementation.

To provide clarity on features and functionality, I historically have had drop-down fields in GRC 20/20’s RFP templates that ask if the functionality is a ‘native’ feature in the application or something that has to be ‘built-out’ and customized. To provide greater granularity into solution provider responses, I have now updated the GRC 20/20 RFP template library to have the four-fold drop-down responses that organizations should consider (this is from interaction and collaboration with one major GRC player looking to address these challenges head-on):

  • Personalization. Is this feature something that requires no code changes and can easily be done by a business user to suit their individual needs and preferences? Is it completely upgrade-safe?
  • Configuration. Is this a feature that can be easily configured by a power-user or IT developer without coding and is completely safe during upgrades?
  • Extension. Is this a feature that can be done by a power-user or IT developer that requires coding but is upgrade-safe?
  • Customization. Is this a feature that requires working with the solution provider (or professional services) to deliver functionality with coding? Will additional effort be needed for testing during upgrade processes?

This is one area that deserves careful evaluation when looking at solutions across GRC related areas. I will be detailing other considerations in GRC related RFPs and evaluations in future posts.

GRC 20/20 segments the GRC market, with RFP templates, across the following seventeen domains:

  • Enterprise GRC. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.
  • Automated Control Monitoring & Enforcement. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and implement these plans during expected and unexpected disruptions to all areas of operation.
  • Compliance & Ethics Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
  • IT GRC/Security Management. Capability to govern IT in context of business objectives and manage IT process, technology, and information risk and compliance.
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Risk Management & Analytics. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.

Supporting Research Briefings on the topic of purchasing GRC technology are:

Increasing Exposure of Third Party Risks 

The Modern Organization is an Interconnected Mess of Relationships

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

The challenge: Can you attest to the governance, risk management, and compliance of third parties across your organization’s business relationships?

Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that does not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship (or others) the result can be significant. Organizations often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight; the organization then breeds an anarchic approach to third party management, leading to the unfortunate situation of having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails, it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated, because there is no robust record of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties, the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third party relationships that is supported and automated with information and technology.
