The evolution of vendor risk management

The evolution of vendor risk management

By Alice Kelly, Head of Research and Production, CeFPro

Vendor and third party risk management is a rapidly evolving discipline with advances developing as the industry continues to place reliance on outsourcing services. As a result, regulation and internal governance and controls are increasingly more stringent and resource intensive to ensure security of the institution and its customers. The discipline and the skills required have evolved dramatically in recent years, with technology advances and innovation across the industry, the threat of external breaches or loss of data are increasingly real.

The Center for Financial Professionals interview over 40 senior vendor, third party, procurement and outsourcing professionals to gain an insight as to the current state of the industry and concerns for the profession on a day to day basis. The below are some of the key areas highlighted by numerous sources as areas ‘keeping vendor professionals up at night’.

One of the initial areas of focus came internally, with so many institutions operating under legacy systems with builds implemented on top of these and operating in multiple silos to manage vendor risk. Many posed the question as to how they can bring all of these systems together to increase information sharing and meet oversight and governance expectations.

“Everybody is at different stages of maturity and using different tools, it’s almost like looking at your whole process… There are so many opportunities with tool sets that people just don’t link… its looking at all of the tools across the different touchpoints across your lifecycle, but organisations are so different, that’s part of the challenge as well, different levels of complexity to manage the data.”

“So on the one hand you have the TPM organization that is responsible for the suppliers, then you have the InfoSec teams and risk teams… but it’s interesting we have had to deal with a lot of siloed approaches from a lot of these risk teams and sort of try to work internally to break down those barriers.”

 “Companies are struggling with how to expose or become more engrained within the vendors from a TPRM perspective … it brings up a lot of InfoSec challenges in terms of you have to expose your network to your vendors which makes the InfoSec people unhappy or you have to use different kinds of tools and then integrate it manually to your data, and there’s a trend towards people separating out their TPRM from their broader risk management capability.”

As would be the expectation within vendor and third party risk, cyber concerns and information security featured highly within the list of priorities for the coming year. This was closely related to the above topic where many mentioned aligning InfoSec teams and overall vendor and third party management. Oftentimes the information and cyber security review of vendors falls within the vendor risk team, which draws back to the original point on the skills of the vendor risk professional and expectations for increased cyber knowledge and expertise.

“I will describe it as the evolution of the vendor risk management professional, this person is being asked to manage risk but to do so in a really quick fashion, be much more responsive to the business interest and needs… how does a vendor risk manager adapt to this new environment and that’s where we are seeing evolution in who this is, their professional background, tech savvy, responsive to business, not just compliance but active risk management function.”

“The interlocks needed from a governance perspective, whether that’s from a senior point or from a measuring reporting point around your vendor risk or in the details across your stakeholder groups because you find that you tend to be facilitating the risk management of cyber risk related to vendors or the contracts to cover off your cyber risk, there is a tonne of areas in cyber risk that vendor managers tend to be facilitating even though they’re not cyber risk experts so I think that’s interesting to see how they do that effectively.”

“Cyber usually comes from a very macro perspective and to have a one size fits all but it has to be narrowed down a little bit and particularly in contracts, companies are putting clauses in contacts related to cyber security and I think it would be really interesting to hear what people are doing, the other governance is always an evolving state, so getting the Board involved.”

“Cyber is very high, it’s what a lot of people are really concerned about. Some of the things that have been going on in our world are the shrinking number of vendor assessments, it seems to me that this space is at a crossroads, we were at a conference and the number of speakers that were set up with the whole questionnaire was at an all time high, people are really starting to take a much more critical view of the questionnaire and the vendor assessment just generally speaking which is interesting.”

Finally, again to be expected was the management of relationships and ongoing monitoring of all third parties and vendors, and moving towards oversight and management of 4th and 5th parties across the supply chain. Many institutions are looking to streamline their risk assessment and monitoring processes to ensure annual reviews of vendors. This again brings in many functions to align expectations, increased monitoring and oversight should bring institutions opportunities, by monitoring continual changes, new products and services become quickly available and efficiency can be increased. Many also mentioned automation of processes to again increase efficiency across the industry, this ties back to the original point of increasing alignment internally and driving a unified holistic platform.

“The theme is we are making great progress with risk assessment, we have improved them and we continue to, we are streamlining them, but that means that you have 364 days a year to fail so that was an approach that people were picking up on.”

“Also, the 4th, 5th, 6th party onwards, how extensive peoples programs are now from a governance point of view, because everyone always talks about your 3rd party risk, but what does that look like in practice, what are you doing about it, what does it look like for your risk reporting, that’s always interesting… some are managing up to something like 7th party risk so to see what degree that happens”

“What they are benchmarking a lot of the banks on are level of automation in this space, and perhaps the ability to do risk reporting appropriately. I think for most institutions people may be trying to do more ad hoc reporting and it is evolving to more of a continuous monitoring, but all of our organisations are so large and theoretically its all of the people in the first line functions that are managing relationships with vendors and contracts and all of that so contract compliance and governance I would assume is a challenge for us all and no one’s solved that!”

“There so many different touch points with third party risk within your organisation but there is no one pulling that together holistically. Then if you can pull all that together, you have an opportunity for your most critical, high risk vendors to do effective reporting for your senior management or have that lense and then out in first line.”

Overall, the vendor and third party risk landscape is evolving and maturing year on year, much of the current focus is around the evolution of the vendor professional and finding the expertise to manage the process effectively. Institutions are moving towards standardisation across the industry and maturing oversight and ongoing monitoring of vendors to ensure that they have a firm grasp on their activities. The process for many is limited by legacy systems and infrastructure making alignment, automation and holistic reviews difficult, as the industry moves forward many are looking to increase automation of the process and limit resources for strenuous questionnaires and assessments in the current format. We are seeing consortiums of institutions to enhance the assessment process and drive automation and efficiency, which looks set to continue as we look forward.

To delve in deeper on the above topics, the Center for Financial Professionals would like to invite you to join your peers at our upcoming 3rd Annual Vendor & Third Party Risk USA Congress, taking place June 5-6, NYC. Discuss the above challenges in far greater detail, hear the results of our global survey and network with like minded experts across two days.

You may also be interested in…