Vendor risk: Due diligence, scaling, analysis, and ongoing oversight

By Marc Lotti, Partner, ACA Aponix and Jeff Rowley, Principal Consultant, ACA Aponix

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I’ve been managing vendor risk for close to ten years and have supported firms ranging from Fortune 25 banks to midsized Private Equity and Hedge Funds.  I’ve seen vendor regulations act as a force function on the industry, mandating the evolution of vendor risk from “signing a contract and sticking it in a desk drawer” to highly rigorous and audited programs.

What, for you, are the benefits of attending a conference like Vendor & Third Party Risk USA 2019 and what can attendees expect to learn from your session?

The goal of our presentation is to promote the exchange of ideas among the moderators and audience.  We’re all facing the same issues; collaboration among peers is a great way to leap-frog ahead to the next generation of risk management.

In your opinion, how can the industry look to develop their management of due diligence processes?

Due diligence is a balance between a client’s need to validate vendor information and the vendor’s appetite for answering RFPs that resemble a novel.  Common sense will always prevail.  Understand the risk of an outsourced service and focus on the essential risk elements when diligencing your vendor.

What are the key considerations that need to be made when scaling third party risk management programs?

In addition to managing fluctuating staff levels with contractors, the key consideration is effective management reports to understand execution status, both from a delivery and risk perspective.

Why is the ongoing monitoring of vendor risk so important and how can oversight be developed to increase efficiency and effectiveness?

We’ve seen cases where a vendor passed several audits in January and was breached in June.  The root cause was modified operating controls due to gaps in production change control processes.

Ongoing monitoring is the best way to understand the current risk status of your vendor portfolio.  The most effective programs allow for monitoring to flex based on business criticality and vendor maturity. Monitoring for a critical vendor may initially begin at a one-year frequency.  However, after vendors have proven they meet all requirements, you may want to relax the frequency.

How do you see the management of vendor and third party risk evolving over the next 6-12 months?

Better information about your vendors will drive more effective management.  Most of my clients don’t have a full understanding of the services provided or the inherent risk.  A better understanding of the relationship will allow the client to focus on the most critical risk controls.