How automation fixes the broken vendor risk process
Peter Pernebo, Managing Director, Global Head of Third Party Risk Management Solutions, KY3P, S&P Global Market Intelligence
Luke Nordlie, Executive Director and Global Head of Vendor Due Diligence, KY3P, S&P Global Market Intelligence
Below is an insight into what can be expected from Peter and Luke’s session at Vendor & Third Party Risk USA 2023.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
How can we manage vendors in an ever-changing regulatory environment?
There has been a fundamental shift in regulatory expectations requiring firms to not only comply, but also demonstrate the ability to embed policy outcomes in day-to-day operations. These expectations demand that firms stay ahead of the regulatory requirements for the industries and jurisdictions they operate in as regulators will examine their operations and assess the findings—if it’s determined the firm is not compliant, fines will be issued. To demonstrate this ability, firms need to take a “whole business” response approach.
Undertaking a “whole business” response approach may sound like a daunting task but can be managed by taking a few basic first steps. Start by addressing the fundamentals: establish a solid data strategy, determine ownership and understanding of key risks, along with an astute plan that allows the business to continue to operate throughout disruption.
Once you establish this baseline, make sure you stay on top of these efforts by leveraging:
- The regulators themselves. Regulators publish papers on regulations, coming regulations, as well as provide training opportunities.
- Industry communities—like CeFPro—where new trends and regulations are discussed in different forums and informally among peers in conferences.
- Solution providers and regulatory consultants that supply templates and consulting covering new regulations, so that you are upgraded automatically as their solutions adopt those regulations.
How can we stay ahead of the curve with broken vendor risk processes?
Regular vendor risk monitoring is integral to an organization's daily operations: regulations are constantly evolving, and ongoing monitoring helps identify potential risk vulnerabilities across third parties providing business-critical services.
In addition to not staying ahead on regulations, the biggest pitfall today is assessing a vendor’s risk once, typically as you onboard a new vendor, and then never again. Two distinct problems arise from this:
- The vendors an organization risk assessed once upon onboarding will not have the same financial and InfoSec position “forever.” Even if an organization’s process includes third party assessment refreshes on an annual basis, risk changes daily and it only takes one weak point for a breach to occur. Organizations need to include regular monitoring of their critical third parties to constantly stay ahead and develop mitigation strategies to combat those risks.
- Normally, the new vendor onboarding process correctly identifies the criticality of the provider and triggers the appropriate due diligence. But this process also excludes the low/medium risk population: if any monitoring and/or recertification takes place later, those vendors are left out because they were deemed out of scope at the initial assessment. A strong risk assessment program includes due diligence across all third parties onboarded into a business' operations and mandates basic monitoring and oversight of all vendors, such as an annual profile review to confirm that the service is still low risk, that the supplier is still used, and simple monitoring of operations to ensure the third party remains compliant with required regulations.
Can big data be leveraged within vendor risk? What is its purpose?
Big data enables triangulation of information stemming from disparate sources, allowing firms to form a more complete and consistent view of co-dependencies, thereby illuminating emerging risks.
Currently, many third party vendor risk organizations focus on curating internally and externally sourced third party risk data separately from each other; while each set is useful on its own, correlation across them has been nonexistent. At the same time, third party risk data continues to become more robust and is growing in availability across more entities globally. What big data provides is risk correlation services that support predictive analytics, giving a more comprehensive view of a third party's risk as a whole.
For example, a basic third party risk data solution sees declining financial and cyber control positions that by themselves would not have triggered concern. But when you use big data to pair those control positions together with additional control domains, it indicates that the supplier potentially is focusing less on IT—this comprehensive risk view should then warn organizations of the potential of breaches, lower service levels, more outages, etc.
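The correlation idea in the example above, as an added Python sketch that is not from the article or from any KY3P product: two control domains that each stay above their own alert floor, yet whose combined decline flags the supplier. The domain names, scores and thresholds are constructed assumptions.

```python
"""Risk-correlation sketch (added example, not a KY3P/S&P API).

Each control domain is scored per review period (0-100, oldest first).
A single-domain alert fires only when the latest score drops below that
domain's floor. The correlated check instead looks at the trend of every
domain and flags the vendor when several are sliding together, even though
none has crossed its own floor on its own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainSeries:
    domain: str
    scores: list        # periodic control scores, oldest first
    alert_floor: int    # single-domain alert if latest score is below this


def slope(scores):
    """Least-squares change per period over the whole series."""
    n = len(scores)
    mean_x = (n - 1) / 2
    mean_y = sum(scores) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(scores))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def single_domain_alerts(series):
    """Domains whose latest score is below their own floor."""
    return [d.domain for d in series if d.scores[-1] < d.alert_floor]


def correlated_alert(series, min_declining=2, max_slope=-1.0):
    """Domains declining faster than `max_slope` points per period; the vendor
    is flagged only when at least `min_declining` domains decline together."""
    declining = [d.domain for d in series if slope(d.scores) <= max_slope]
    return declining if len(declining) >= min_declining else []


# Constructed vendor profile: every domain is still above its floor, so a
# per-domain check stays quiet, but finance and cyber are sliding in step.
VENDOR = [
    DomainSeries("financial", [82, 80, 77, 75, 72, 70], alert_floor=60),
    DomainSeries("cyber_controls", [88, 86, 83, 80, 78, 75], alert_floor=65),
    DomainSeries("operational", [90, 91, 90, 92, 91, 90], alert_floor=70),
]

if __name__ == "__main__":
    print("single-domain alerts:", single_domain_alerts(VENDOR))
    print("correlated alert:", correlated_alert(VENDOR))
```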
What automation processes can be used within vendor risk to prevent broken processes?
As the vendor risk assessment process expands in complexity with more regulations, increases scope to include more vendors, and becomes a strong focus across industries beyond financial institutions, it is important to use technology to offload the burden placed on internal risk teams and programs. Effective programs cannot be operated on Excel and Outlook alone. Comprehensive risk solutions that utilize automations leverage the computational power of technology to execute and streamline process-heavy tasks and create space for qualified third party risk management staff to focus on key risks and judgements required by subject matter experts. These robust risk platforms that integrate vendor profiles, external data, workflow, and vendor collaboration can automate due diligence, allowing staff to focus on real risks and develop their risk strategy—and not managing an increasingly intensive and large risk management process.