
Manage Tomorrow's Surprises Today

Steven Minsky

ERM approach to vendor risk management


What the Great Wall of China can teach us about Vendor Risk Management

An ERM approach to vendor risk management is all about creating centralized standards that transcend business silos, which is very different from the approach taken in traditional vendor management software. Vendor management needs tools with a risk-based approach to overcome the difficulty of objectively putting the vendor compliance pieces together across the legal, purchasing, security review, and accounts payable silos for contract renewals and new contracts. Too many controls and too much oversight are dedicated to addressing low-likelihood risks, leaving vendor management with inadequate time to identify and focus resources on the risks that matter the most.

History repeats itself. The Great Wall of China itself was never breached. However, in an inside job, a traitor opened a gate for invaders at the strategic Shanhai Pass, leading to the downfall of the Ming Dynasty!

In today's terms, most companies perform rigorous vendor due diligence with penetration tests, SSAE 16 and insurance certifications, financial reviews, etc. More often than not, however, the vendor breach comes through employee emails, data stored at employees' homes or other poor operational controls that are not reviewed during the vendor due diligence process. The root-cause risks need to be assessed in the context of the business process that relies upon them in order to prioritize mitigation activities.

Ask yourself what part of your enterprise does not, in some way, depend upon a vendor and its products and services to run effectively. The big losers in not having a vendor risk management approach, beyond the vendor management function, are the business stakeholders. Count the hundreds of hours lost unnecessarily by teams performing compliance activities on low-risk vendors, and a multiple of that number lost to delays in getting the key high-value vendors they need in place to support their business, because those vendors are caught up in a low-value compliance process. When you add up these opportunity costs, the disproportionate imbalance between risk and reward is staggering for a non-risk-based approach.

ERM software supporting vendor management recognizes that the due diligence for a contract renewal is a risk assessment, that the contract terms are risk mitigation activities for those risks, and that SLAs are just another name for risk monitoring activities. The ERM vs. GRC approach uses risk assessment to tell you which clauses need to be added to your contract renewal and what monitoring activities need to be put in place. A risk-based vendor management approach is more strategic because it connects the touch points between vendors and the business processes, risks, controls, monitoring, incidents and reporting that take place across the enterprise, and their impact on the bottom line and corporate objectives.

By applying a common set of standards or risk assessment templates, ERM streamlines the communication, workflow, data collection and reporting for vendor management, compliance, purchasing, contracting, IT review and audit processes, reducing your overall time spent on these activities by 40-80% by eliminating the unnecessary overlap and redundancies currently going on between these business silos. By collecting this information only once and using those relationships, an ERM approach turns all these activities into standardized libraries that can be used and reused over time without reinventing the wheel.

Resources should be allocated to the highest risk, not just another brick in an already overly reinforced wall.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
