What can the Great Wall of China teach us about vendor risk management?
An vendor risk management approach is all about creating centralized standards that transcend business silos which is very different than the approach taken in traditional vendor management software.
Vendor management needs tools with a risk-based approach to overcome their difficulty of objectively putting the vendor compliance pieces together across legal, purchasing , security reviews, and accounts payable silos for contract renewals and new contracts. Too many controls and oversight are dedicated to address low likelihood risks, leaving vendor management with not enough time to identify and focus resources on the risks that matter the most.
History repeats itself. The Great Wall of China itself was never breached. However, a gate at a strategic Shanhai pass was opened for the invaders as an inside job by a traitor, which led to the downfall of the Ming Dynasty!
In today's terms, most companies perform rigorous vendor due diligence with penetration tests, SAEE 16 and insurance certifications, financial reviews, etc. More often then not however, the vendor breach is through employee emails, data stored at homes or other poor operational controls that are not reviewed during the vendor due diligence process. The root cause risks needs to be assessed in context of the business process that relies upon it to prioritize mitigation activities.
Ask yourself what part of your enterprise does not in some way depend upon a vendor and its products and services to run effectively? The big losers in not having a vendor risk management approach, beyond the vendor management function, are the business stakeholders. Count the hundreds of hours lost unnecessarily by teams performing compliance activities on low-risk vendors and the multiple of that number lost due to the delays of getting the key high-value vendors they need in place to support their business because they are caught up in a low-value compliance process. When you add up these opportunity costs, the disproportionate imbalance between risk and reward is staggering for a non-risk based approach.
ERM software supporting vendor management recognizes that due diligence of a contract renewal is a risk assessment, that the contract terms are risk mitigation activities for those risks and SLAs are just another name for risk monitoring activities. The ERM vs GRC approach uses risk assessment to tell you which clauses need to be added to your contract renewal and what monitoring activities need to go into place. A risk-based vendor management approach can be more strategic by connecting the touch points between vendors and the business processes, risks, controls, monitoring, incidents and reporting that take place across the enterprise and their impact on the bottom line and corporate objectives.
By applying a common set of standards or risk assessment templates, ERM streamlines the communication, workflow, data collection and reporting on vendor management, compliance, purchasing, contracting, IT reviews and audit processes to reduce your overall time spent on these activities by 40-80% due to the unnecessary overlap and redundancies currently going on between these business silos. By collecting this information only once and using those relationships, an ERM approach turns all these activities into standardized libraries that can be used and reused over time without reinventing the wheel.
Resources should be allocated to the highest risk, not just another brick in an already overly reinforced wall.