What the Great Wall of China can teach us about Vendor Risk Management
An vendor risk management approach is all about creating centralized standards that transcend business silos, which is very different from the approach taken in traditional vendor management software. Vendor management needs tools with a risk-based approach to overcome their difficulty of objectively putting the vendor compliance pieces together across legal, purchasing , security reviews, and accounts payable silos for contract renewals and new contracts. Too many controls and oversight are dedicated to addressing low-likelihood risks, leaving vendor management with inadequate time to identify and focus resources on the risks that matter the most.
History repeats itself. The Great Wall of China itself was never breached. However, during an inside job, a traitor opened a gate for invaders in a strategic Shanghai pass, leading to the downfall of the Ming Dynasty!
In today's terms, most companies perform rigorous vendor due diligence with penetration tests, SAEE 16 and insurance certifications, financial reviews, etc. More often than not, however, the vendor breach is through employee emails, data stored at homes or other poor operational controls that are not reviewed during the vendor due diligence process. The root cause risks need to be assessed in context of the business process that relies upon them to prioritize mitigation activities.
Ask yourself what part of your enterprise does not, in some way, depend upon a vendor and its products and services to run effectively. The big loser in not having a vendor risk management approach, beyond the vendor management function, are the business stakeholders. Count the hundreds of hours lost unnecessarily by teams performing compliance activities on low risk vendors and multiple of that number lost due to the delays of getting the key high value vendors they need in place to support their business because they are caught up in a low value compliance process. When you add up these opportunity costs, the disproportionate imbalance between risk and reward is staggering for a non-risk based approach.
ERM software supporting vendor management recognizes that due diligence of a contract renewal is a risk assessment, that the contract terms are risk mitigation activities for those risks and SLA's are just another name for risk monitoring activities. The ERM vs GRC approach uses risk assessment to tell you which clauses need to be added to your contract renewal and what monitoring activities need to go into place. A risk-based vendor management approach is more strategic by connecting the touch points between vendors and the business processes, risks, controls, monitoring, incidents and reporting that take place across the enterprise and their impact on the bottom line and corporate objectives.
By applying a common set of standards or risk assessment templates, ERM streamlines the communication, workflow, data collection and reporting on vendor management, compliance, purchasing, contracting, IT reviews and audit processes to reduce your overall time spent on these activities by 40-80% due to the unnecessary overlap and redundancies currently going on between these business silos. By collecting this information only once and using those relationships, an ERM approach turns all these activities into standardized libraries that can be used and reused over time without reinventing the wheel.
Resources should be allocated to the highest risk, not just another brick in an already overly reinforced wall.