Vendor Risk Management: Third-Party Risk Analysis / Annual Review

Andrew Paull
Oct 8, 2020 2:00:00 PM

We live in a world where our interactions with each other are generally benign, observed to be candid at face value, making it easy to take the assurances of success, functionality, and capability of our colleagues and acquaintances as they are meant. Unfortunately, business interactions cannot always be held to the same standard. While the intention of every business relationship is expected to be transparent, it should be approached with optimistic caution, a grain of salt if you will. When it comes to enacting a partnership that may result in a long-term engagement, it is best to take the “trust, but verify” approach to establishing a new third-party implementation. No vendor or partner should ever be onboarded without establishing a thorough vetting process to identify their potential risks to business operations, public perception, or information and technologies. It is okay to believe, or want to believe what has been expressed by a third party about its offerings and operational history, but too often enterprises fall victim to lengthy contractual agreements that result in poorly managed service offerings or even security catastrophe simply due to a lack of periodic review and historical background investigation. Let us examine.

Identifying the Need

Often times when a need arises, organizations will look to outsourcing certain operational activities to a qualified provider. This can be as simple as implementing a third-party cloud provider to handle data hosting online or outsourcing all IT operations to a vendor who will provide the staff and experience to complete all potential or required IT tasks. The specific reasons for outsourcing vary by organization, but it all boils down to cost and resources. This may seem obvious, but when making the decision to onboard an external provider to perform business functions, it is important not to go with the first provider that responds to an RFP or appears to satisfy the requested functions. The best plan is to line up several providers with offerings which suit the current need and begin a risk assessment process that incorporates a standardized questionnaire, document collection requirements, and historical background investigation to identify any potential areas of concern to help make the most informed decision.

Performing the Analysis

When vetting and reviewing the history of a potential third-party service provider, in addition to the business’ capability to provide the requested services, cost, availability, etc, we generally add focused attention on the prospect’s security incident response history. Many organizations have, at one time or another, fallen victim to a security breach, minor or severe. This should not automatically disqualify them from consideration. In fact, many times, assessing the processes and techniques by which a third-party service provider has responded to security events in the past can help establish expectations of the business relationship and shed light on how they may respond in the future. A business that has never had to deal with significant security events may not have the experience or operational facilities and governance to respond or mitigate a wide range of threats. Most response procedures are adapted from real world experiences and updated when an event occurs to include lessons learned. This is not to say that either situation is preferable; only that appropriate consideration is made when analyzing a service provider to meet the needs of the organization.

Making the Selection

It is likely that the analysis will result in multiple potential service providers that meet the functional requests of an RFP. By this point, the organization is well informed on each prospect and a decision must be made to onboard a service provider. This process will involve internal discussions on the viability of a particular option, length of potential contracts, and the consideration of any major changes the provider may implement or incur to technological infrastructure, public relations, financial stability, and resources due to regulatory changes, geopolitical events, market fluctuations, and emerging threats. Once a provider is chosen, appropriate responsibilities and contract length terms need to be documented and acknowledged by both parties and an agreement must be signed. A review of this agreement should be performed at least annually or when the contract terminates/is renewed. When renewing an agreement, the same considerations from the original service provider analysis should be incorporated and updated which will inform future requirements.

Overall, the third-party service provider analysis and review process can be quite time consuming and include logistical provisions but should not impede the organization’s normal operations. If there are time constraints on selecting a service provider, a rule of thumb is to select the best option from all operational perspectives and reassess at an appropriate time in the future. An organization should always be aware of its own operational requirements and prioritize them when vetting a third party-service provider, even if it means changing providers at a later date or altering original agreements. Feel free to contact us to further discuss your unique vendor risk management situation!

You May Also Like

These Stories on Vendor Management

Subscribe by Email

No Comments Yet

Let us know what you think