So… 2020, am I right? While I’m never an advocate of wishing time away, I think many people are eagerly awaiting that ball drop on December 31, so they can finally say goodbye to the extremity of this year. Unlike most new years, we may be more focused on getting back what we once had, as opposed to striving for more change. If nothing else, 2020 has provided for some deep introspection, and a rare opportunity to value things we never thought we would have to go without.
As risk managers, many of us are humbled by the events of this last year. We’re supposed to see into the future and prevent unfavorable outcomes. Chances are, at some level (if not many), we missed things. And now, even knowing how unlikely it is that anything like this happens again in the foreseeable future, we’re tightening up on every possible control associated with pandemic planning, remote work, financial assessments, excess spending, business continuity practices and impact analysis; the list goes on. Next global pandemic? We’re going to be ready…
We won’t soon forget what it felt like to have our world turned upside down. So, as we strive to regain some sense of normalcy, it's a good time to home in on the things we've always done with a new sense of focus and appreciation. Instead of finding ways to change and accomplish new goals in 2021, perhaps we should focus on the basics, and strive to do what we’ve always done… but better.
4 Vendor Risk Management Resolutions for 2021
Here are four areas I know would be great places to focus on improving in 2021:
1. Advocate the importance of your program.
One problem we have in vendor risk or third-party risk management is getting everyone to understand why we’re important. We send out questionnaires, add red tape to our colleagues’ initiatives, add slides to the already exhausted executive decks, and all too often, we’re only seen as a burden. But now, more than ever, it should be clear that understanding where and how we lean on other organizations is imperative. Maybe we didn’t take enough time in the past to reach out to our leaders and ask for that extra voice in supporting our risk program. Carve out some time to put together that internal training presentation you’ve always been meaning to do. You may find that a little effort can go a long way in gaining some much-needed support for your program.
2. Put your metrics where they matter.
Risk management is a whole lot of information gathering, assessments and data tracking. We maintain a massive amount of data, and unfortunately, the reports on that data often miss the mark. Whether that’s because the right data is never captured or is poorly maintained, or because the valuable information you do capture never leaves the database, start making sure your metrics matter. Connect with leaders and stakeholders on a level they can relate to. Talk about their vendors with insight into the real risks you found and the mitigation efforts underway, and use these conversations to share the wealth of knowledge you have at your fingertips.
But executives and business owners are not the only ones who need vendor risk information. Information security, business continuity, privacy, compliance and legal all need to understand the pertinent data gathered from vendor assessments. Which brings me to my next goal…
3. Open key lines of communication.
It can be all too easy for a third-party risk management team to get so bogged down in the details of assessments, due diligence, risk ratings and executive reporting that they fail to communicate with the other teams that tie into their process. As I said before, this information is extremely valuable.
Here are a few critical communication examples:
- Business Continuity/Disaster Recovery. Any data gathered that pertains to the operational reliance on a vendor should be communicated, in some way, to your internal business continuity and disaster recovery teams, and considered in a business impact analysis.
- Business Owners. The internal owner of a vendor relationship is the one relying on that vendor day to day, so they should hear the real risks your assessment identified and the mitigation efforts underway, in terms they can act on, rather than only a risk rating on a report.
- Legal. If the vendor is in breach of their contract by not providing adequate information, or if they are not providing what is necessary because the contract doesn't require them to, the matter should be brought to legal to either address the breach of agreement or to negotiate an amendment.
- Infosec. Any time a VPN is set up for information sharing, sensitive content is sent via email or otherwise, an application requires integration with or download onto your network, etc., you should reach out to your friends in IT. Whether it's security, infrastructure, project management, IS governance or the CISO themselves, communicate.
- Compliance. If you have vendors that need to maintain compliance with certain regulations, your internal compliance team should also know about it, and have a means to validate it.
Communication is how you ensure the fabric of your organization remains tight, despite heavily outsourced engagements.
4. Eliminate single points of failure.
Finally, and this is a big one that never gets enough attention, make sure your process won’t fail if any single person were to leave. If 2020 has taught us anything, it’s that nothing is certain. Our health and wellbeing are volatile. The stability of our employment and organizations can be put into question at any time, and while I don’t recommend living in fear or uncertainty, it’s wise to prioritize simple measures that ensure the show goes on if a cast member doesn’t show.
Here are a few tips to avoid bottlenecks and failure points:
- Cross-train different functions
- Maintain good procedures
- Dedicate time to train other departments about what you do
- Take good (or GREAT) notes
- Keep your saved information organized
Everyone wants to feel invaluable. But everyone also needs to be able to take a vacation without feeling guilty. If you’re someone who needs to be at work at all times to prevent some sort of collapse, talk about it, ideally with your manager or business continuity team.
It’s often difficult to take the time for “process enhancements” when we’re saturated in simply doing what must be done. But if we need a little motivation for resolutions in 2021, let’s stick to the basics, and the big picture. Take a step back. Like a mechanic listening to an engine to find out what’s ticking, find those things you’ve always known could use a little elbow grease. There are always little things we can do to make the big picture a better one.
Wishing you all a safe, happy, healthy and *predictable* new year!
Dive deeper into how to master vendor management. Download the eBook.