So… 2020, am I right? While I’m never an advocate of wishing time away, I think many people are eagerly awaiting that ball drop on December 31, so they can finally say goodbye to the extremity of this year. Unlike most new years, we may be more focused on getting back what we once had, as opposed to striving for more change. If nothing else, 2020 has provided for some deep introspection, and a rare opportunity to value things we never thought we would have to go without.
As risk managers, many of us are humbled by the events of this last year. We’re supposed to see into the future and prevent unfavorable outcomes. Chances are, at some level (if not many), we missed things. And now, even knowing the probability of anything like this happening again in the foreseeable future, we’re tightening up on every possible control associated with pandemic planning, remote work, financial assessments, excess spending, business continuity practices and impact analysis — the list goes on. Next global pandemic? We’re going to be ready…
We won’t soon forget what it felt like to have our world turned upside down. So, as we strive to regain some sense of normalcy, it’s a good time to home in on the things we’ve always done with a new sense of focus and appreciation. Instead of finding ways to change and accomplish new goals in 2021, perhaps we should focus on the basics, and strive to do what we’ve always done… but better.
One problem we have in vendor risk or third-party risk management is getting everyone to understand why we’re important. We send out questionnaires, add red tape to our colleagues’ initiatives, add slides to the already exhausted executive decks, and all too often, we’re only seen as a burden. But now, more than ever, it should be clear that understanding where and how we lean on other organizations is imperative. Maybe we didn’t take enough time in the past to reach out to our leaders and ask for that extra voice in supporting our risk program. Carve out some time to put together that internal training presentation you’ve always been meaning to do. You may find that a little effort can go a long way in gaining some much-needed support for your program.
Risk management is a whole lot of information gathering, assessments and data tracking. We maintain a massive amount of data, and unfortunately, the reports on that data often miss the mark. Whether the right data is not captured or is poorly maintained, or the valuable information you capture never leaves the database, start making sure your metrics matter. Try to connect with leaders and stakeholders on a level that they can relate to. Talk about their vendors with insight into real risk and mitigation efforts, and use these connections to show the wealth of knowledge you have at your fingertips.
But executives and business owners are not the only ones who need vendor risk information. Information security, business continuity, security, privacy, compliance and legal all need to understand the pertinent data that is gathered from vendor assessments. Which brings me to my next goal…
It can be all too easy for a third-party risk management team to get so bogged down in the details of assessments, due diligence, risk ratings and executive reporting that they fail to communicate with the other teams that tie into their process. As I said before, this information is extremely valuable.
Here are a few critical communication examples:
Communication is how you ensure the fabric of your organization remains tight, despite heavily outsourced engagements.
Finally, and this is a big one that never gets enough attention, make sure your process won’t fail if any single person were to leave. If 2020 has taught us anything, it’s that nothing is certain. Our health and wellbeing are volatile. The stability of our employment and organizations can be put into question at any time, and while I don’t recommend living in fear or uncertainty, it’s wise to prioritize simple measures that ensure the show goes on if a cast member doesn’t show.
Here are a few tips to avoid bottlenecks and failure points:
Everyone wants to feel invaluable. But everyone also needs to be able to take a vacation without feeling guilty. If you’re someone who needs to be at work at all times to prevent some sort of collapse, talk about it, ideally with your manager or business continuity team.
It’s often difficult to take the time for “process enhancements” when we’re saturated in simply doing what must be done. But if we need a little motivation for resolutions in 2021, let’s stick to the basics, and the big picture. Take a step back. Like a mechanic listening to an engine trying to find out what’s ticking, find those things you’ve always known could use a little elbow grease. There are always little things we can do to make the big picture a better one.
Wishing you all a safe, happy, healthy and *predictable* new year!