The Case for Decentralized Third-Party Risk Management

Vendor management reared its head as a repetitive annoyance in the form of required periodic updates to templates and acquisition of required vendor-provided documents to ensure that all boxes could be, or remain checked. Aside from the validation of the vendor’s performance, to which the business owner’s success is tethered, much of the vendor management effort existed outside the business owner’s areas of expertise.

This is because vendor management is a collective exercise. It is the assembly of opinions on a horizontal plane from the village of subject matter experts who operate within most organizations in their own vertically oriented fiefdoms. The business owner was just one of many opinions with a less-than-dominant role.

The new order of things in Vendor Risk Management

The struggle with centralized vendor management has always been staffing. By consolidating the required review steps and practices, an organization could control the program, and present to any auditor or regulator the discipline and authority exercised in managing vendor documentation. But it required a lot of manpower if domiciled in the hands of the few.

Now that we are in the midst of a ‘black swan’ event, managing documentation is trivial, as compared to having engagement and line of sight to the providers who enable your business to function on a weekly, daily and maybe even hourly basis. We now need the many to be engaged and empowered.

There is definition of first-line and second-line of defense in risk models. Vendor management cannot possibly accept and take on both defense roles simultaneously. The definitional first line of defense, the business owners who actually know and are responsible for the business model, must be engaged. It is likely now apparent that your business may depend on it.

A new focus

A new focus has emerged. Is there adequate staffing available for my vendor to operate and provide services to our company? How does the changed staff residency and connectivity of the vendor’s operations alter the information security risk exposure? How do we need to redefine essential services? Do contracts need revisions? Do we have adequate SLAs and options to exit (as defined for Financial Institutions within the FFIEC Examination Handbook Appendix J over five years ago)?

How do policies and procedures need to change with the vendor and within our organization to accept a changing risk tolerance? Is anyone concerned over vendor concentration risk now that there are country-wide lockdowns and viral hotspots? How is cybersecurity exposure and vendor resiliency being monitored and validated?

These are the questions that need to be answered, versus simply does your vendor have an audit bridge letter for last year’s SOC report. Business owners now have more skin in the game. And vendor management organizations need to concede and ensure delegated responsibility for this critical business process to business owners; no longer defining themselves alone as centrally positioned to placate regulatory requirements. Third-party risk is real – and is no longer a hobby.