Welcome to Integrade, and thank you for subscribing. It is our constant endeavor to bring you the best of the world of Enterprise Governance, Risk and Compliance (eGRC). In this edition of the newsletter we focus on vendor risk management, also called third-party risk management, and on how we can help make sure your organization has a robust vendor/third-party risk management program in place.
There is rarely an organization that does not outsource some of its work to other organizations. These other organizations are variously called vendors, third parties, third-party service providers or strategic alliance partners. Organizations focus on their core functions and leave the non-core work to vendors, whether to improve revenues or for other strategic reasons. Over time, each organization becomes a specialist in its own area.
The vendor-vendee relationship has spurred economic growth across national boundaries in a chain-reaction fashion, helping to move outsourced work to developing countries such as India, Bangladesh and Mexico. The Indian city of Bengaluru is called the Silicon City of India for the sheer number of multinational companies that have set up branches there. In this way the model has been a boon to the developing parts of the world. The degree of integration between parent organizations and their allied companies has also grown enormously. Take the automobile industry: the integration that automobile manufacturers have cemented with the manufacturers of tyres, glass and electronics is astonishing, and it produces a direct trickle-down effect whenever the parent's fortunes rise or fall. During an economic crisis, low automobile sales show an immediate effect on employment and sales revenue at the tyre and glass manufacturers. Almost every industry is witnessing this kind of integration because of the nature of the work that is outsourced.
Of late, some vendors have grown to the size of their parent organizations, and in some cases larger. This raises questions about how the performance of the parent organization depends on the performance of its vendors, and how the reputation of the parent depends on the reputation of its vendors. In practice the two are directly linked, which forces parent organizations to monitor their vendors constantly. The discussion so far has been purely about operations and revenue, but a risk angle has been emerging over the past couple of decades.
To put it another way, in the industrial era parent organizations were mainly wary of operational issues, so that their manufacturing cycle would not slow down. In the current digital era, organizations that employ vendors must monitor many more areas, such as information security, technological capability, financial stability and other strategic factors. A vendor failure in any of these areas can cause enormous damage to the organization. The bigger the organization, the riskier it is to deal with vendors, because the most important asset, its reputation, is at stake.
There have been innumerable cases in which a company's reputation vanished almost overnight because of the acts of its vendors, whether intentional or unintentional. Major companies such as Best Buy, Sears, Delta Airlines, Target, Discover, American Express and Capital One have all been burned by vendors. In some of these instances, sensitive customer information such as Social Security numbers, credit card details and email addresses was exposed. The organizations involved were pulled into legal quagmires as a result of public outrage. The old adage "prevention is better than cure" remains very relevant in such cases.
The discussion above leads to the next question: who is responsible and accountable for monitoring these vendors for signals that could lead to unintended consequences at the parent organization? Toward this end, the governments of some countries have stepped in to regulate how crucial industries such as finance and health care deal with their vendors. In the US, for instance, the Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, the Consumer Financial Protection Bureau (CFPB) and the Federal Deposit Insurance Corporation (FDIC) have all issued guidance on managing the risks that arise from vendors. This guidance is built on the principle that activities can be outsourced but responsibility cannot. For organizations in scope, following these guidelines is not merely a moral responsibility but an obligation. Any deviation invites penalties, deeper scrutiny through audits and, if matters get worse, restrictions on the company's activities.
To help you avoid these issues with regulators, we at Integrade offer simple, reliable and cost-effective solutions for third-party risk management. Our consulting services include designing policies from scratch based on the regulations applicable to the client's industry, designing process flows with controls embedded, defining roles and responsibilities, designing risk and due diligence assessments, setting up contracting processes, and building appropriate dashboards, notifications and access control mechanisms. The key elements of a robust program are maintaining a catalog of all third parties, categorizing them by the risk they pose to the parent organization, assessing them periodically for risk, having proper contracts in place, being able to sever ties with a third party without hassle, and reporting the results to senior management periodically and to auditors when needed. We also implement these process flows on current technology platforms such as the RSA Archer suite. RSA Archer's ready-to-use eGRC use cases, such as Third-Party Governance, provide out-of-the-box artifacts that form the basis of the third-party risk management solution.
We also provide managed services for organizations looking to run or update their existing third-party risk management solutions, with 24x7 support for clients across the globe. With our delivery model, your organization can focus on its core strengths and leave the management of third-party risk to us.
For more information, please reach out to us at Email: Sales@integradesolutions.com
We are Happy to Help!
"To build pervasive security across that third-party ecosystem, you not only need to know who those third parties are and what they are doing for you"