According to the Opus and Ponemon 2018 report, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is higher at 61 percent. Also noted that many breaches go undetected: 22 percent of respondents admit they didn’t know if they had a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach cost.
We covered the Major Breaches and Bankruptcy in Part I, and Part II and III were about the Drivers, Alignment, and Governance of Third-Party Risk Management (TPRM). The series will cover the following topics at a high level to provide sufficient knowledge for professionals to design the program that commensurates with the size, nature, and objectives of the organization. It explores the topics below:
- Drivers of Risk Management
- Alignment and Governance
- Categorizing Vendors
- Analyzing Vendor Risks
- Monitoring Vendor Risks: The Vendor Management Organization
- Communicating Vendor Risks
- Optimization and Standards
Many organizations are not aware but intellectual property (IP) breaches can be a recipe for bankruptcy.
The vendor categorization helps in determining the focus of risk management efforts based on the business value vendor delivers and how critical is vendor contribution in achieving business objectives. The strategic vendor, for example, represents significant client spending, a high cost to switch, and is expected to deliver a high level of business value. Hence all vendors do not require the same level of scrutiny for risk management.
In order to prioritize the risks to be monitored, it is essential to segment the vendors. The chart below provides information about different factors that help categorize vendors. The publications by Forrester, Gartner, ISACA, and other professional organizations provide questionnaires to assist in categorizing vendors based on their criticality to business objectives.
|Current Expenditure||High||Medium or High||Low to Medium||Low to High|
|Future Expected Spending||High to Medium||Medium to High||Medium to High||Low to High|
|Breadth of Product or Service/Dependency||High||High||Low to Medium||Low|
It is essential to manage the relationship with vendors based on the risk it poses to the organization’s objectives. Below is brief about the different categories of the vendors:
- Strategic vendors: They critical to meet the business objectives of the organization, represent high client spending and a high cost to switch.
- Legacy vendors: They are essential to meet the business objectives of the organization but not critical thought they represent a likely high level of spending and high cost to switch.
- Emerging vendors: These vendors essentially could become strategic in the future as they provide innovative features but at present represent a relatively low level of spending and less cost to switch.
- Tactical vendors: These vendors are not critical to meeting business objectives and represent low cost.
The classification vendors will also help the organization to develop and implement controls to reduce the risk. The business continuity will take into consideration the risks associated with strategic vendors in its continuity planning and risk resiliency program.
In Part II we discussed Drivers of Risk Management. Part III is about Alignment and Governance. The four very important considerations for TPRM governance are:
- Alignment of customer and providers goals
- A comprehensive inventory of third parties
- Accountability for oversight and the overall management of your TPRM Program
- Clearly defined roles and responsibilities across the organization
In Part V we will cover the next topic “Analyzing Vendor Risks.”