
Technology, specialized skill sets and services, and speed of change are a few key factors driving organizations to engage vendors that deliver better business outcomes. With today's ecosystem undergoing nearly continual change, vendor risk management is top of mind for leaders. AuditBoard’s Focus on the Future survey shows 65% of internal audit leaders cite supply chain, outsourcing and reliance on third parties as a top five risk.

The cloud transformation has many benefits, but it decentralizes critical data and pushes the defensive perimeter outside the organization, increasing the threat surface for cyber risk.
Richard Marcus, Vice President, Information Security at AuditBoard

As such, which processes should your organization enhance for the vendors (e.g., third parties and sub-processors) you rely on?

From a risk perspective, organizations are right to be concerned about their vendor ecosystem. There are many external factors driving the decision-making process for leaders in risk, legal, operations, finance and information security. External factors exist across all industries when assessing your vendor ecosystem.

One area that is top of mind for many organizations is regulatory scrutiny over vendors from or related to the following:

  • The U.S. Securities and Exchange Commission (SEC), particularly cybersecurity and environmental, social and governance (ESG) disclosures.
  • The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), and Treasury Interagency Guidance on Third-Party Relationships: Risk Management 2023 final guidance
  • The National Institute of Standards and Technology (NIST) CSF, 800-53 and SP 800-161, and The International Organization for Standardization (ISO) 27001-2 (vendor security and resiliency)
  • Payment card industry (PCI) DSS requirement 12.8 (vendor management)
  • Health Insurance Portability and Accountability Act (HIPAA) risk assessment over covered entities (including vendors)
  • The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) reporting

In addition, there are other risk considerations that drive evaluation of your extended enterprise. Organizations may be working through a major strategic change, preparing for merger and acquisition (M&A) activity, conducting initial public offering (IPO) due diligence procedures or transforming their technology stack to operate in the cloud. In each of these cases, there are risk factors that need to be considered with dedicated attention to your suite of vendors.

A garden of possibilities

When thinking about your extended enterprise, the makeup, processes, ongoing evaluation and diligence routines draw many parallels to evolving the ecosystem of a garden. Your vendor inventory is constantly changing, and with that change comes risk to the broader ecosystem. It is important to think about relevant and emerging risks before and after a new vendor is selected and onboarded. Below, we highlight components of a mature and healthy vendor program with consideration given to building a thriving garden.

This process is closely linked to selecting plants for a garden. You want the right mix of plants that can thrive in certain climates, grow alongside each other and meet the objectives of the garden. For your extended enterprise, it is important to consider the following:

  • Are vendors being sole sourced or is there a competitive bid process required?
  • Are vendors required to meet certain thresholds for delivery?
  • Do you have vendor relationships in your current ecosystem that can have services expanded to meet the objectives of your organization?
  • How well do the people, processes and technology integrate with your organization?
  • How well will a new vendor interact with existing vendors?

Answers to the questions above may serve as guiding principles in developing criteria for vendor selection. Once baseline questions are answered, organizations can layer in technical requirements, market data and other qualitative and quantitative criteria for a comprehensive view into up-front due diligence.

Planting something new in your garden is like onboarding a vendor into your organization. There are typically process requirements and activities needed to effectively and efficiently onboard a vendor. Organizations may have forms and enablers in place to streamline this process, ideally to expedite the approval process and shorten the supply chain cycle, a concept that seems impossible in post-pandemic days.

In planting something new in a garden, it is critical to perform activities at the right time of the year (as many plants are seasonal). Similarly, vendors may fit into a procurement or budgeting process that only happens during preferred windows of the fiscal year. You may not want to, for instance, be implementing a new cloud-based financial reporting system right before your annual public filings. Onboarding requires the right collaboration with cross-functional teams and potentially other service organizations you rely upon.

What mix of plants do you want in your garden? What purposes do they serve? Do certain fruits or vegetables thrive alongside others? Are there colors or flower types that make a garden more appealing to the public eye?

While these hypothetical gardening concepts relate to less serious impacts than in a vendor ecosystem, the questions remain important. How have tiers been established at your organization, if at all? Do you want to limit your exposure to sole-sourced or high-risk vendors, or does your organization have a high tolerance for risk to support aggressive growth objectives? We see that organizations that proactively manage their vendor tiering tend to lessen their exposure to risk in the supply chain. In re-assessing vendor tiers, you may be able to identify waste or duplicative service providers, which helps to control cost and/or maintain healthy competition. Building a tier structure that is right-sized helps to refine the needs and requirements your organization depends upon.

As an offshoot to this concept, we see more mature organizations incorporate their vendor inventory into a single source of truth. Software systems exist to enhance this process and allow for consistent reporting and assessment as team members grow and change priorities over time. In addition, vendors can be better compared and utilized to complement the services of one another. With proper care and due diligence of your inventory, you enhance the benefits of your vendor management process.

Maintaining a healthy ecosystem involves weeding out risky elements, much like the actual weeding of a garden. Performing risk assessment activities helps to diversify the portfolio of vendors. By balancing the risk profiles of your vendors, leaders have the ability to more swiftly raise or lower the risk exposure of their vendor set. For example, if your organization has a low tolerance for accepting risky vendors, risk assessment results will weed out vendors that are introducing too much risk into the environment.

While your extended enterprise is only a component of a risk assessment, it has direct ties to financial, operational, reputational, regulatory, strategic and technological risk themes. It is important to maintain resiliency amongst your vendor inventory. By performing a risk assessment, you can more directly implement contingency planning and build out scenarios for moving processes in-house or shifting to alternative providers.

This is where regular care and management routines come into play. How often are you watering and feeding your plants? Similarly, what levels of due diligence are you performing for your vendors at different tiers? Typical assessment vehicles may include:

  • On-site assessments;
  • Invoking right to audit clauses;
  • Reviewing critical attestation reports (e.g., System and Organization Controls (SOC) 1® report, SOC 2® report);
  • Administering privacy and security questionnaires; and
  • Service level agreement (SLA) monitoring or testing.

The final concept of SLA monitoring or testing typically aligns to contract management and establishment of key performance indicators (KPIs) with your service organization. If there are key terms, commitments, or requirements in place for a vendor, those may be spelled out in contracts and should be subject to layers of testing or monitoring in a risk-proportionate manner.

Lastly, the process of adapting and transitioning your vendor ecosystem is like reassessing and rotating out plants in a garden. Many vendor management programs have standard processes for renewal, vendor offboarding or data transfer. In the case of customer information or data requirements, there may even be penalties an organization could be subject to. This only increases the importance of effective vendor offboarding processes.

It is typical to see many risks that impact the organization through the offboarding process. High-risk concepts, such as fraud, can come into play if offboarding is not completed effectively. Companies may expose themselves to fraudulent payments, separation of duties (SOD) concerns or other process integrity risks. When offboarding, requirements such as maintenance access and data migration need to be front and center for building a workflow that effectively manages vendor risk. Just because a contract term has ended does not mean a full purchase order (PO) balance has been cleared and payments are automatically cut off. Assessing these risky scenarios should be embedded through vendor offboarding as a means of responding to and managing risk.

Beyond the garden, additional considerations

According to industry threat studies like the Verizon DBIR or the SANS Threat Report, the past year has seen a rise in breaches where the supply chain or the third-party ecosystem was identified as the primary attack vector at the center of the breach. Organizations with large and mission-critical third-party supplier networks are learning that it is important to establish and test incident response plans with key partners, to ensure they are promptly informed and can properly mitigate any risk they may be exposed to by a breach impacting a third-party partner.

There are many governance, risk and compliance (GRC) platforms that help establish a single source of truth for your vendor ecosystem. Baker Tilly has strategic alliances with the likes of AuditBoard, who incorporate modules specifically dedicated to third-party risk management.

Many companies have established supply chains and/or procure-to-pay processes and controls. In some cases, the processes and controls are documented in a robust manner. In other cases, organizations operate in an ad hoc manner and require further fine-tuning and governance development. In either case, Baker Tilly is skilled in designing control processes, assessing effectiveness and supporting the documentation of critical workflows for assessment of risk exposure.

Leading organizations are consistently operating tabletop exercises or other real-time training techniques that often dovetail into vendor risk. Ongoing training and support from the top down assists in maturing an organization and building a more risk-aware culture.

Are you ready for a wellness check on your vendor ecosystem?

Based on the season, you may not be ready to brave the elements and start a new personal garden, but now is a great time to enhance the health and wellness of your extended enterprise.

Baker Tilly’s team of risk professionals understands both business process and cybersecurity risk concepts that are present across vendor ecosystems. Connect with our specialists to enhance and build out vendor management processes in a manner that is rightsized to your organization.

Mike Cullen
Jim Kearney