Top Industries That Need To Up Their Vendor Risk Assessment Game

Upstream compliance, cyberthreats, geographical location, financial assets, and reputation are five of the top vendor risks most organizations face. But different industries also face vendor risks challenges that are unique to their business sector. For example, the healthcare industry has HIPAA regulations it must follow, and the insurance industry is subject to reporting and auditing standards from various state regulators. 

When investigating vendors, many companies focus on what they offer and whether it will help them work better and faster. Few conduct a thorough security assessment that's needed to ensure that third-party vendor systems won’t open up holes in their own security or introduce new threats into their network.

At ComplyScore, we have successfully helped companies in a variety of industries assess and manage their vendor risks. Based on our experience, these five top industries must up their vendor risk assessment game now to ensure their vendors’ security standards are as robust as the ones they have in place themselves.

Entertainment

The entertainment industry uses many third-party vendors but has no mandated vendor risk regulations it must meet. The industry must initiate vendor risk assessments on its own. While vendor risk management is important to all entertainment businesses, video game companies face enterprise-specific challenges from practices such as outsourcing production elements to countries that represent higher security risks. Comprehensive risk assessment can help the industry avoid expensive litigation while preserving reputation and stakeholder value.

Insurance

The insurance industry has long outsourced business processes and utilized third-party software solutions. Regulators like the OIG, OCC, FFIED, CFPB, and others require insurance companies to identify possible third-party risks, verify the vendors they do business with are compliant, and regularly monitor changes that may create new risks. A risk assessment platform helps automate risk rating and reduce the amount of time spent managing vendor risk.

Healthcare

Most healthcare organizations have a strategy in place to comply with the Health Insurance Portability & Accountability Act (HIPAA) but with each new technology and practice, fresh risks abound. Third-party risks cost the healthcare industry nearly $24 billion per year and many providers are hard-pressed to adequately assess and understand the risks their vendors pose. A cloud-based platform and end-to-end vendor risk assessment managed services can help meet each provider’s unique needs and ensure compliance requirements are met.

Financial Services

A favorite target for cybercriminals, the financial services sector must continuously monitor third-party risk, adopt policies that go beyond regulatory compliance, and devise an organization-wide approach to vendor risk management. From deciding whether a vendor is a good fit to establishing a cybersecurity culture, a broad vendor risk assessment process protects critical financial and PCI data and helps organizations avoid catastrophic breaches.

Pharma

Pharmaceutical, biotechnology, and medical device companies face many regulatory compliance requirements related to areas like trial designs, geographic location, and/or specific expertise. Geographic expansion is a particular challenge the life sciences industry faces, as is meeting anti-bribery regulations. An advanced 3rd party assessment solution streamlines the vendor assessment process while ensuring analytic consistency and significantly reducing overhead.

Third-party vendors are a risky necessity that can be made safer by using a cloud-based risk assessment solution and vendor risk assessment managed services. ComplyScore’s CyberScore is designed to help top industries manage third-party relationships in accordance with increased and expansive regulatory expectations while mitigating the risks posed by third-party vendors throughout the lifecycle of the relationship.

This blog was originally posted on https://complyscore.com/blog/top-industries-that-need-to-up-their-vendor-risk-assessment-game/

Key Elements of Comprehensive Vendor Governance Program

Contracting the right vendors, monitoring their performance, and managing associated risks—they all pose significant challenges that too many organizations are still ill-equipped to deal with. In today’s uncertain business environment, a comprehensive vendor governance program is more important than ever for helping businesses cope with increasing risk levels and other vendor governance concerns.

These key elements will make your organization’s vendor governance program as thorough and effective as possible.

Build the Team

Choosing the right vendors to work with can be difficult and many organizations still trust their gut when going with one vendor over another, continuing with an existing vendor for the sake of familiarity. Metrics and data help you make more educated vendor selection decisions.

Research Vendors

Before creating a vendor governance program you need to research and identify who your vendors are. Keep in mind that a “vendor” is any third-party, associate, or contractor your organization does business with.

Other critical components of the vendor governance process include:

- Obtaining pricing quotes and/or bids

- Establishing vendor capabilities

- Researching turnaround times and quality of work

Careful Contract Negotiation

“Standard” vendor contracts come with potential risks and costs. In organizations with a high volume of third-party vendors, some contract details may get overlooked. All contracts should be carefully scrutinized and negotiated to make sure they:

- Adhere to industry best practices

- Are mutually beneficial

After all the hard work of research and contract negotiation, it makes sense to monitor and manage vendor performance. Performance incentives should be considered, KPIs established, and penalties defined.

Collaboration and Transparency

Frequent collaboration helps vendors understand what they need to do to meet your organization’s goals. So, too, does mutual transparency which lets vendors know not only when they’re not meeting expectations, but when they’ve done a good job. In order to make sure any established compliance procedures and checks are not being missed, vendors should regularly update you on changes to their processes as well. All disputes should be swiftly addressed and resolved to facilitate a strong relationship.

Financial Matters

Clear terms of invoicing and payments should be established upfront and should be structured to your organization’s benefit. A dispute resolution process should be put in place and terms should be regularly reviewed to optimize cash flow.

Risk Management and Compliance

It’s important to know when any of your vendors pose a risk to your organization. While there’s no one-size-fits-all solution to third-party risk management, two factors are crucial to any vendor governance program:

- Identify risks using assessments. Data-driven reports let you know how well a vendor is performing and whether they’re meeting their contractual obligations.

- Mitigate risk by applying the right controls. Internal and external controls ensure contract terms are performed accurately and efficiently and that issues are flagged before they become huge problems. They also give you greater confidence in data security, minimize fallout from breaches, and allow for business continuity.

Develop Long-Term Vendor Relationships

To fulfill organizational missions and goals, it’s almost always advantageous to work with good third-party vendors in a long-term, mutually beneficial way.

Whether your goal is cost savings, improved vendor delivery, procedural standardization, or a combination of all three, the right vendor governance program goes beyond essential procurement functions to deliver strategic value. It also brings transparency to vendor evaluation and selection and helps ensure the way you select third parties to work with is based on value, not sentiment or habit.

ComplyScore offers comprehensive vendor governance solutions that simplify the entire vendor management process including risk assessment, due diligence, and contract performance tracking. We’re committed to providing you with the expertise, technology, and processes you need to transform your vendor management strategy, enhance security, and mitigate compliance risks. Contact us to learn how we can add value to your vendor governance program.

This blog was originally posted on https://complyscore.com/blog/key-elements-of-comprehensive-vendor-governance-program/

Risk Remediation and Tracking by ComplyScore: How We Do It ?

Risk remediation is a crucial part of the vendor risk assessment cycle. If incorrectly executed, it will dilute and diminish the effort put into the assessment. A detailed and relevant questionnaire, a thoroughly executed assessment, is a wonderful precursor to mitigation tracking.

At ComplyScore, we have been performing almost 3,000 assessments annually. Our vast experience providing it vendor management services and performing assessments across various industries and working with vendors globally has given us a good perspective on how to effectively track risk remediation. I will be sharing my insights and best practices implemented by us in the following sections.

All clients have different policies and guidelines which must be followed when handling company data. Thus, ComplyScore risk assessments and mitigation tasks vary depending on the client. Slight variations to the assessment don’t change the way one should follow up with a mitigation task. After an assessment is reviewed, a gap report or mitigation plan is sent to either the client or vendor contact. The amount of time allotted to respond depends on the inherent risk of the vendor, the severity of the gap and the policies of the client  It is always preferred to have the ability to track mitigation tasks automatically as the more assessments you need to track, the harder it becomes to track it manually.

Working with Vendors for Mitigation

Gaps & mitigation tasks must be first confirmed by the vendors. Allowing the vendor to clarify mitigation tasks is an important step in the process as well. There are compensating controls that may cancel out the mitigation task. Typically, we offer 2 weeks to the vendor to do the same. We see that 2-3 follow-ups are required before the vendors confirm.

An automated process helps. We send an email before the expiry of 2 weeks that the mitigation tasks would be assumed to be accepted if not confirmed within the allocated time. This evokes a quick response. Within a week of that email, we see a spike in acceptance or clarification of mitigation tasks. Mitigation tasks that are high risk should be closed quickly. For a tier 2 vendor, ComplyScore provides a due date of 60 days for high-risk findings, the medium should be closed out in 90 days and low risk 120 days.

Tracking all communications in one place is critical. Tracking clarifications, adjustments to impact, or any other aspect of the mitigation task must be captured online. Emails or phone calls do not provide the audit trail that is required in the future.  Also, negotiating on completion date is common. Smaller companies tend to think they are the exception to the rule because they have fewer employees or work from their home. Of course, exceptions can be made after reviewing all factors and ensuring that the company data will be protected. We do not expect everyone to have an ISO or SOC2 Type 2 report like larger companies. Still, things like multi-factor authentication, which is not determined by the size of your company, can be expected at a minimum.

Periodic communication with the vendor is key. ComplyScore sends out email reminders at the midpoint of the task and close to the completion date. While these reminders are critical, what we have found is that a personal email following up on these emails, or even a phone call, helps keep the vendors focused on the tasks.

Once the tasks are closed, vendors must upload supporting documents or present the documents in an online meeting.  Besides sending automated email reminders, setting up such meetings is also very important. The more the human touch, the higher the rate of response. While these add extra efforts, the return is high.

Overall, I feel that managing mitigations are as critical as conducting assessments, and consistent communication is the key to get the tasks completed on time and result in a successful it vendor risk management outcome. Contact us to learn more about our vendor management solutions.

This blog was originally posted on https://complyscore.com/blog/risk-remediation/

Supply Chain Risk Management

What is SCRM?  

Supply Chain Risk Management is “the implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.”

 Supply Chain Management is an essential part of vendor governance, and involves the entire life cycle from procuring the raw materials required for a product until it reaches the consumer. Supply chain management consists of identifying the vendors involved in producing a finished product and the risk these vendors pose to the entire chain. While sourcing, contract management, and supplier management are some of the critical elements of SCM, in this article, I will focus on vendor risk management.  

A supplier’s risk to the supply chain cannot be conducted in isolation but needs to be conducted along with cyber risk, financial, reputational, legal, risks. For example, a supplier with weak cyber operational controls will pose a significant risk for the entire chain. Supplier management needs to be meticulous, thorough, data-driven, and also include a list of back up suppliers to minimize the impact in the event of a disruption.  

Today, almost all organizations rely on hundreds if not thousands of suppliers across all areas to function. In many cases, the overwhelming volume of suppliers and the massive load of data associated with them, are some of the reasons for organizations to defer looking into starting the process of supplier management. 

At ComplyScore, as a vendor risk management company, we have helped multiple companies reduce their supplier risk by implementing industry best practices. I have listed a few of them below. 

1. Information– The more information you have, the better!

Have a complete inventory of all the suppliers your organization uses. Do not just focus on your tier 1 suppliers. You need to have details on your tier 2&3 too. Also, have a backup list of suppliers you can use in case of a disruption of service from your current supplier. Not having a list as well as a backup list puts you at a disadvantage from the get-go 

2.  Inherent Risk on each supplier–  

First, assess the “impact” of the vendor across multiple areas. These areas are: 

      a. Financial Impact 

What will be the monetary impact on your business if the supplier is unable to deliver due to any reason? E.g., Bankruptcy? 

     b. Operations impact 

Will a delay/disruption from a particular vendor affect your production directly and indirectly? 

    c. Legal Impact 

Will, there be a legal impact, and how much will it be a lawsuit if the supplier does not comply with regulations? 

   d. Information Security impact 

Does business with a particular supplier put your security posture at risk?  

   e. Reputation impact 

Will, the goodwill and reputation of your organization, be impacted by doing business with the supplier 

   f. Assess the sensitivity of the supplier‘s failures across internal & external factors: 

• Examples of external factors include 

1. Liquidity – A highly leveraged supplier will be very sensitive to liquidity 
2. Geographical disruption – Social, political or environmental disturbances 

• Examples of internal factors include 

1. Compliance culture 
2. Process maturity 

Meticulously designed supplier risk assessments are needed to adequately assess the risk and its impact on your organization’s security posture. 

 3. Putting it together –  

• Create risk appetite policies 

• Establish inherent risk scoring of the suppliers 

• Establish sensitivity of the supplier to external factors which predict the risk of failure  

• Create a heat map of Likelihood and Impact of failure 

• Establish mitigation strategies for each quadrant 

4. Monitor the risk  

              a. Monitor the supplier‘s metrics 

• Establish proxy indicators & metrics. For example, delivery performance is an excellent measure of capacity & process maturity.  
• Correlation between these metrics (additional below) and the supplier risk are critical to managing risk proactively. Continuous monitoring of the vendor will alert you at the very beginning of disruption.

Having a third party vendor risk management software will help you monitor the risk factors on an on-going basis. 

              b. Monitor the external factors 

• tools like Risk Pulse, Resilience 360, Stat Weather will help your staff to take precautionary actions. Similarly, tools like Geoquant will keep you informed on the political situations around the world. This is particularly helpful as in today’s world, a single organization runs on the materials and help coming from all over the world.  

c.  Based on which factors are turning red, activate the mitigation plan. While the overall plan seems broad, creating the quadrants help focus on areas of high impact and high likelihood. Service providers like Complyscore will help you put these risks together.

This blog was originally posted on https://complyscore.com/blog/supply-chain-risk-management/