Risk & the Enterprise: Managing Vendor Risk. Chris McClean, Principal Analyst, Research Director. Risk management is maturing and expanding in the enterprise. GRC spans across many teams. At your organization, who is responsible for the day-to-day coordination of your GRC program?
Risk & the Enterprise: Managing Vendor Risk
Chris McClean, Principal Analyst, Research Director
GRC spans across many teams
At your organization, who is responsible for the day-to-day coordination of your GRC program?
Base: 53 global GRC decision-makers
Source: Forrester’s Online GRC TechRadar Customer Reference Survey, Q3 2012

Involves a number of stakeholders
At your organization, who is responsible for the overall success of your GRC program?
Base: 53 global GRC decision-makers
Source: Forrester’s Online GRC TechRadar Customer Reference Survey, Q3 2012

Customer use cases are diverse…
Which of the following functions do you use the product for? Please select all that apply.
Base: 121 customer references for the Enterprise and IT GRC Platforms Waves, Q4 2011
Source: Forrester’s Q2 2011 Global Governance, Risk, And Compliance Platforms Wave Customer Reference Online Survey

…but they haven’t changed much.
Which of the following functions do you use the product for? Please select all that apply.
Base: 69 customer references for the Enterprise GRC Platforms Wave, Q3 2009
Base: 121 customer references for the Enterprise and IT GRC Platforms Waves, Q4 2011
…but they don’t always look at their structural support.
Case study: device manufacturer
CONTEXT: Understood need for security/risk involvement in vetting partner relationships and providing ongoing security oversight.
APPROACH: Security team is involved in the procurement process, conducting mini-assessments to determine whether a more detailed evaluation is warranted. The goal is to establish the same baseline level of security among partners as is expected for internal systems. Based on assessments, security offers recommendations for remediation and/or reassessment.
RESULTS: Clear agreement that business process owners own the risk and make the decision whether to accept, avoid, mitigate, etc. Security gets involved for higher-risk vendors (e.g., those that come on-site).
Case study: large global bank
CONTEXT: Clear need to improve oversight of risk related to third-party relationships, standardize risk measurement, and standardize compliance assessments.
APPROACH: Simplify initial assessments: 15 straightforward (primarily yes/no) questions to determine potential risk categories and the estimated level of impact. Lighten risk requirements for low-impact vendors; for high-impact vendors, choose from among 10 in-depth risk assessments where appropriate (viability, privacy, BC/DR, financial controls, etc.).
RESULTS: Easier participation from vendor management and the business. Better alignment with vendor performance data, metrics, processes, and decisions.
Recommendations
• Be very clear about the different types of third-party risk you’re tracking, and who has responsibility for each.
• Create triggers to make sure risk and compliance efforts occur reliably within standard vendor relationship processes.
• Consider ways to open up communication with and among vendors about trends, patterns, best practices, etc.
Chris McClean cmcclean@forrester.com
Global Financial Institution
Challenge
• 2,000 vendors and internal assets
• Assurance activities in silos
• Manual assessment tools
Solution
• Automated, efficient, multi-tier process
• Aligned, focused evaluation tools
• Assessment coordination and schedule management
• Issue and remediation tracking
Results
• High program rating from external regulator
• Management control of assurance process
• Easy visibility of vendor risk rankings
• Reduction in vendor assessment time and effort
• Reusable assessment tools and patterns
• Third-party satisfaction with streamlined process

Global Technology Services Company
Challenge
• Financial risk exposure due to contract non-performance
• Objective evaluation of third-party contract risk
Solution
• Develop standardized risk taxonomy and rating levels
• Catalog of rated risks
• Contract risk evaluation built into review process
• Management of contract review documentation
• Management reporting of gaps and regulatory non-compliance
Results
• Reduced incidence of errors in previously manual process
• Process-based exception triggers and alerts
• Enhanced control of contract review documentation
• Real-time access to contract performance and compliance status
• Common risk repository for use throughout the organization
Common Risk Framework
• Consistent taxonomy
• Risk categories
• Risk responsibility

Vendor Impact Visibility
• Systems
• Business process
• Facilities
• Regulations
• Standards
• …

A Common Business Language
• Consistency of reference
• De-facto authoritative sources
• Easy global access
• Alignment with other enterprise systems
Screenshot: Application Hierarchy

Multiple Assessment Types
• Questionnaire
• Analyst findings
• Controls testing
Screenshot: Findings Report

Vendor Rankings
• Assessment results
• Risk ratings
• Risk categories
Screenshot: Vendor Risk Report by Rating with Categories

Issues and Remediation
• In-context creation
• Responsibility assignment
• Collaboration dialog
• Resolution tracking
• Local and global reporting
Focus on High-Risk
• Multi-step process — effective and efficient
• Funnel to the risky few
• Screen out low-risk entities
Benefits
• Confident control of high-risk relationships
• Elimination of redundant, unnecessary work
Diagram labels: Additional subjective evaluation, Detailed scoring, Controls testing, Remediation

Full Relationship Lifecycle
• New third-party relationships
• Ongoing third-party relationships
Diagram labels: Assess, Monitor, Resolve Issues
Triggers for Action
• Process-based
• Exception-based
• Alerts
• Metric changes
• Business change
• Acquisitions

Program Alignment
• Coherent third-party interaction
• Coordinated scheduling
• Non-redundant evaluation tools
• Shared evaluation results
• Integrated risk picture
• Coordination with internal asset reviews

Collaboration
• Third-party access
• Self-assessments
• Issues
• Remediation
• Documentation
• Regulatory access
Screenshot: Vendor Specific Issues Report

Staged Deployment
• Incremental
• Incorporate departments one at a time
• Go global gradually
Benefits
• Immediate return
• On-the-ground learning
• Evolving optimization
For additional questions: Lewis Venezia, Director of Sales, Risk Management Solutions, (978) 451-7671, lewis.venezia@processunity.com