
Risk & the Enterprise: Managing Vendor Risk






Presentation Transcript


  1. Risk & the Enterprise: Managing Vendor Risk
     Chris McClean, Principal Analyst, Research Director
  2. Risk Management is maturing and expanding in the enterprise
  3. GRC spans across many teams
     Survey question: At your organization, who is responsible for the day-to-day coordination of your GRC program?
     Base: 53 global GRC decision-makers
     Source: Forrester’s Online GRC TechRadar Customer Reference Survey, Q3 2012
  4. Involves a number of stakeholders
     Survey question: At your organization, who is responsible for the overall success of your GRC program?
     Base: 53 global GRC decision-makers
     Source: Forrester’s Online GRC TechRadar Customer Reference Survey, Q3 2012
  5. Customer use cases are diverse…
     Survey question: Which of the following functions do you use the product for? Please select all that apply.
     Base: 121 customer references for the Enterprise and IT GRC Platforms Waves, Q4 2011
     Source: Forrester’s Q2 2011 Global Governance, Risk, And Compliance Platforms Wave Customer Reference Online Survey
  6. …but they haven’t changed much.
     Survey question: Which of the following functions do you use the product for? Please select all that apply.
     Base: 69 customer references for the Enterprise GRC Platforms Wave, Q3 2009
     Base: 121 customer references for the Enterprise and IT GRC Platforms Waves, Q4 2011
  7. Businesses continue to extend beyond their boundaries . . .
  8. . . . but they don’t always look at their structural support.
  9. Build a broad risk taxonomy (slides 9–14 build up this one diagram step by step)
  15. Formalize risk processes to leverage opportunities.
  16. Case study: device manufacturer
     CONTEXT: Understood the need for security/risk involvement in vetting partner relationships and providing ongoing security oversight.
     APPROACH: The security team is involved in the procurement process, conducting mini-assessments to determine whether a more detailed evaluation is warranted. The goal is to establish the same baseline level of security among partners as is expected for internal systems. Based on the assessments, security offers recommendations for remediation and/or reassessment.
     RESULTS: Clear agreement that business process owners own the risk and make the decision whether to accept, avoid, mitigate, etc. Security gets involved for higher-risk vendors (e.g., those that come on-site).
  17. Case study: large global bank
     CONTEXT: Clear need to improve oversight of risk related to third-party relationships, and to standardize risk measurement and compliance assessments.
     APPROACH: Simplify initial assessments: 15 straightforward (primarily yes/no) questions to determine potential risk categories and the estimated level of impact. Lighten risk requirements for low-impact vendors; for high-impact vendors, choose where appropriate from among 10 in-depth risk assessments (viability, privacy, BC/DR, financial controls, etc.).
     RESULTS: Easier participation from vendor management and the business. Better alignment with vendor performance data, metrics, processes, and decisions.
  18. Recommendations
     - Be very clear about the different types of third-party risk you’re tracking, and who has responsibility for each.
     - Create triggers to make sure risk and compliance efforts occur reliably within standard vendor relationship processes.
     - Consider ways to open up communication with and among vendors about trends, patterns, best practices, etc.
  19. Chris McClean cmcclean@forrester.com
  20. Third-party Assurance — Case Studies

  21. Global Financial Institution
     Challenge:
     - 2,000 vendors and internal assets
     - Assurance activities in silos
     - Manual assessment tools
     Solution:
     - Automated, efficient, multi-tier process
     - Aligned, focused evaluation tools
     - Assessment coordination and schedule management
     - Issue and remediation tracking
     Results:
     - High program rating from external regulator
     - Management control of assurance process
     - Easy visibility of vendor risk rankings
     - Reduction in vendor assessment time and effort
     - Reusable assessment tools and patterns
     - Third-party satisfaction with streamlined process
  22. Global Technology Services Company
     Challenge:
     - Financial risk exposure due to contract non-performance
     - Objective evaluation of third-party contract risk
     Solution:
     - Develop standardized risk taxonomy and rating levels
     - Catalog of rated risks
     - Contract risk evaluation built into review process
     - Management of contract review documentation
     - Management reporting of gaps and regulatory non-compliance
     Results:
     - Reduced incidence of errors in previously manual process
     - Process-based exception triggers and alerts
     - Enhanced control of contract review documentation
     - Real-time access to contract performance and compliance status
     - Common risk repository for use throughout the organization
  23. Third-party Assurance — Tools

  24. Common Risk Framework
     - Consistent taxonomy
     - Risk categories
     - Risk responsibility
  25. Vendor Impact Visibility
     - Systems
     - Business process
     - Facilities
     - Regulations
     - Standards
     - …
  26. A Common Business Language
     - Consistency of reference
     - De-facto authoritative sources
     - Easy global access
     - Alignment with other enterprise systems
     Screenshot: Application Hierarchy
  27. Multiple Assessment Types
     - Questionnaire
     - Analyst findings
     - Controls testing
     Screenshot: Findings Report
  28. Vendor Rankings
     - Assessment results
     - Risk ratings
     - Risk categories
     Screenshot: Vendor Risk Report by Rating with Categories
  29. Issues and Remediation
     - In-context creation
     - Responsibility assignment
     - Collaboration dialog
     - Resolution tracking
     - Local and global reporting
  30. Third-party Assurance — Process

  31. Focus on High-Risk
     Multi-step process — effective and efficient: funnel to the risky few.
     - Screen out low-risk entities
     - Additional subjective evaluation
     - Detailed scoring
     - Controls testing
     - Remediation
     Benefits:
     - Confident control of high-risk relationships
     - Elimination of redundant, unnecessary work
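The bank case study (slide 17) and the "funnel to the risky few" process (slide 31) describe the same mechanism: a short yes/no screener assigns each vendor an impact tier and the risk categories it touches, low-impact vendors are screened out, and only high-impact vendors are routed to category-specific in-depth assessments; slide 33 adds process-, exception- and business-change-based triggers for reassessment. The following is an added example of that triage logic, written for this page and not code from the presenters, Forrester, or ProcessUnity. The question ids, weights, tier thresholds, assessment names and the sample vendors are all constructed for illustration.

```python
"""Tiered vendor-risk screening: short yes/no screener -> impact tier ->
required in-depth assessments, plus reassessment triggers (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Constructed screener: (question id, risk category it indicates, weight).
# A real program would tune the questions and weights to its own taxonomy.
SCREENER = [
    ("stores_customer_pii", "privacy", 3),
    ("has_internal_network_access", "information security", 3),
    ("processes_payments", "financial controls", 3),
    ("supports_critical_business_process", "business continuity", 2),
    ("single_source_supplier", "business continuity", 2),
    ("staff_work_on_site", "physical security", 2),
    ("subject_to_regulation", "regulatory compliance", 2),
    ("annual_spend_above_threshold", "financial viability", 1),
    ("uses_subcontractors", "fourth-party risk", 1),
    ("new_relationship", "financial viability", 1),
]

# Constructed menu of in-depth assessments, keyed by risk category, so that a
# high-impact vendor is only sent the assessments its screener answers justify.
IN_DEPTH = {
    "privacy": "privacy assessment",
    "information security": "security controls testing",
    "financial controls": "financial controls review",
    "business continuity": "BC/DR assessment",
    "physical security": "on-site assessment",
    "regulatory compliance": "regulatory compliance review",
    "financial viability": "financial viability review",
    "fourth-party risk": "subcontractor review",
}

HIGH_THRESHOLD = 6    # constructed cut-offs for the impact tiers
MEDIUM_THRESHOLD = 3


@dataclass
class Screening:
    score: int
    impact: Impact
    categories: list[str]          # risk categories flagged by the screener
    required_assessments: list[str]


def screen(answers: dict[str, bool]) -> Screening:
    """Turn yes/no screener answers into an impact tier and an assessment plan."""
    score = 0
    categories: list[str] = []
    for qid, category, weight in SCREENER:
        if answers.get(qid, False):          # an unanswered question counts as "no"
            score += weight
            if category not in categories:
                categories.append(category)
    if score >= HIGH_THRESHOLD:
        impact = Impact.HIGH
        required = [IN_DEPTH[c] for c in categories]   # the risky few get the full workup
    elif score >= MEDIUM_THRESHOLD:
        impact = Impact.MEDIUM
        required = ["annual self-assessment questionnaire"]  # lightened requirements
    else:
        impact = Impact.LOW
        required = []                                   # screened out of detailed review
    return Screening(score, impact, categories, required)


BUSINESS_CHANGE_EVENTS = {"acquisition", "contract_renewal", "ownership_change"}


def reassessment_triggers(previous: dict[str, bool], current: dict[str, bool],
                          events: list[str], open_issues: int,
                          issue_limit: int = 3) -> list[str]:
    """Slide-33 style triggers: scope changes in the screener answers,
    exception-based metric breaches, and business-change events."""
    triggers: list[str] = []
    for qid, category, _ in SCREENER:
        if current.get(qid, False) and not previous.get(qid, False):
            triggers.append(f"scope change: {qid} now yes ({category})")
    if open_issues > issue_limit:
        triggers.append(f"exception: {open_issues} open issues exceeds limit {issue_limit}")
    for event in events:
        if event in BUSINESS_CHANGE_EVENTS:
            triggers.append(f"business change: {event}")
    return triggers


if __name__ == "__main__":
    # Constructed sample vendors.
    hosting_provider = {"stores_customer_pii": True, "has_internal_network_access": True,
                        "staff_work_on_site": True}
    office_supplies = {"annual_spend_above_threshold": True}
    for name, answers in (("hosting provider", hosting_provider), ("office supplies", office_supplies)):
        s = screen(answers)
        print(f"{name}: score={s.score} impact={s.impact.value} assessments={s.required_assessments}")
    # The low-impact vendor later gains network access and is acquired: re-triage.
    later = dict(office_supplies, has_internal_network_access=True)
    for t in reassessment_triggers(office_supplies, later, ["acquisition"], open_issues=5):
        print("trigger:", t)
    print("re-screened impact:", screen(later).impact.value)
```

Two design points are worth noting. Unanswered screener questions default to "no", so the screener must be mandatory in the procurement workflow (the "process-based trigger" of slide 33) or vendors silently land in the low tier. And the in-depth assessments are selected per flagged category rather than sent wholesale, which is what keeps the high-impact workup proportionate and gives the vendor-management and business teams the easier participation the bank reported.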
  32. Full Relationship Lifecycle
     - New third-party relationships
     - Ongoing third-party relationships
     Cycle: Assess → Monitor → Resolve Issues
  33. Triggers for Action
     - Process-based
     - Exception-based
     - Alerts
     - Metric changes
     - Business change
     - Acquisitions
  34. Program Alignment
     - Coherent third-party interaction
     - Coordinated scheduling
     - Non-redundant evaluation tools
     - Shared evaluation results
     - Integrated risk picture
     - Coordination with internal asset reviews
  35. Collaboration
     - Third-party access
     - Self-assessments
     - Issues
     - Remediation
     - Documentation
     - Regulatory access
     Screenshot: Vendor Specific Issues Report
  36. Staged Deployment
     Incremental:
     - Incorporate departments one at a time
     - Go global gradually
     Benefits:
     - Immediate return
     - On-the-ground learning
     - Evolving optimization
  37. For Additional Questions: Lewis Venezia Director of Sales, Risk Management Solutions (978) 451-7671 lewis.venezia@processunity.com