Vendor Risk Management: An Often Overlooked Component

Vendor risk management, also known as “supply chain risk management,” was in the past focused on working with suppliers to address issues such as capacity, pricing, and logistics. A few years back, vendor cyber risk was often an overlooked component of corporate risk management strategy. This has changed over the years due to regulatory factors (Vendor Governance Regulations), but also to aid in controlling and limiting corporate cyber incidents, most of which can cause a financial impact to the organization.

Consider the classic “beer game”: supply chain professionals often use it to simulate common supply chain issues and to demonstrate the importance of efficiencies in logistics and capacity planning, ultimately leading to a client working closely with their suppliers to de-risk their investment. The beer game was developed by MIT in the 1950s to illustrate the difficulty of managing dynamic systems, the dynamic system here being a supply chain that delivers beer from a brewery to the end customer.

The beer game highlights the utmost importance of the trusted supplier relationship required to dominate the market. This “working together” can come in the form of data exchange agreements using:

  • EDI Gateways
  • Co-developed training
  • Other activities aimed at efficiently delivering the best product for the best price into the market

These are important and fundamental supply chain concepts that are often overlooked and not considered critical by cybersecurity vendor risk professionals. However, these classical concepts and the new cyber concerns share the same goal: to de-risk the supply chain to ensure that the delivery of services and goods is of high quality.

Our view of third-party, fourth-party, and fifth-party risk management is focused on de-risking your supply chain through collaboration so that the war on cyber threats can be fought together as a collective. Vendor audit fatigue is one of the chief complaints of vendors and businesses alike, both those conducting audits and those going through them. Audit fatigue can be reduced by taking a more empathetic solution development and deployment approach towards your vendors to ensure that risk management from their side is not just a checklist but a real value builder in the business relationship.