Proper vendor risk management means following up and following through the entire vendor assessment process. If you are just getting started with vendor risk management, we recommend that you start with our Vendor Risk Program blog.
This particular blog addresses post-assessment strategies on dealing with vendor issues and gaps. But first, we must address what is considered a gap or an issue. Really, anything that you define and expect from your vendors can be a gap or an issue, but more explicitly, it should be tied to a written service level agreement or contractual requirement to make the issues enforceable.
During the assessment of a vendor, almost all vendors will answer questions in some way that are not 100% up to par or satisfactory. The answers provided by your vendors can lead to known “issues or gaps.” Many organizations start by using Standardized Information Gathering (SIG) questionnaires. However, the most sophisticated vendor management teams use a question-based approach on vendor risk profiles or vendor services delivering specific questions. This is a way to make sure that you are asking the most applicable questions versus generic questions that often lead to unresolvable vendor issues.
The standardized questions may offer efficiencies while sacrificing effectiveness and more often lead to frustration on both sides — the vendor and the organization. For example, you might want to consider using a cloud-based supplier with cloud-based risk management questions versus generic questions. Consider localization of questions as well, if your vendor has fourth parties – consider fourth party risk management within your scheme of developing remediations.
The Issue Management Process
The below graphic depicts generic issues in the management process between an organization and a vendor. There are two primary players in the process:
– The Organization
– The Vendor
First, the organization is responsible for conducting the assessment, reviewing all responses, and identifying issues for the vendor. The organization is also responsible for reviewing and maintaining any remediation planning issues ultimately leading to reducing its own risk and impact to business operations.
The vendor is responsible for creating and responding to remediation efforts along with employing reasonable measures to reduce risk to their customers (or organization).
Step 1: The Issues
The issues are generated by the organization. Issues should be categorized and linked to specific, contractual requirements or else it can become difficult to enforce these issues. Download our vendor issue management kit to help you organize vendor issue data. Be sure to list issues that are specific and actionable versus general. Don’t make your vendors guess what you want them to do or they should be doing.
Step 2. Drafting Remediation
Your vendor is, ultimately, responsible for authoring remediation plans and efforts required. Remediation planning should be actionable and specific to the issue and within scope of the services you are providing for the organization.
Step 3. Review & Accept the Remediation Plan
Your vendor will submit the remediation planning to you. However, it is up to the organization to accept if the plan, per issue, is specific and leads to a lower risk for your organization. Focus on what specific actions would lead to lowering negative impact to your organization in a cyber event. Remediation planning can be long and stretched out if conducted improperly. Focus on the most important versus standardized questions that may not fit the service that your vendor is delivering.
Step 4. Execution & Implementation
This phase is managed and completed by the vendor with oversight and tracking provided by the organization. The vendor should complete all actions required to lower their impact to the organization. Implementation can take a while, so the organization needs to follow-up and a maintain a schedule of completion of activities. Remember, vendor management is all about following up and following through the entire process and making sure that plans are put in place to protect both the vendor and the organization.
Step 5. Closing
The assessment is only formally closed after all issues have been resolved and the organizational risk appetite level has been met. The vendor may never know what the organization’s appetite for risk is; however, it is important to remember the intent of this whole assessment is to lower the amount of risk a vendor poses to the organization. Most often, standardized assessments can miss the entire intent of the process. Don’t standardize your process — make it fit your specific needs.
Click Here to Download our Vendor Risk Issue Management Kit.