At Alyne we've put a lot of thought into how successful Vendor Governance can be setup and what aspects should be included in vendor assurance.
In our blog series exploring the topic of Vendor Governance we started out analysing current challenges and today’s state of vendor risk management and continued in defining requirements from a business and solution perspective to meet these challenges. These are our thoughts on setting up Vendor Governance.
- Enable business self service
Make a solution available to the business to raise their service request easily and provide necessary information to kick off the process with minimal interaction requirement throughout the process by the business. Multiple interactions with spreadsheets will increase the probability of the business circumventing a process perceived as too tedious.
- Triage early
Gather sufficient data to be able to triage vendors early and determine risk category and necessary involvement of further SMEs. The earlier these determinations can be made, the less delays are to be expected along the further process.
- Engage SMEs in parallel
Make sure the system can engage multiple people in parallel to avoid serial processing through involved departments. The triage process should automatically notify the required people.
- Run smart assessments
We recommend covering the initial risk assessment to be a self assessment. We have analysed successful assessment methodology on our blog previously.
- Make risk data available for informed decisions
Ensure the solution provides sufficient risk information for all involved parties with automated processing and interpretation of the raw assessment data to enable informed decisions by the stakeholders. Avoiding multiple data sets and assessments per vendor and stakeholder is key to keeping complexity manageable.
- Document risk decisions
Document all risk decisions aligned with the risk information gathered. The solution should provide a sufficient audit trail from initial vendor contact to risk acceptance or service refusal. This will be a focus point for regulators in case of an incident.
- Track vendors for regular assessment
The final step of successful vendor governance entails tracking all contracted vendors and ensuring they are subject to regular assessments with the frequency dependent on the risk exposure to the organisation.
Deciding what to assess
Once you have setup your Vendor Governance solution and processes, the question remains what to assess at your vendors. Some regulation makes general requirements such as data privacy that states technical and organisational protection measures in quite broad terms. Here are some of the decisions you will be facing:
- Depth vs. risk insight
Many questionnaires we have come across feature both detailed and open questions. You may for example read “describe your access governance approach for people joining the organisation”. This may appear to create depth of analysis, however the risk insight from potential responses will be difficult to analyse. Our recommendation is to ask multiple very specific questions and deduct risk insights from combined answers.
- Audit fatigue vs. diligence
Often times vendors or internal stakeholders will be suffering from significant audit fatigue, as they are consistently confronted with assessments. On the other hand, your objective is to enable maximum risk transparency. Requiring too many data points from an exhausted source will not lead to better data quality, but reducing the data points too much will impact the risk insight. At Alyne we have tried to make responding as easy as possible and believe that between 60 - 100 data points can be gathered at scale using our method. Tailoring the number of questions to the risk exposure is a further method to match assessment depth to risk exposure.
- Control design vs. control effectiveness
As auditors you typically separate the testing of control design from control effectiveness. We have applied different techniques to addressing this. If your are following a multi-stage assessment approach, you want to start with basic control design questions in a short assessment. If the control design testing reveals potential gaps, a more detailed assessment testing control effectiveness can be added. We typically define a mixture of both in our recommended control sets to provide a balanced view of the current maturity.
We hope that our blog series has provided additional insights into our views on Vendor Governance and helped you evaluate your current approach and provide inspiration for next steps. We will be continuously providing more insight into Alyne’s capabilities for Vendor Governance and look forward to feedback from our customers and the risk management community.