Vendor governance is gaining a lot of attention as one of the top drivers for cyber risk to organisations and a very significant contributor to overall operational risk - especially if you are a financial institution.
The Alyne founders have been observing this trend and have always had this specific use case in mind when designing Alyne. We would like to elaborate on some of our thinking around Vendor Governance over the next few weeks in our blog. In this first part, I would like to explore what we think is wrong with Vendor Governance processes today and why requirements are changing. Finally we would like to offer some predictions for the future as well.
What’s wrong today?
At Alyne, we have observed organisations of all sizes and industries tackle this challenge and we have identified some common patterns. The obvious approach taken by most organisations is to provide assurance on a sample of vendors, as the cost of full coverage is prohibitive. Of course, this is a common practice across most assurance processes, however assuming there is a correlation between an issue at one vendor and the reliability of another vendor is a stretch. Essentially, a sample based approach means accepting no risk transparency for the majority of your vendors.
From a business perspective, processes are similarly unsatisfying. It’s not uncommon for a business stakeholder to raise the need for new services and need months to be able to actually procure the service due to Vendor Governance processes. Involving multiple deciders serially (e.g. Data Privacy, Security, Procurement, Risk Management) prolongs the process significantly.
Our final observation is the abundance of spreadsheets that still dominate processes in this space. Usually this approach started out being sufficient, but quickly outgrew its useful capacity. Often this leads to high cost and time to execute per vendor, combined with a shortage of skilled resources to interpret the data and perform the on site assessments. In summary, Vendor Governance falls short of providing the desired value in most cases.
The problem is not going away
There are multiple sources of regulation that are increasing requirements and scrutiny on vendor governance. First and foremost in the European Union, the new Data Privacy Law (GDPR) is coming into effect and requires organisations to remain accountable for data being processed on their behalf through third parties. In the financial sector, multiple regulators including the BaFin in Germany and the Hong Kong Monetary Authority are increasing their focus on outsourcing governance and requiring these risks to be managed more closely. We believe these regulatory requirements are the result of consumers demanding a higher level of accountability for the processing of their data and higher awareness for breaches.
The increased focus on Vendor Governance is not only externally triggered. We believe organisations are identifying an increase in - at least perceived - risk through their vendors. Executives are now increasingly demanding a higher level of risk transparency and assurance over vendors in order to ensure supply chains, client data and other information assets are not at risk.
Financial services institutions have a further incentive to quantify their vendor risk. Elevated or intransparent operational risk is leading to significant capital requirements, with vendor risk being a considerable contributor.
For organisations of all industries, vendor risk is rapidly becoming a challenge requiring a structured approach that is no longer optional.
Where is all of this leading?
We believe this trend of increased requirements for vendor governance will continue for a number of reasons: With the rollout of the new European Privacy law (GDPR), all organisations in Europe and all organisations with business in Europe will be affected by Vendor Governance requirements. That alone is a huge number of organisations. Beyond the regulatory component, businesses will likely only increase the number of services they contract in their value chain as they specialise their own services. With more complex vendor networks, vendor risk increases. We furthermore anticipate the trend of business departments getting in the driver seat for procuring services as opposed to IT departments providing these services by proxy to continue. This in turn increases the need for more structure in internal Vendor Governance processes.
These are some of the observations we made that led us to think about what a smart solution for Vendor Governance might look like. We hope you will join us for our next blog post exploring specific business requirements for a successful Vendor Governance program.