Product’s Perspective:
True Risk: Why External Vendor Ratings are Only Half the Picture

From the perspective of our Product team, the challenges of risk and compliance professionals are at the forefront. This collaborative group of developers, designers, lawyers and risk managers uses those insights, along with rigorous R&D, to inform the way LogicManager works. It’s no question that they’ve got a lot to share, so we’ll be publishing these insights to our blog to help you make more informed business decisions.

In this blog post, Product gives their perspective on the concept of True Risk: the risk that your third party vendors really pose to your organization. How do you uncover it? What do most people overlook when assessing their vendor risks that leaves them in the dark? How does ERM software play a role in protecting your organization from True Risk? Keep reading to find out.

Trend Alert: The Automation of Third Party Risk Management

There’s never been a better time to be a vendor manager. The explosion of standardized, affordable, and accessible vendor information has made it dramatically easy to know which of your company’s vendors are financially, technically and operationally sound. Services are available to collect and review key vendor documents like contracts and SOC 2s, and they can even evaluate a vendor’s financial statements against its industry peers.

In addition to vendor data augmentation services, a number of standardized methods have emerged that aim to collect what kind of data is collected from third parties. Standardized questionnaires like those available from Shared Assessments, Cloud Security Alliance, and Center for Internet Security ensure that companies are collecting the right data about their vendors, and help speed up the collection of vendor due diligence by allowing vendors to reuse answers for all their customers.

Despite the proliferation of vendor evaluation services, the question remains whether companies are in fact better protected now that they can access so much information about their vendors. Companies have continued to fall victim to risk management failures stemming from third-party vulnerabilities. Only in the past month, vendor breaches resulted in the disclosure of patient data, affecting a number of Ohio healthcare systems; and a digital marketing and sales vendor for Volkswagen breached over 3 million records from customers and prospective buyers.

Bonus Material: Free Risk Assessment Template

True Risk: Why it’s Important

As a vendor or risk manager, it requires more than good data to protect your business from third-party risk. So what else should you be doing to help protect your business from disruption?

While there are countless strategies to help reduce vendor risk, the best thing a vendor manager can do is proactively uncover the True Risk their third parties pose to their organization. This vendor transparency helps you more effectively and efficiently mitigate third party risk.

A vendor’s True Risk depends not only on the characteristics of the vendor itself, but also on the specific way in which your organization interacts with the vendor. A presumably safe third party can pose a substantial risk if they are the sole provider of a key service, or if they have access to sensitive personally identifiable information.

Uncovering True Risk

To address these challenges, LogicManager’s True Risk calculation accounts for not only the standardized questionnaires and publicly available sets of financial, security and operational data, but also the references between your vendor and your key business services, your data, and your strategic priorities. This matrix of vendor references is called your vendor risk taxonomy, and it’s critical in obtaining an accurate understanding of vendor risk.

By automatically incorporating these data points into your vendor assessment, you’re provided a more accurate picture of which vendors are most critical to your business. It’s important to dedicate dramatically more of your time to managing high-risk relationships. How often has your organization negotiated the right to audit these vendors, only to let your audit rights go unexercised because of competing priorities? True Risk addresses this challenge and prevents the risk of misusing resources by focusing your program on what matters by providing a vendor’s risk in context.

Vendor risk management programs have more tools than ever before to prioritize their vendors, but priority should be derived from more than what can be pulled off the web. Your risk managers are experts in your business, and almost any amount of vendor risk is manageable with the right amount of time, resources and controls. It’s only by incorporating your unique business taxonomy into your vendor assessment that a true assessment of vendor risk can be obtained.

ERM software like LogicManager is built on a taxonomy framework that connects your people, processes and risks so you can understand upstream and downstream dependencies, detect trends early on and approach everything you do with risk top of mind. It provides the critical context to truly understand the True Risk of not only your vendors, but every element of your business.