Here are our top 5 tips for rolling out a successful third-party risk management programme:
1. Start with the end in mind
The modern supply chain is complex and integrated. Vendors often provide multiple services to multiple users in different regions. They occupy different positions in the supply chain. Different business functions and regions will have different ways of measuring security maturity. It is critical to plan effectively:
- Segment your supply chain - first, identify the population of suppliers that are most critical from an assessment perspective. Segment them by the criticality of their services, their security maturity, or their priority to the business. Consider any procurement programmes or audit findings that are relevant.
- Establish your measures - your goals will determine both what you want to measure and what you can measure. As the old saying goes, “Vision without execution is hallucination”, and whether your goal is risk reduction, productivity, agility, or digitisation, you need to be able to track your progress. However, to achieve real integration with the business you need to measure indicators that matter to the business and communicate with it in terms it will understand and appreciate.
- Identify your stakeholders - this may be one of the most important decisions you make in the design of your VRM (vendor risk management) programme. What is it that you are trying to do? A successful VRM programme requires help from the people who own the relationships with the suppliers and who own or use their services. Many (most?) change programmes have failed for lack of buy-in.
2. Collaboration is king
Supplier confidence is a subjective concept, and hard to define or predict. Some people are confident because they are unaware of the risks or assume security is adequate. Others will demand evidence to give them confirmed or explicit confidence. Many will rely on inferred confidence, looking to others for confirmation. It is possible to balance these different confidence levels through collaboration. A team can reach a common assessment of risks if everyone can see, challenge, and debate the same evidence. This enables an organisation to achieve a unity of purpose and intent. Project owners across the business can own their risks, make local decisions, and drive forward initiatives. Likewise, central assurance functions can see the risks, challenge them, and help reduce risk where necessary.
3. It is not supposed to hurt
Make it easy for the supplier and they will make it easy for you - the old approach of spreadsheets has high inertia and is unpopular. There are many ways to make assessment intuitive, flexible, and user friendly, and these encourage greater participation from suppliers. Adaptive questioning in assessments, the ability to farm out parts of the assessment to different stakeholders within the supplier, behavioural psychology built into the structure of the assessment, and automated measurement of responses can all improve participation, and they are things you should ask for from whoever provides your assessment process. Explaining to suppliers the importance of the role they play in your business will improve buy-in from the start and justify the demands that you will make on them. VRM should be about building a real partnership with your vendors, not beating them up.
4. It is both a marathon and a sprint
You need a range of both short- and long-term tools to get a complete picture of how safe a supplier is. Security maturity assessments interrogate the internal workings of a supplier and show whether the operational effects of the certifications and policies they claim to have in place actually exist. But this approach only captures a snapshot of a supplier at a point in time, and risk is not a static commodity. Open-source intelligence monitoring of suppliers can provide a classification of a supplier's security maturity over a longer period. But it cannot overcome the opacity and complexity of what is going on inside the supplier, and so only tells half of the story. You need a balance of both.
5. Weighing the pig won’t make it fatter
It is vital to keep the purpose of assessment within the boundaries of the overall programme. It is not an end in itself. Remember the three golden rules of measurement:
- No measurement without recording
- No recording without analysis
- No analysis without action
The answer is to focus on understanding, action, collaboration and risk remediation. To achieve this, you need to get beyond assessment as quickly and efficiently as possible. Risk remediation is a team sport: security, business stakeholders and the suppliers themselves need to work together. The clarity and engagement provided by your chosen tool or system will make a big difference here. A dry quarterly review of a 1000-line risk spreadsheet does not encourage collaboration. A clear dashboard and evidence of progress encourage risk management activities to be embedded in day-to-day work. Collaboration must include the vendor, so a tool that enables information to be shared with the vendor is helpful. Track progress and celebrate the benefits when vulnerabilities are resolved and risks are reduced. Show progress by recording evidence through the whole supply chain.
…And then look around at the wider benefits you have achieved for the business!