When vendor and supplier risk becomes your own

Companies are being held accountable for the actions of their suppliers. Under the broad notion that activities can be outsourced, but responsibility can’t, the CFPB and other regulators are holding companies responsible not only for their own actions but also for those of their vendors and suppliers. The new regulatory thrust poses a big challenge for companies because some of them have a limited perspective on their suppliers’ interactions with customers. The largest companies can have close to 50,000 suppliers. A significant number of vendor relationships are not closely managed, and some carry hidden risks.

With the scope of regulatory oversight broadening to include the consumer, many firms are underprepared. But since companies must bear the responsibility for their suppliers’ misdeeds, they must improve the way they manage these relationships. A new approach can help to identify and manage sources of third-party risk. Are you doing it?

Are you doing a comprehensive catalog of third-party risks?
Are you doing a risk-based segmentation of suppliers?
Are you doing a rules-based due-diligence test during vendor onboarding?
Are you doing a disciplined governance and escalation process during breach?

Risks from vendors and suppliers pose a significant challenge to companies. A systematic approach to managing those risks can lower costs and help C-level executives present a coherent approach to all key stakeholders, including regulators.

For any further questions please email us and we can go over your vendor risk metrics. info@intiGrow.com, www.intiGrow.com

Vendor Management: are your vendors secure

Vendor risk assessment is required to ensure that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.

To accomplish this we need to know company details beyond the website. We need to understand the company’s financial position and, in terms of reputation, whether the vendor will do what they promise. We also need to know how well the vendor is going to protect your data. Vendors that provide IT services have additional risk assessment requirements. We need to make sure contract language includes the right to audit, data security measures, and data ownership. We need specific security considerations and incident response procedures, and for cloud-based IT services there are additional data security questions that need answers.

Ultimately, we, as the people responsible for assessing vendor risk, must understand the vendor’s risk posture. Find that out by knowing some basic risk practices that can be implemented to better control vendor risks in your organization:

  • Assess the risk landscape. Use tiered risk assessments that establish the likelihood and impact of a risk event from suppliers.
  • Deploy comprehensive supplier reviews. Periodically review the risk control practices of existing suppliers and establish a verification process to qualify new suppliers.
  • Deploy risk metrics. Create Key Risk Indicators that you can use to alert your company to problems in the supply chain.
  • Report on risks internally. Set up a process to monitor risks in your supply chain, collect the information about the risks and report on them.
  • Improve continuously. Assess your risk monitoring and governance frequently and close gaps in those systems.

Company boards are expecting more proactive efforts in developing a holistic view of supply-chain risks. The presence of effective enterprise risk management (ERM) programs can help assure those directors that disruptions are being kept to a minimum.


Integrating Third Party Risk Management in Procurement Process and ERM

Risk exposure is indiscriminate, and risks arising from third-party relationships such as vendors and suppliers are a significant corporate and regulatory concern. The regulatory authorities have provided guidance on the responsibility of enterprises to understand, manage and monitor their third-party vendor relationships. Self-certification vendor management programs are generally no longer sufficient to meet regulatory expectations. Rather, a robust and active vendor monitoring program is required.

New suppliers and technology advancements bring opportunities to take risks that can be positive for a business. However, economic or environmental events can bring an industry to a halt. Even established suppliers may be hurting due to the latest cyber attack, hurricane or recession.

Do you assess your suppliers? Do you?
Do you know what the potential risks inherent in vendor relationships are and how to mitigate them?
Do you know what the risk to your customers is if there is a privacy breach?
Do you know how a loss of outsourced services or a breach of systems would impact your ability to operate?
Do you ask for evidence or documentation proving the company’s standards in areas of concern to your business?

Knowing is important! Very important!
Knowing that your vendor relationships are complying with the agreements in place is important.
Knowing how dependent your third parties are on subcontractors and sub-servicers.
Knowing that the reports you rely on from third-party vendors are accurate.

Embedding governance and security in the procurement process and vendor contracts is vital! Act on it… intiGrow helps clients answer these questions, comply with regulatory guidance, and implement industry best practices to monitor and report risks.


© 2021 intiGrow. All rights reserved.