
Hustle and Tussle of Vendor Risk Management

There is no doubt that we humans would never have reached this world of connected cars, 3D printing and space travel without trading on each other's resources. We traded what we had for the things we didn't! The world has never been as interdependent as it is right now. This is true for us as individuals and certainly for organizations across geographies.

The word "outsourcing" started gaining traction around the 1990s, but even before that organizations were heavily using it to reduce cost and allow themselves to focus on their core business areas. Family-owned businesses initially outsourced a small part of their work within their circle of friends and family, given the trust factor, but as corporations grew and the economy went global, organizations started delegating part of their work to people living on the other side of the globe. Slowly and steadily, organizations have reached a state where they don't even know who their suppliers are! Trust is not obvious anymore.

What can we do about it?

To provide assurance to clients, and to be able to address the legal liability arising out of an ever-growing number of laws, regulations and standards, organizations need to build a robust vendor risk management program. It should be embedded in procurement processes and supported by the various risk functions (security risk team, operational risk team, etc.) within the organization.

A robust Vendor Risk Management Program should be carved out in such a way that every supplier gets thoroughly assessed at all stages of procurement and is continuously tracked and monitored while on-board, using relevant metrics. This will enable organizations to make conscious decisions while on-boarding a vendor, considering the various risks (security, operational, etc.) that the third party is bringing to the table. Here are a few things that should be part of such programs:

1) The contract outlining the business relationship should clearly pass on liabilities to the third party with regard to the products and services they provide to the outsourcer. This should include, but not be limited to, audit rights, performance SLAs, indemnification and non-compete clauses.
2) Organizations should have criteria to categorize vendors according to the risk level they pose. These can then be used to direct a good amount of effort to high-risk vendors while minimizing it on lower-risk ones.
3) Metrics should be defined and continuously analyzed so that the organization has visibility into the strength of the vendor's controls and whether the vendor is performing the due diligence on its part.

Where is the hustle and tussle in this?

The daunting task of keeping track of already empanelled vendors and renegotiating contractual clauses with them is one such thing that requires a lot of energy. Many vendors are quite reluctant to grant audit rights, which they feel cause audit fatigue since they service a lot of customers. Even for new vendors, passing on the stringent clauses that make them accountable for any ignorance on their part is not easy. Even once a vendor is on-boarded, it is still a burden to keep probing them to share evidence of their control strengths, as this is not felt to be a productive use of time and energy. The solution to all this is hidden in the old ways of outsourcing, where family businesses outsourced to their circle of friends: we can treat our supplier as a friend and keep having smaller, bite-sized informational chats to stay informed about the people, processes and technology being used to provide goods and services to us. This will definitely reduce their effort in filling out a 500-question checklist, which I think all vendors are tired of filling.
