The New Normal
As states begin to open, organizations are working to define their “new normal” and building policies and procedures to support their post-pandemic operations. Business as we know it will be different. Organizations that had a successful Work From Home experience may now allow more of their workforce to remain remote, while others are taking steps to create a safer workplace for their returning employees. These changes may affect the risk profile of organizations within your supply chain.
Supply Chain Modifications
For the past three months, business operations teams have been making adjustments to their supply chain—adding and subtracting vendors, partners, and contractors to meet demand or replace suppliers that halted or modified operations due to COVID-19. During the pandemic, fulfilling orders and delivering on contracts were top priorities—which meant following vendor management best practices and managing risk may not have been. Organizations with a documented vendor management program likely had a smoother, more consistent supplier onboarding/offboarding experience. If you are not sure if you are properly managing your risk or meeting your contractual requirements, this article will help you understand some Vendor Risk Management basics.
Supply Chain Risk
For Insights Association members, your critical suppliers are likely subcontractors that handle large volumes of client data and help you deliver market research and analytics services. These suppliers need to access, process, store, and transmit project information in a way that meets or exceeds the security standards you committed to contractually with your clients. During COVID-19, you may also have launched new back-office products from suppliers like Zoom, Slack, or Dropbox that were allowed to access, display, record, or transmit client data. Every new supplier introduces potential risk into your supply chain. The best way to manage this risk is with a cohesive program.
Vendor Risk Management Programs
Formal programs for vendor risk management are very common. Most standards-based information security frameworks (ISO 27001, etc.) address third-party risk and provide guidance for establishing a Vendor Risk Management program. If your clients don’t require that you adhere to a specific information security framework, it is still a best practice to reduce your organization’s risk with a documented Vendor Risk Management process. We will use the requirements of ISO 27001 Annex A, section A.15 (Supplier relationships), as the framework for our discussion.
Types of Risk
Protecting your organization and client data is essential. Your suppliers face many of the same risks your business does. There are six primary categories of risk. Depending on your supplier’s industry or location, there may be more risks to consider.
- Strategic (causes missed goals)
- Reputational (damages your brand)
- Operational (interrupts business)
- Financial (affects money flow)
- Compliance/Legal (results in penalties)
- Security/Privacy (compromises your data)
Create a Supplier Policy
Using a policy to define the objectives, scope, and statements of third-party relationships for your employees helps them understand their responsibilities as they manage vendors, suppliers, partners, and contractors. The supplier policy describes how your team will assess, measure, monitor, and control the risks associated with third-parties. It will also ensure that all critical third-party relationships meet or exceed your established risk management processes and controls.
A supplier classification process helps you identify which third-party relationships are most important to your organization. The suppliers are classified based on the criticality of the services they provide and the sensitivity of the information they handle (sensitive, confidential, public). At no time should a supplier be assigned a project classified at a level above their approved classification tier. The tiers also indicate the suppliers’ contractual audit requirements and frequency of formal reviews and information security risk assessments.
Define a “New Supplier” Process
Depending on the business need and security requirements, approving a new supplier can take several weeks. Suppliers that will access, process, store, or transmit your information, or provide IT infrastructure components for it, will need to conform to the information security requirements in your supplier policy. These suppliers will be required to complete an application, a mutual non-disclosure agreement, a master services agreement, and a security questionnaire. Additionally, suppliers handling sensitive and confidential information will be subject to an on-site risk assessment. Before contracts are signed, the materials will typically go through a final (executive) review process. Adding new suppliers involves organizational risk and expense, so management will usually require justification. One way to shorten the new supplier approval process is to find a supplier that is already on your client’s approved vendor list. While this reduces many of the client-related steps, you will still need to perform your own supplier due diligence, qualification, and information security assessment to protect your organization from vendor risk; a client’s approval does not transfer their risk acceptance to you.
Managing a repository of standard contract templates for each supplier classification ensures that the specific information security and audit requirements for that supplier tier are included in any new agreements. The templates should include a description of the information provided or accessed (and the method of access); the classification of the data; legal, regulatory, and security requirements; obligations of each party; rules of acceptable use; authorized team members; rules for subcontracting; and dispute or defect resolution processes. The templates should also include company boilerplate, legal, and business-specific items.
Monitor Supplier Services
To maintain the desired service levels, organizations should regularly monitor, review, and audit supplier service delivery for compliance with your agreement. This process should include agreement terms and conditions, service delivery, performance levels, quality assurance, security procedures, security incidents, and the supplier’s ability to remediate security events properly. A specific individual or team within your organization should be responsible for managing the supplier relationship and monitoring any changes to the supplier’s policies, procedures, and controls.
Require Event Notifications
Third-party suppliers should maintain regular communications with your organization and be required to notify your team promptly should any of the following activities occur:
- An identified security breach within their organization
- Any actual or potential reasons for ceasing operations
- Any changes to the status of required information security certifications
- Any changes to directors, key personnel, ownership, or operating locations
- Any formal government or regulation investigations
Establish Onboarding and Offboarding Processes
A comprehensive process for onboarding and offboarding your suppliers will reduce your risk. In addition to the due diligence, assessments, and contracting, the process of onboarding should also include training and awareness of procedures, communication, reporting, and information security requirements. Having a comprehensive offboarding process is just as important. Terminating a relationship properly ensures that property is returned, accounts and credentials are revoked, data is returned or destroyed (with written confirmation), and final payments are made. All of these steps help lower your exposure and minimize any disputes.
The Vendor Risk Management program that you are creating for your suppliers is similar to the processes your clients are building for you. Your ability to quickly respond to their proposals, complete their due diligence questionnaires, and comply with their information security requirements will improve your chances of winning new business. Creating a Client Contractual Requirement Matrix (CCRM) will help you manage the compliance requirements for all of your client agreements. Assigning a person or team to manage your contract requirements eases the client compliance, reporting, and audit processes while improving contract quality assurance. A dedicated contract and compliance specialist also develops the confidence to know when to question requirements or request adjustments to better align with your standard operating procedures.
You have seen Vendor Risk Management programs in action every time you have bid on new projects with large clients. They are in place to protect the client and reduce the risk of doing business with suppliers. It’s a best practice that you can adopt for your suppliers too. You may have pieces of a supplier program in place today, but without a comprehensive program, you may be introducing risk instead of reducing it.
Ezentria can help you build and manage a comprehensive Vendor Risk Management program that aligns with the information security framework of your choice. If you have any questions, need assistance, or would like to start with a Supplier Policy or Vendor Risk Assessment, you can reach us at firstname.lastname@example.org.
Our next post in this newsletter will be in July. Until then, be safe and secure.