Vendor Risk Management: A Proactive Approach

SIG University student Hanne McBlain enrolled in the Certified Third Party Risk Management Professional (C3PRMP) Program while working at Information Services Group. She shares what she learned from her own experience with a data breach and how she is taking a proactive approach to IT vendor risk management to mitigate future business disruptions.

In times of cost-cutting, vendor management functions that include third party risk are often the first to go or be significantly reduced. Many senior executives fail to see the value these functions bring and are usually happy to cover third party risk as part of a general risk function.

Stakeholder Support is Critical

I previously worked for an organization that prided itself on not relying on third parties for any critical functions. Redundancy was abundant and built into every platform, and on the surface, there was not much to worry about when it came to third party risk.

During my time there, things started to change. We convinced the organization to implement a third party risk management framework. But with no experience in this area, we were fighting an uphill battle. We managed to win support and quickly implemented standard due diligence and on-going monitoring of critical suppliers. The business stakeholders generally regarded the added due diligence and tracking as unnecessary and bureaucratic.

One of the critical IT third parties was HP, which was splitting into three companies (HP Enterprise, HP Software, which was taken over by Microfocus, and DXC services). The organization held multiple meetings with the new entities in an attempt to get clarity on product roadmaps. Microfocus’ acquisition of HP Software caused particular angst in the business as it was utterly reliant on HP legacy software and needed confirmation on continued investment in that software.

During this period, the vendor management team reviewed all impacted contracts (exit clauses, obligations for both our organization and the suppliers), the organization’s level of dependency on the suppliers, and any alternatives in the market, while ensuring we kept abreast of the latest news about the various entities in the market.

In the end, based on the information supplied, stakeholders were able to make an informed decision. The argument for third party risk management became easier to make after that, and the business started to understand the value of managing and monitoring its third parties in order not to be caught unaware.

As is the case in most organizations, some relationships with third parties had been in place for a long time and, in this case, long before we implemented due diligence for third parties. Some of those relationships had been put in place by the business, and since the third parties were often unique and niche, they had not come under the same scrutiny as the critical third parties.


Putting Risk Frameworks to the Test

The organization I worked for, like many other well-known and well-regarded organizations in Australia, had engaged a relatively small HR software third party to facilitate receipt of applicants’ resumes on its behalf. Unbeknownst to the organization, this third party had insufficient cybersecurity controls in place, and a hacker successfully uploaded a file containing malicious code to the HR platform, which resulted in a breach with the compromise of personal data for thousands of job applicants, including banking details in some cases.

A data breach of this magnitude invoked immediate action, and within minutes of becoming aware of the data breach we disabled the link to the HR platform. However, this meant that all job applications had to be managed manually, a task the organization was no longer set up to do. This setback resulted in extensive delays for all job applicants, with business units unable to fill vacant positions promptly. One further outcome of this breach was additional scrutiny of why this lack of adequate cybersecurity controls had not been picked up during the due diligence phase.

The Importance of the Tone from the Top

In the end, the organization acknowledged that there had been little or no due diligence carried out, which resulted in a review of all third parties, not just critical ones. This action ensured that any third party that handles personal data is documented and undergoes retrospective due diligence to ensure adequate controls are in place.

Being proactive and implementing a third party risk management framework before an incident happens is obviously by far the best option. After this incident, no one questioned the value of third party risk management. Meanwhile, the name of the organization associated with the breach was posted on the front pages of the Australian newspapers.

Third party risk management is like an insurance policy – you hope you will never have to use it, but if you do, it is better to be prepared.

The Certified Third Party Risk Management Professional (C3PRMP) program is the gold standard in risk training. The video-based, on-demand program is specifically designed for the time-constrained professional. Created by Linda Tuck Chapman – advisor, educator, author and expert – the program teaches students best and emerging practices in third party risk management throughout the lifecycle of critical relationships, along with the tools for effective governance.

Download the program catalog to get more information on enrollment and join your colleagues in the virtual classroom!