Are Your Risk Management Efforts Enabling Partnership Opportunities?

Forrester's Security and Risk Management clients often describe the frustration they feel when they are not included in important initiatives until after decisions have been made. Lately, this situation has been especially pronounced in decisions to enter partnership agreements based on service, performance, and cost considerations, with risk management only brought in later to identify and mitigate potential points of exposure.

At the same time, Forrester's Sourcing and Vendor Management professionals find themselves facing their own challenges when it comes to managing the risk of partner relationships. In a Q3 2011 survey of 575 Sourcing and Vendor Management professionals, top concerns related to "X-as-a-service" relationships included the lack of recourse if a vendor fails or goes out of business, the lack of a clear way to assess the risk of a third party, and the inability to manage how providers are handling data. (Source: Forrsights Services Survey, Q3 2011)

In order to bridge this gap, Security and Risk Management professionals need to deliver a streamlined way to insert risk identification, analysis, and evaluation steps within their organization's existing vendor management lifecycle. Forrester customers who have taken this approach - for example, by introducing short, 10-15 question surveys to determine whether more detailed vendor risk assessments are warranted - report better oversight of vendor risk and better involvement in the decision-making process. In some cases, Security and Risk Management professionals have even reported casting a decisive thumbs-down vote to block a new vendor contract because it represented unacceptable risk.

I will be publishing a report describing these and other best practices later this quarter, and I will be presenting this information at Forrester's upcoming Security Forum, November 9-10 in Miami. With a theme of protecting the extended enterprise, this event will also include relevant sessions such as Remote Control: Managing Risk By Auditing Your Supply Chain And Cloud Provider, delivered by my colleague Andrew Rose.

As always, we welcome your thoughts and questions on the subject. Have you seen any unique solutions to deal with the challenges described above?

Comments

Vendor Risk Management

These are common complaints that we have also heard from risk, security, and compliance professionals regarding the selection and management of vendor relationships. I think organizations that have successfully tackled vendor risk management have a few things in common:

1. They understand, in general, the risks that vendors can introduce into their business and that some vendor risk can be catastrophic. Not just information security-related risks but strategic risk; financial risk; fraud risk; supply chain interruptions from capacity limitations, disaster, or bankruptcy; customer litigation risk; regulatory risk; reputation risk, etc.

2. They recognize that for any particular vendor selection, depending on the size and scope of the initiative, there may be up to a dozen different stakeholders including: strategic planning, project management, sales, IT, operations, legal, purchasing, quality assurance, IT security, physical security, contingency planning, risk and insurance management, internal audit, executive management, and the board of directors. Each of these stakeholders has an expertise in evaluating and managing risk and is accountable to help ensure a successful vendor relationship.

3. They recognize that successful vendor risk management is an enterprise initiative. As with most enterprise initiatives, you can’t harmonize all of the stakeholders’ interests and enforce compliance without adequate commitment and tone at the top.

4. You can’t evaluate, select, and provide adequate on-going oversight of vendor relationships without standardizing the terminology and processes using agreed-upon evaluation templates, workflow, exception decisioning, and on-going monitoring and management.

5. Vendor risk management is embedded in the business. Contract signing serves as a final gate so that no contracts are signed until all material risk issues have been evaluated and decisioned.

6. Stakeholders are accountable to play by the rules and to play within given time constraints. Often, vendor decisions have to be made quickly to take advantage of pricing or market opportunities. If vendor risk management is too burdensome or cannot be done quickly, it will fall apart and no one in the organization will follow it.

The exciting thing is that there are eGRC technology solutions available in the vendor risk management space that enable all of this, and do so in a timely, cost effective manner. Each stakeholder can institutionalize their risk assessment and management approach within the eGRC solution ensuring that everyone plays by the rules. All of the stakeholders receive workflow and reporting targeted to their role, responsibilities, and hierarchy within the organization. It’s a great way of managing vendor, supply chain, and counterparty risks.

Business Security Companies

Thanks for sharing this great information with us. Risk management is attempting to identify and then manage threats that could severely affect or bring down the organization. Generally, this involves reviewing the operations of the organization, identifying potential threats to the organization and the likelihood of their occurrence, and then taking appropriate actions to address the most likely threats.

The Danger of Getting a "Bid"

The Danger of Getting a "Bid" Without a Risk Assessment can be harmful to your investment. I have read a story at http://blog.gibraltarrisk.com/blog/bid/109325/The-Danger-of-Getting-a-Bi.... It is not clever to invest before a risk assessment; this will also help you with commercial insurance.