Hidden Risks

“Morgan Stanley lost over $150M1 when its vendor partner failed to adequately encrypt sensitive customer data.” This financial blow is a mere symptom of a systemic breakdown caused by inadequate risk policies and processes. A seemingly routine data center decommissioning project turned into a nightmare due to a failure in vendor due diligence. Beyond the immediate financial impact, the incident resulted in sale of 15 Million customer records(1) in an open auction. This incident severely damaged Morgan Stanley’s reputation, highlighting a  harsh lesson on the significance of thorough vendor due diligence.

The repercussions of ineffective vendor risk management extend far beyond finances. A single vulnerability in the vendor ecosystem can open a backdoor for devastating cyberattacks, data breaches, and operational disruptions. A recent cyberattack on Change Healthcare exposed such a chilling domino effect – hospitals and clinics reliant on this vendor lost $100+ million daily(2), and patients nationwide struggled to refill prescriptions, delaying medications for many.

Such recurring disruptions have forced businesses to re-evaluate and modernize their third-party risk management practices.

Understanding Vendor Risk

Recognizing the inevitability of depending on third parties for their needs, 84% of organizations have a formal third-party risk management program today(3).

Exhibit 1.Types of Risks

Exhibit 2. Sources of vendor risks

The importance of vendor risk management

The consequences of unmanaged vendor risk extend far beyond the initial hiccup. Here’s how it can trigger a chain reaction of issues:

  1. Operational Disruption: Security incidents involving business partners cost organizations an average of $3.6 Million(4). Vendor disruptions require manual workarounds, impacting productivity and incurring additional labor costs.
  2. Strategic Stagnation: If the vendor can’t scale to meet a business expanding needs, the business will be forced to find alternative solutions, delaying strategic initiatives and diverting resources.
  3. Brand Erosion: Poor brand service directly affects customer experience. Dissatisfied customers due to vendor issues can lead to churn and reputational damage, impacting future opportunities.
  4. Data Security Breach: One of the most critical consequence is the compromise of sensitive data and systems. Data breaches can result in exorbitant fines, legal repercussions and irreparable reputational damage. The global average cost of a data breach stands at $4.45 Million USD, of which, United States has the highest average total cost of a data breach amounting up to $9.48 Million(5).
  5. Vendor Lock-in Trap: Switching vendors can be a costly and time-demanding process. Data migration, integration efforts and employee retention all contribute to the high cost of switching to an alternative

Navigating the Vortex

A. PRE-VENDOR SELECTION

1. Unspecified risk objectives:

Firms may deal with 2,000+ vendors6 on a daily basis to keep their business running. Lack of a centrally defined vendor risk management strategy/third party risk management strategy can lead to making risky vendor investments.

Unless there is a top-down culture and standard plan for incorporating risk considerations

at various decision-making processes, buyers of vendors will apply unequal standards of risk management, potentially exposing firms to multiple critical failure points. The saying, ‘a chain is only as strong as its weakest link’ becomes critical in case of multiple interconnected vendor systems where each system could be a potential point of failure.

2. Short-changing risk assessment during vendor selection:

Often delayed until later, risk management needs to start at the time of selecting a third party for providing services. Key risk management considerations at vendor selection phases include:

Exhibit 3. Risk Management Framework

2.a  Future State Operating Model:

Organizations must make multiple decisions with respect to its go-forward operating model before engaging a vendor(s). These decisions include:

üNumber of Vendors – Organizations can use multiple redundant vendors with split of work to ensure redundancies in case a vendor fails.

üFuture state vendor interaction model – Critical potential points of failure need to be mapped to be mapped and safeguarded.

2.b  Total Cost of Ownership x Risk Analysis

The total cost of ownership of a vendor relation must be compared against a risk weighted impact assessment of the vendor’s potential  failure. This can also drive negotiations while finalizing a third party.

2.c  Vendor Class

i.Monopolist vs Boutique Vendors:  Working with a monopolist can increase risk due to lack of alternatives while a boutique, although safer, may not be the market leader in terms of capabilities. A choice needs to be made by considering both, capabilities, risk and the accountability the vendor is willing to accept.

ii.Strategic Support vs Operational Vendor: Operational vendors by virtue of their nature of services need more risk focus assessment.

2.d  Contract Terms

Strong and inclusive terms while finalizing vendor contracts can lead to a smooth disaster recovery even in the unforeseen event of a vendor failure. Some key items to be included are as follows:

üService Level credits in case of service level defaults

üMinimum  Insurance Requirements

üPenalties in case of delayed service restoration

üService/Product specific performance  guarantees

2.e  Vendor Disengagement Strategy

Defining terms related to vendor disengagement at the start of a contract can safeguard firms in case of vendor replacement/decommission. These include terms on knowledge transfer, trainings, transfer of processes to new vendor, data migration support, etc.

2.f  Onboarding Strategy

Structured onboarding plan can help ensure all compliances are in place and reduces regulatory risks. Moreover, setting up of a formal vendor governance structure ensures creation of proper communication channels and escalation matrix.

Exhibit 4. Governance Structure and Oversight Committee

B. ONGOING RISK MONITORING

1. Unchecked Vendor Performance

Ongoing third-party risk monitoring is crucial to ensure that firms are always protected against emerging risks due to changing business conditions. Moreover, it also encourages vendors to be vigilant and continuously upgrade their risk management systems and processes. Best practices on ongoing risk monitoring include:

  • Regular Vendor Stress Tests (including DR testing)
  • Periodic Business Review meetings (Including review of risk indicators)
  • Residual risk assessment and tracking
  • Maintenance of real-time data dashboards that actively track risk indicators
  • Maintenance of internal disaster plans and periodic internal stress tests

2. Unvetted Automatic Contract Renewals

Contract renewals provide businesses with a unique opportunity and incentive to re-calibrate their risk tolerance. Businesses should scan the markets to discover the best risk management practices being adopted by the market and ensure that such practices are baked into the renewed contract.

C. VENDOR DISENGAGEMENT

1. Incomplete Vendor Offboarding

A planned and organized vendor offboarding process is critical to ensure that BAU is maintained, especially when historically critical vendors are replaced or decommissioned. Brief checklist for vendor offboarding include:

  • Disengagement plan finalization
  • Complete knowledge transfer and user training if needed
  • Data Migration
  • Removal of System Access
  • Agreement on disengagement costs

Proper dependency maps must be created to ensure backups and alternatives have been put in place before the vendor is offboarded.

In case of technological replacement, new system testing (including integration as well as UAT) must be completed and parallel systems must be maintained until a steady state is achieved before decommissioning the old systems.

Future of Vendor Risk Management

A future where businesses leverage their vendor network for unprecedented resilience is closer than we think. Supercharged by analytics and a shift from reactive to proactive risk mitigation, vendor risk management can prove to be a source of strategic advantage rather than a source of threat. Here are some trends to keep a watch on:

1. AI-powered Impact

Businesses are tapping into the potential of AI to gain real-time, predictive insights and revolutionize vendor risk management. Organizations with AI and automation experience a 108-day shorter data breach lifecycle(7) compared to organizations that didn’t use AI.

2. ESG-driven risk assessments

With a growing awareness about ESG and the potential impact of a vendor’s practices on a company’s reputation and operations, Vendor risk management frameworks adopted by companies are becoming more and more robust and ESG-sensitive.

3. Shift to using external resources

Vendor Risk Management programs increasingly rely on co-sourcing and managed services arrangements to drive cost reduction, solve skill gaps and leverage on-demand services. 44% of organizations expect to use MSPs for vendor risk management more in the next 2-3 years(8).

In Conclusion 

Traditionally, vendor risk management practices are reactive, assessing and mitigating risks only after vendors were already onboarded. However, a more effective paradigm is emerging: Shift-Left Vendor Risk Management. This proactive approach not only helps identify potential risks early on in the vendor risk lifecycle but also helps streamline onboarding and facilitate continuous monitoring.

As business leaders are shifting their risk management approach towards the left, they have increasingly come to realize the importance of trust in the risk management business. They have now started thinking of vendor risk management, enhanced by technology, as the cornerstone of trust in their vendor ecosystem.

As they begin to integrate AI and automation in their risk management lifecycles, they are giving way to transparency, strengthened collaboration and ultimately, building a fortress of trust. This delivers a resilient supply chain, a secure environment for data, and a foundation for long-term success with vendor partners.

Investing in vendor risk management today can secure a future brimming with cost-effective, secure, successful and trust-worthy partnerships.

__________________________________________________________________________________________________________

  1. “Morgan Stanley Hard Drives With Client Data Turn Up On Auction Site”, The New York Times, 2022
  2. CBSE News, 2023
  3. EY Global Third-Party Risk Management Survey, 2023
  4. IBM X-Force Threat Intelligence Index, 2022
  5. IBM Cost of a Data Breach Report, 2023
  6. “How many vendors should your financial institution have?”, NContracts, 2021
  7. IBM Cost of a Data Breach Report, 2023
  8. EY Global Third-Party Risk Management Survey, 2023

Read More