As has been said many times before – you can outsource business functions and procedures but you can’t outsource the risks.
What about the impact of your vendors handling information or IT resources for you: what impact do they have on your business risks?
In this age of Cloud computing services, outsourced IT services, off-shored IT services and all-manner of outsourced IT: some – not all – CIOs and CISOs are becoming chief procurement and vendor managers, while many others are becoming exposed to it.
I’ve spoken with some members whose entire day – and all of IT – is taken up managing vendors: because that’s whose delivering all IT services, applications and information for these companies. Others I’ve spoken with have indicated that vendor management is becoming a concern, but only for “not-run-the-company” uses of IT.
Aside from telecommunications services, many of these suppliers specialize in soup-to-nuts procedures and applications for a particular industry: for instance on banking, education, healthcare, insurance, law enforcement, pharmaceuticals, or travel and entertainment as examples. What none of these suppliers specialize in is information security, information assurance, governance and risk management. The onus for managing these “governance” issues of your vendors – is yours!
Research now available from the Group reveals that about 2-in-10 organizations are ignoring – or shoving to the side – the impact of information handling and security procedures by their vendors. Another 5-in-10 are paying lip-service to risks by telling their vendors what’s expected of them in standard contract language and then ignoring it completely after contracts are signed. The remaining 3-in-10 are going beyond dusty boiler-plate contained in procurement contracts.
The primary reasons driving those with the most active vendor management practices include:
- Risks to business operations and procedures when something goes hiccup
- Evidence needed for audits and regulatory reporting
- Risks to the brand and reputation of the organization
- Risks involved with using Cloud-based IT services
- Risks or liability from the loss or theft of sensitive data and customer information
- Risks to financial reporting requirements
And the benefits of actively managing your vendors? Among those with the most active vendor management programs, the benefits include significantly:
- Reduced rates of data loss and theft
- Reduced audit findings related to IT that cost money to fix
- Reduced numbers and severity of Internet security threats
- Reductions in costs and liabilities
- Reductions in business downtime from unexpected IT hiccups
Whether you like it or not, more of us are becoming managers of vendors. It may have started recently and small for you, with the outsourcing of Email or Web-services. Or it might have gone big-time for you long-ago when legacy mainframe applications – that are still being used to run the business by the way – were outsourced to specialist firms.
Whether you are already knee-deep in the swamp managing your vendors or are only now becoming wet, we hope to provide you with some practical guidance about what’s working based on the experience of others. Knowing which procedures to focus on, which procedures to automate, which questions to ask, the metrics needed, what red-flag triggers to employ, and how often to assess and report on risk are just a part of being able to successfully manage your vendors. And, being able to communicate up-the-chain to inform your business stakeholders what the business risks, trends and corrective-action-plans are is also a critical part of managing your vendors.
Although many of us are at different stages, one thing is certain: managing the “governance” issues of your vendors handling information and IT resources – related to value, risk, assurance, and information security – is not going away. It’s here today – and here to stay.
Find out which practices are working to better manage risks related to vendors handling information or IT resources at http://www.itpolicycompliance.com/blog/latest-research2/vendor-risk-management-for-it
We hope you enjoy and are able to take advantage of the findings to improve outcomes for your organization.