Citisoft Blog

A Practical Guide to Vendor Risk Management

Written by Danielle Castrechini | Nov 15, 2022

As the vendor landscape continues to evolve, there is an increasing trend of partnering with third party providers to support critical functions, and in the age of cloud technologies, those providers can be anywhere in the world. Having a dependency on multiple external parties, coupled with regulatory requirements and access to sensitive information, greatly increases an investment management organization’s vendor-related risk.

Vendor management in general can be a daunting task especially if an organization does not yet have a formal structure to support it. However, even in the absence of a vendor management model, it is critical to have processes in place to understand risk factors, assess potential impacts to the business, and implement controls and other mitigating actions to minimize any fallout.

Performing a comprehensive risk assessment for each third-party relationship is critical to developing a sustainable and repeatable process to effectively manage vendor risk. It is important to note that this is not a one size fits all endeavor as different vendors will pose different levels of risk. The following are key areas of focus to jumpstart or improve a risk management model for the duration of the vendor lifecycle:

  1. Identify the entire vendor landscape. Verify the complete list of vendors, and corresponding services,
  2. Begin vendor risk management with the onboarding process. Complete a comprehensive vendor due diligence to understand any inherent risks and ensure clear and concise language in contract negotiations. Verify that due diligence includes transparency into any fourth party providers as well.
  3. Individually assess and assign a risk profile to each service provided by a vendor, including both inherent risks and if each service is critical to day to day operations.
  4. Determine the level of assessment required for each vendor/service, including ownership for completing the assessment, and the frequency in which risk profiles need to be reassessed.
  5. Identify key measures and controls for ongoing monitoring. Try to keep these consistent across vendors or services wherever possible for easier tracking and reporting.
  6. Implement processes for continuous monitoring vs. relying only upon intermittent, vendor self-reported assessment scorecards, where possible. This may require day to day or weekly oversight or monitoring but enables earlier identification of changes to a vendor risk profile and execution of required mitigation actions.
  7. Maintain an open dialog with vendors to proactively raise issues or concerns and initiate the appropriate course of action.

The successful execution of the above actions does require a collective effort, with clear ownership and role definition, which is often divided into three lines of defense.

First Line: Business units are the first line of defense and often designated as the vendor owners, as they interact with vendors on a daily basis and can readily identify issues or flag areas of concern.

Second Line: Separate from the business units (e.g., compliance, etc.), the vendor manager or third-party risk manager/team is responsible for defining policies and providing instruction to the business units to ensure adherence to established rules and guidelines.

Third Line: Internal audit is responsible for continuous evaluation of the effectiveness of the risk management processes to assess, monitor, and manage vendor risk, including validation that business units are following the defined processes, and confirmation of compliance with all regulatory requirements.

A rigorous risk management program requires a commitment to implementing a sustainable framework with clearly defined roles and responsibilities, and the diligence to continue to support and evolve the process to meet an organization’s changing needs.  In the absence of a strong framework to manage vendor risk, an investment management organization will not only be ill equipped to identify and respond to risk incidents but will also likely be unprepared in the event of a future technology or service level change.