Identify and Manage Operational Risk Impacts on Your Organization



More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.

Our Advice

Critical Insight

  • Identifying and managing a vendor’s potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.
  • Organizational leadership is often taken unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.

Impact and Result

Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.

Identify and Manage Operational Risk Impacts on Your Organization Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Identify and Manage Operational Risk Impacts to Your Organization Storyboard – Use this research to better understand the negative impacts of vendor actions on your brand reputation.

Use this research to identify and quantify the potential operational impacts caused by vendors. Utilize Info-Tech's approach to look at the operational impact from various perspectives to better prepare for issues that may arise.

  • Identify and Manage Operational Risk Impacts to Your Organization Storyboard

2. Operational Risk Impact Tool – Use this tool to help identify and quantify the operational impacts of negative vendor actions.

By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

  • Operational Risk Impact Tool

Further reading

Identify and Manage Operational Risk Impacts on Your Organization

Understand internal and external vendor risks to avoid potential disaster.

Analyst perspective

Organizations need to be aware of the operational damage vendors may cause to plan around those impacts effectively.

Organizations must be mindful that operational risks come from internal and external vendor sources. Missing either component in the overall risk assessment can significantly impact day-to-day business processes that cost revenue, delay projects, and lead to customer dissatisfaction.

Frank Sewell,

Research Director, Vendor Management
Info-Tech Research Group

Executive Summary

Your Challenge

More than any other time, our world is changing rapidly. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.

Common Obstacles

Identifying and managing a vendor’s potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.

Organizational leadership is often taken unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.

Info-Tech's Approach

Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

Prioritize and classify your vendors with quantifiable, standardized rankings.

Prioritize focus on your high-risk vendors.

Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.

Info-Tech Insight

Organizations must evolve their risk assessments to be more adaptive to respond to threats in the market. Ongoing monitoring of the vendors tied to company operations, and understanding where those vendors impact your operations, is imperative to avoiding disasters.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

There are many components to vendor risk, including: Financial, Reputational, Operational, Strategic, Security, Regulatory & Compliance.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Operational risk impacts

Potential losses to the organization due to incidents that affect operations.

  • In this blueprint we’ll explore operational risks, particularly from third-party vendors, and their impacts.
  • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to identify, manage, and monitor vendor performance.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

  • 27% of businesses are changing their internal processes around third-party risk management (TPRM) in response to the pandemic.
  • 70% of organizations attribute a third-party breach to too much privileged access.
  • 85% of breaches involved human factors (phishing, poor passwords, etc.).

Assess internal and external operational risk impacts

Due diligence and consistent monitoring are the keys to safeguarding your organization.

Two sides of the same coin

Internal

  • Poorly vetted supplemental staff
  • Bad system configurations
  • Lack of relevant skills
  • Poor vendor performance
  • Failure to follow established processes
  • Weak contractual accountability
  • Unsupportable or end-of-life system components

External

  • Cyberattacks
  • Supply Chain Issues
  • Geopolitical Disruptions
  • Vendor Acquisitions
  • N-Party Non-Compliance
  • Vendor Fraud

Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.

- Wikipedia

Internal operational risk

Vendors operating within your secure perimeter can open your organization to substantial risk.

Frequently monitor your internal process around vendor management to ensure safe operations.

  • Poorly vetted supplemental staff
  • Bad system configurations
  • Lack of relevant skills
  • Poor vendor performance
  • Failure to follow established processes
  • Weak contractual accountability
  • Unsupportable or end-of-life system components

Info-Tech Insight

You may have solid policies, but if your employees and vendors are not following them, they will not protect the organization.

External operational risks

  • Cyberattacks
  • Supplier issues and geopolitical instability
  • Vendor acquisitions
  • N-party vendor non-compliance

Identify and manage operational risks

Poorly configured systems

Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors are crucial to ensure they are meeting expectations in this regard.

Failure to follow processes

Most companies have policies and procedures around IT change and configuration control, security standards, risk management, vendor performance standards, etc. While having these processes is a good start, failure to perform continuous monitoring and management of these leads to increased risks of incidents.

Supply chain disruptions

Awareness of the supply chain's complications, and of each organization's dependencies, is increasing for everyone. However, most organizations still do not understand the chain of n-party vendors that support their specific vendors, or how interruptions in those supply chains could affect them. The 2022 Toyota shutdown caused by its parts supplier Kojima is a perfect example of how one essential parts vendor could shut down your operations.

What to look for

Identify operational risk impacts

  • Does the vendor have a business continuity plan they will share for your review?
  • Is the vendor operating on old hardware that may be out of warranty or at end of life?
  • Is the vendor operating on older software or shareware that may lack the necessary patches?
  • Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
  • Does the vendor have sufficient personnel in acceptable regions to support your operations?
  • Is the vendor willing to make concessions on contractual protections, or are they only offering “one-sided” agreements with “as-is” warranties?

Operational risks

Not knowing where your risks come from creates additional risks to operations.

  • Supply chain disruptions and global shortages.
    • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Do you know where your critical vendors are getting their supplies? Are you aware of their business continuity plans to accommodate for those interruptions?
  • Poor vendor performance.
    • Organizations need to understand where vendors are acting in their operations and manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after a bad performance.
  • Vendor acquisitions.
    • A lot of acquisition is going on in the market today. Large companies are buying competitors, imposing new terms on customers, or removing competing products from the market. Understand your options if a vendor is acquired by a company with which you do not wish to be in a relationship.

It is important to identify where potential risks to your operations may come from to manage and potentially eliminate them from impacting your organization.

Info-Tech Insight

Most organizations realize that their vendors could operationally affect them if an incident occurs. Still, they fail to follow the chain of events that might arise from those incidents to understand the impact fully.

Prepare your vendor risk management for success

Due diligence will enable successful outcomes.

  1. Obtain top-level buy-in; it is critical to success.
  2. Build enterprise risk management (ERM) through incremental improvement.
  3. Focus initial efforts on the “big wins” to prove the process works.
  4. Use existing resources.
  5. Build on any risk management activities that already exist in the organization.
  6. Socialize ERM throughout the organization to gain additional buy-in.
  7. Normalize the process long term with ongoing updates and continuing education for the organization.

How to assess third-party operational risk

  1. Review Organizational Operations – Understand the organization’s operational risks to prepare for the “what if” game exercise.
  2. Identify and Understand Potential Operational Risks – Play the “what if” game with the right people at the table.
  3. Create a Risk Profile Packet for Leadership – Pull all the information together in a presentation document.
  4. Validate the Risks – Work with leadership to ensure that the proposed risks are in line with their thoughts.
  5. Plan to Manage the Risks – Lower the overall risk potential by putting mitigations in place.
  6. Communicate the Plan – It is important not only to have a plan but also to socialize it in the organization for awareness.
  7. Enact the Plan – Once the plan is finalized and socialized, put it in place with continued monitoring for success.

Insight summary

Operational risk impacts often come from unexpected places and have unforeseen consequences. Knowing where your vendors sit in critical business processes, and what those vendors' business continuity plans mean for your organization, should be a priority for those who manage the vendors.

Insight 1

Organizations fail to plan for vendor acquisitions appropriately.

Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans around replacing critical vendors purchased in such a manner?

Insight 2

Organizations often fail to understand how they factor into a vendor’s business continuity plan.

If one of your critical vendors goes down, do you know how they intend to re-establish business? Do you know how you factor into their priorities?

Insight 3

Organizations need to have a comprehensive understanding of how their vendor-managed systems integrate with Operations.

Do you understand where in the business processes vendor-supported systems lie? Do you have contingencies around disruptions that account for those pieces missing from the process?

Identifying operational vendor risk

Who should be included in the discussion

  • While it is true that executive-level leadership defines the strategy for an organization, it is vital that the decisions they make are informed ones.
  • Getting input from operational experts at your organization will enhance your organization's long-term potential for success.
  • Involving those who not only directly manage vendors but also understand your business processes will aid in determining the forward path for relationships with your current vendors and identifying new emerging potential partners.

See the blueprint Build an IT Risk Management Program

Review your operational plans for new risks on a regular basis.

Keep in mind that Risk = Likelihood x Impact (R = L * I).

Impact (I) tends to remain the same, while Likelihood (L) is moving closer to 100% as threat actors become more prevalent.

Managing vendor operational risk impacts

What can we realistically do about the risks?

  • Review vendors’ business continuity plans and disaster recovery testing.
    • Understand your priority in their plans.
  • Institute proper contract lifecycle management.
    • Make sure to follow corporate due diligence and risk assessment policies and procedures.
    • Failure to do so consistently can be a recipe for disaster.
  • Develop IT governance and change control.
  • Introduce continual risk assessment to monitor the relevant vendor markets.
    • Regularly review your operational plans for new risks and evolving likelihoods.
    • Risk = Likelihood x Impact (R=L*I).
      • Impact (I) tends to remain the same and be well understood, while Likelihood (L) may often be considered 100%.
  • Be adaptable and allow for innovations that arise from the current needs.
    • Capture lessons learned from prior incidents to improve over time and adjust your plans accordingly.

Organizations need to review their organizational risk plans, considering the placement of vendors in their operations.

Pandemics, extreme weather, and wars that affect global supply chains are current realities, not unlikely scenarios.

Ongoing improvement

Incorporating lessons learned

  • Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
  • When it happens, follow your incident response plans and act accordingly.
  • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
  • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

Sometimes disasters occur despite our best plans to manage them.

When this happens, it is important to document the lessons learned and improve our plans going forward.

The "what if" game

1-3 hours

Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

  • Break into smaller groups (or if too small, continue as a single group).
  • Use the Operational Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
  • Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

Download the Operational Risk Impact Tool

Input

  • List of identified potential risk scenarios scored by likelihood and operational impact
  • List of potential management of the scenarios to reduce the risk

Output

  • Comprehensive operational risk profile on the specific vendor solution

Materials

  • Whiteboard/flip charts
  • Operational Risk Impact Tool to help drive discussion

Participants

  • Vendor Management – Coordinator
  • Organizational Leadership
  • Operations Experts (SMEs)
  • Legal/Compliance/Risk Manager

High risk example from tool

[Screenshot of the Operational Risk Impact Tool: sample questions to ask to identify impacts, listed with impact score, weight, question, and comments or notes.]

Being overly reliant on a single talented individual can impose risk to your operations. Make sure you include resiliency in your skill sets for critical business practices.

Impact score and level: each impact score is unique to the organization.

Low risk example from tool

[Screenshot of the Operational Risk Impact Tool: sample questions to ask to identify impacts, listed with impact score, weight, question, and comments or notes.] Impact score and level: each impact score is unique to the organization.

Summary

Seek to understand all aspects of your operations.

  • Organizations need to understand and map out where vendors are critical to their operations.
  • Those organizations that consistently follow their established risk assessment and due diligence processes will be better positioned to avoid disasters.
  • Bring the right people to the table to outline potential risks in the market and your organization.
  • Understand how your vendors prioritize your organization in their business continuity processes.
  • Incorporate “lessons learned” from prior incidents into your risk management process to build better plans for future issues.

Organizations must evolve their operational risk assessments considering their vendor portfolio.

Ongoing monitoring of the market and the vendors tied to company operations is imperative to avoiding disaster.

Related Info-Tech Research

Identify and Manage Financial Risk Impacts on Your Organization

  • Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
  • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Manage Reputational Risk Impacts on Your Organization

  • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
  • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

Identify and Manage Strategic Risk Impacts on Your Organization

  • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
  • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

Bibliography

“Weak Cybersecurity is taking a toll on Small Businesses.” Tripwire. August 7, 2022.

SecureLink. “2022 White Paper.” SecureLink, 2022.

“Guide: Evolving Work Environments – Impact of Covid-19 on Profile and Management of Third Parties.” Member Poll. Shared Assessments, March 2021.

“Operational Risk.” Wikipedia.

Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, August 23, 2012.

Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.
