More than at any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
It is increasingly likely that one of your vendors, or their n-party support vendors, will fall out of regulatory compliance. Therefore, organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply.
Our Advice
Critical Insight
- Identifying and managing a vendor’s potential regulatory impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.
- Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.
Impact and Result
Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.
- Prioritize and classify your vendors with quantifiable, standardized rankings.
- Prioritize focus on your high-risk vendors.
- Standardize your processes for identifying and monitoring vendor risks with our Regulatory Risk Impact Tool to manage potential impacts.
Identify and Manage Regulatory and Compliance Risk Impacts on Your Organization Research & Tools
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
1. Identify and Manage Regulatory and Compliance Risk Impacts to Your Organization Storyboard – Use the research to better understand the negative impacts of vendor actions to your brand reputation.
Use this research to identify and quantify the potential regulatory impacts caused by vendors. Use Info-Tech's approach to look at the regulatory impact from various perspectives to better prepare for issues that may arise.
- Identify and Manage Regulatory and Compliance Risk Impacts on Your Organization Storyboard
2. Regulatory Risk Impact Tool – Use this tool to help identify and quantify the operational impacts of negative vendor actions.
By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
- Regulatory Risk Impact Tool
Further reading
Identify and Manage Risk Impacts on Your Organization
It is easier for prospective clients to find out what you did wrong than that you fixed the issue.
Analyst perspective
Organizations must understand the regulatory damage vendors may cause from lack of compliance.
 |
The sheer number of regulations on the international market is immense, ever-changing, and make it almost impossible for any organization to consistently keep up with compliance. As regulatory enforcement increases, organizations must hold their vendors accountable for compliance through ongoing monitoring and validation of regulatory compliance to the relevant standards in their industries, or face increasing penalties for non-compliance. Frank Sewell, Research Director, Vendor Management Info-Tech Research Group |
Executive Summary
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
|---|---|---|
More than at any previous time, our world is changing rapidly. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level. It is increasingly likely that one of your vendors, or their n-party support vendors, will fall out of regulatory compliance. Organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply. |
Identifying and managing a vendor’s potential regulatory impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations. Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals. |
Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them. Prioritize and classify your vendors with quantifiable, standardized rankings. Prioritize focus on your high-risk vendors. Standardize your processes for identifying and monitoring vendor risks with our Regulatory Risk Impact Tool to manage potential impacts. |
Info-Tech Insight
Organizations must evolve their risk assessments to be more adaptive to respond to regulatory changes in the global market. Ongoing monitoring of the vendors who must comply with industry and governmental regulations is crucial to avoiding penalties and maintaining your regulatory compliance.
Info-Tech’s multi-blueprint series on vendor risk assessment
There are many individual components of vendor risk beyond cybersecurity.
This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.
Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.
Regulatory and Compliance risk impacts
Potential losses to the organization due regulatory and compliance incidents.
- In this blueprint we’ll:
- Explore regulatory and compliance risks and their impacts.
- Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to identify, manage, and monitor vendor performance.
The world is constantly changing
The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them and avoid penalties.
When the unexpected happens, being able to adapt quickly to new priorities and regulations ensures continued long-term business success.
Below are some things no one expected to happen in the last few years:
45% Have no visibility into their upstream supply chain, or they can only see as far as their first-tier suppliers. 2022 McKinsey |
61% Of compliance officers expect to increase investment in their compliance function over the next two years. 2022 Accenture |
$770k+ Breaches involving third-party vendors cost more on average. 2022 HIT Consultant.net |
Regulatory Compliance
Consider implementing vendor management initiatives and practices in your organization to help gain compliance with your expanding vendor landscape.
Your organizational risks may be monitored but are your n-party vendors?
Review your expectations with your vendors and hold them accountable.
Regulatory entities are looking beyond your organization’s internal compliance these days. More and more they are diving into your third-party and downstream relationships, particularly as awareness of downstream breaches increases globally.
- Are you assessing your vendors regularly?
- Are you validating those assessments?
- Do your vendors have a map of their downstream support vendors?
- Do they have the mechanisms to hold those downstream vendors accountable to your standards?
Regulatory Guidance and Industry Standards
- International Organization for Standardization (ISO)
- FOREIGN CORRUPT PRACTICES ACT (FCPA)
- Sarbanes–Oxley Act (SOX)
- National Institute of Standards & Technology (NIST)
- Control Objectives for Information and Related Technologies (COBIT)
- EU General Data Protection Regulation 2016/679 (“GDPR”);
- UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (UKGDPR)
- Swiss Federal Act on Data Protection (Swiss FDPA) – coming September 1, 2023
- IR35 (UK Off-Payroll compliance)
- Technology Code of Practice (UK)
- Modern Slavery Act 2015 (UK)
- Defense Federal Acquisition Regulation Supplement (DFARS)
- Cybersecurity Maturity Model Certification (CMMC)
- Payment Card Industry Data Security Standard (PCI DSS)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
Are you confident your vendors meet your standards?
Identify and manage regulatory and compliance risks
Environmental, Social, Governance (ESG)
Regulatory agencies are putting more enforcement on ESG practices across the globe. As a result, organizations will need to monitor the changing regulations and validate that their vendors and n-party support vendors are adhering to these regulations, or face penalties for non-compliance.
Data Protection
Data Protection remains an issue in the world. Organizations should ensure that the data their vendors obtain remains protected throughout the vendor’s lifecycle, including post-termination. Otherwise, they could be monitoring for a data breach in perpetuity.
Mergers and Acquisitions
More prominent vendors continuously buy smaller companies to control the market in the IT industry. Therefore, organizations should put protections in their contracts to ensure that an IT vendor’s acquisition does not put them in a relationship with someone that could cause them an issue.
What to look for
Identify regulatory and compliance risk impacts.
- Is there a record of complaints against the vendor from their employees or customers?
- Has the vendor been cited for regulatory compliance issues in the past?
- Does the vendor have a comprehensive list of their n-party vendor partners?
- Are they willing to accept appropriate contractual protections regarding them?
- Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
- Does the vendor operate in regions known for regulatory violations?
- Is the vendor willing to make concessions on contractual protections, or are they only offering “one-sided” agreements with “as-is” warranties?
Prepare your vendor risk management for success
Due diligence will enable successful outcomes.
- Obtain top-level buy-in; it is critical to success.
- Build enterprise risk management (ERM) through incremental improvement.
- Focus initial efforts on the “big wins” to prove the process works.
- Use existing resources.
- Build on any risk management activities that already exist in the organization.
- Socialize ERM throughout the organization to gain additional buy‑in.
- Normalize the process long term, with ongoing updates and continuing education for the organization.
(Adapted from COSO)
How to assess third-party risk
- Review Organizational Regulations
- Identify & Understand Potential Regulatory-Compliance Risks
- Create a Risk Profile Packet for Leadership
- Validate the Risks
- Plan to Manage the Risks
- Communicate the Plan
- Enact the Plan
Understand the organization’s regulatory risks to prepare for the “What If” game exercise.
Play the “What If” game with the right people at the table.
Pull all the information together in a presentation document.
Work with leadership to ensure that the proposed risks are in line with their thoughts.
Lower the overall risk potential by putting mitigations in place.
It is important not only to have a plan but also to socialize it in the organization for awareness.
Once the plan is finalized and socialized, put it in place with continued monitoring for success.
Adapted from Harvard Law School Forum on Corporate Governance
Insight summary
Regulatory risk impacts often come from unexpected places and have significant consequences. Knowing who your vendors are using for their support and supply chain could be crucial in eliminating the risk of non-compliance for your organization. Having a plan to identify and validate the regulatory compliance of your vendors is a must for any organization, to avoid penalties.
Insight 1 |
Organizations fail to plan for vendor acquisitions appropriately. Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans around replacing critical vendors purchased in such a manner? |
Insight 2 |
Organizations often fail to understand how n-party vendors could place them in non-compliance. Even if you know your complete third-party vendor landscape, you may not be aware of the downstream vendors in play. Ensure that you get visibility into this space as well and hold your direct vendors accountable for the actions of their vendors. |
Insight 3 |
Organizations need to know where their data lives and ensure it is protected. Make sure you know which vendors are accessing/storing your data, where they are keeping it, and that you can get it back and have the vendors destroy it when the relationship is over. Without adequate protection throughout the lifecycle of the vendor, you could be monitoring for breaches in perpetuity. |
Identifying regulatory and compliance risks
Who should be included in the discussion.
- While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
- Getting input from regulatory risk experts within your organization will enhance your long-term potential for successful compliance.
- Involving those who not only directly manage vendors but also understand your regulatory requirements will aid in determining the path forward for relationships with your current vendors, and identifying new emerging potential partners.
See the blueprint Build an IT Risk Management Program
Review your risk management plans for new risks on a regular basis.
Keep in mind Risk = Likelihood x Impact (R=L*I).
Impact (I) tends to remain the same, while Likelihood (L) is becoming closer to 100% as threat actors become more prevalent
Managing vendor regulatory and compliance risk impacts
How could your vendors fall out of compliance?
- Review vendors’ downstream connections to understand thoroughly with whom you are in business.
- Monitor their regulatory stance as it could reflect on your organization.
- Institute proper vendor lifecycle management.
- Make sure to follow corporate due diligence and risk assessment policies and procedures.
- Failure to consistently do so is a recipe for disaster.
- Develop IT risk governance and change control.
- Introduce continual risk assessment to monitor the relevant vendor markets.
- Regularly review your regulatory requirements for new and changing risks.
- Be adaptable and allow for innovations that arise from the current needs.
- Capture lessons learned from prior incidents to improve over time, and adjust your plans accordingly.
Organizations must review their regulatory risk appetite and tolerance levels, considering their complete landscape.
Changing regulations, acquisitions, and events that affect global supply chains are current realities, not unlikely scenarios.
Ongoing Improvement
Incorporating lessons learned.
- Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
- When it happens, follow your incident response plans and act accordingly.
- An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
- Use the lessons learned document to devise, incorporate, and enact a better risk management process.
Sometimes disasters occur despite our best plans to manage them.
When this happens, it is important to document the lessons learned and update our plans.
The “what if” game
1-3 hours
Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
- Break into smaller groups (or if too small, continue as a single group).
- Use the Regulatory Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
- Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
High risk example from tool
How to mitigate:
Contractually insist that the vendor have a third-party security audit performed annually, with the stipulation that they will not denigrate below your acceptable standards.
Note: Even though a few items are “scored” they have not been added to the overall weight, signaling that the company has noted but does not necessarily hold them against the vendor.
Low risk example from tool
Summary
Seek to understand all regulatory requirements to obtain compliance.
- Organizations need to understand and map out their entire vendor landscape.
- Understand where all your data lives and how you can control it throughout the vendor lifecycle.
- Those organizations that consistently follow their established risk assessment and due diligence processes are better positioned to avoid penalties.
- Bring the right people to the table to outline potential risks in the market and your organization.
- Incorporate “lessons learned” from prior incidents into your risk management process to build better plans for future issues.
Keeping up with the ever-changing regulations can make compliance a difficult task.
Organizations should increase the resources dedicated to monitoring these regulations as agencies continue to hold them more accountable.
Related Info-Tech Research
Identify and Manage Financial Risk Impacts on Your Organization
- Vendor management practices educate organizations on potential financial impacts that vendors may incur and suggest systems to help manage them.
- Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.
Identify and Manage Reputational Risk Impacts on Your Organization
- Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
- Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.
Identify and Manage Strategic Risk Impacts on Your Organization
- Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
- Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.
Info-Tech Insight
It is easier for prospective clients to find out what you did wrong than that you fixed the issue.
Bibliography
Alicke, Knut, et al. "Taking the pulse of shifting supply chains", McKinsey & Company, August 26th 2022. Accessed October 31st
Regan, Samantha, et al. "Can compliance keep up with warp-speed Change?", accenture, May 18th 2022. Accessed Oct 31st 2022.
Feria, Nathalie, and Rosenberg, Daniel. "Mitigating Healthcare Cyber Risk Through Vendor Management", HIT Consultant, October 17th 2022. Accessed Oct 31st 2022.
Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.
Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.