Use this research to identify and quantify the potential operational impacts caused by vendors. Utilize Info-Tech's approach to look at the operational impact from various perspectives to better prepare for issues that may arise.
By playing the “what if” game and asking probing questions to draw out – or eliminate - possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
Organizations must be mindful that operational risks come from internal and external vendor sources. Missing either component in the overall risk assessment can significantly impact day-to-day business processes that cost revenue, delay projects, and lead to customer dissatisfaction.
Research Director, Vendor Management
Info-Tech Research Group
Your Challenge
More than any other time, our world is changing rapidly. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level. A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.
Common Obstacles
Identifying and managing a vendor's potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations. Organizational leadership is often caught unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.
Info-Tech's Approach
Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them. Prioritize and classify your vendors with quantifiable, standardized rankings. Focus first on your high-risk vendors. Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.
Organizations must evolve their risk assessments to be more adaptive to respond to threats in the market. Ongoing monitoring of the vendors tied to company operations, and understanding where those vendors impact your operations, is imperative to avoiding disasters.
This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.
Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.
The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.
When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.
Below are some things no one expected to happen in the last few years:
27% of businesses are changing their internal processes around third-party risk management (TPRM) in response to the pandemic.
70% of organizations attribute a third-party breach to too much privileged access.
85% of breaches involved human factors (phishing, poor passwords, etc.).
Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.
- Wikipedia
Vendors operating within your secure perimeter can open your organization to substantial risk.
Frequently monitor your internal process around vendor management to ensure safe operations.
You may have solid policies, but if your employees and vendors are not following them, they will not protect the organization.
Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors are crucial to ensure they are meeting expectations in this regard.
Most companies have policies and procedures around IT change and configuration control, security standards, risk management, vendor performance standards, etc. While having these processes is a good start, failure to perform continuous monitoring and management of these leads to increased risks of incidents.
Awareness of the supply chain's complications, and of each organization's dependencies, is increasing for everyone. However, most organizations still do not understand the chain of n-party vendors that support their specific vendors, or how interruptions in those supply chains could affect them. The 2022 Toyota shutdown, triggered by a cyberattack on the parts supplier Kojima, is a perfect example of how one essential parts vendor could shut down your operations.
It is important to identify where potential risks to your operations may come from to manage and potentially eliminate them from impacting your organization.
Most organizations realize that their vendors could operationally affect them if an incident occurs. Still, they fail to follow the chain of events that might arise from those incidents to understand the impact fully.
Operational risk impacts often come from unexpected places and have unforeseen consequences. Knowing where your vendors sit in critical business processes, and what those vendors' business continuity plans mean for your organization, should be a priority for those who manage the vendors.
Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards against inadvertently entering a negative relationship? Do you have plans for replacing critical vendors that are purchased in such a manner?
If one of your critical vendors goes down, do you know how they intend to re-establish business? Do you know how you factor into their priorities?
Do you understand where in the business processes vendor-supported systems lie? Do you have contingencies around disruptions that account for those pieces missing from the process?
See the blueprint Build an IT Risk Management Program
Review your operational plans for new risks on a regular basis.
Keep in mind Risk = Likelihood x Impact (R=L*I).
Impact (I) tends to remain the same, while Likelihood (L) is approaching 100% as threat actors become more prevalent.
Organizations need to review their organizational risk plans, considering the placement of vendors in their operations.
Pandemics, extreme weather, and wars that affect global supply chains are current realities, not unlikely scenarios.
Sometimes disasters occur despite our best plans to manage them.
When this happens, it is important to document the lessons learned and improve our plans going forward.
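The Risk = Likelihood x Impact scoring above is usually applied to each vendor in isolation, which is exactly how the n-party chain gets missed. The following is an added example, not part of Info-Tech's Operational Risk Impact Tool or of this blueprint: a small risk register that scores each vendor as R = L * I, walks each vendor's own suppliers (fourth parties and beyond), and rolls the compounded likelihood of failure anywhere in that chain up to the business process it feeds. Every vendor name, process name and score below is constructed sample data, and the rule that a fourth party's outage carries the direct vendor's impact is an assumption of the example.

```python
"""Vendor operational risk register with n-th-party roll-up (added example).

Scores each vendor as Risk = Likelihood x Impact (R = L * I), then walks the
support chain (vendor -> sub-vendor -> ...) so that a sub-supplier's chance
of failure is carried into every business process it ultimately feeds.
All vendors, processes and numbers below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    likelihood: float  # 0.0-1.0: chance of a disruptive incident within the review period
    impact: int        # 1 (negligible) .. 5 (process stops) on the processes it supports directly
    supports: list = field(default_factory=list)    # business processes this vendor directly supports
    depends_on: list = field(default_factory=list)  # n-th-party vendors it relies on to deliver


# Constructed sample register (hypothetical vendors and scores, not real companies).
REGISTER = {
    "cloud-host":      Vendor("cloud-host", 0.10, 5, ["order-fulfilment", "customer-portal"], ["colo-power"]),
    "payment-gateway": Vendor("payment-gateway", 0.05, 5, ["order-fulfilment"], ["card-network"]),
    "parts-supplier":  Vendor("parts-supplier", 0.20, 4, ["manufacturing"], ["tier2-stamping"]),
    # Fourth parties: no contract with us, so no direct process and no impact score of their own.
    "colo-power":      Vendor("colo-power", 0.05, 0),
    "card-network":    Vendor("card-network", 0.02, 0),
    "tier2-stamping":  Vendor("tier2-stamping", 0.30, 0),
}


def inherent_risk(vendor):
    """R = L * I for one vendor in isolation, ignoring what sits beneath it."""
    return vendor.likelihood * vendor.impact


def chain(register, name, seen=None):
    """All vendors reachable from `name` through depends_on, including `name` itself.
    The `seen` set makes the walk safe against cycles (mutual dependencies) and diamonds."""
    if seen is None:
        seen = set()
    if name in seen or name not in register:
        return seen
    seen.add(name)
    for dep in register[name].depends_on:
        chain(register, dep, seen)
    return seen


def chain_likelihood(register, names):
    """Probability that at least one vendor in the set fails: 1 - prod(1 - L_i).
    Assumes independent failures, which understates correlated risk (shared region, shared upstream)."""
    survive = 1.0
    for name in sorted(names):
        survive *= 1.0 - register[name].likelihood
    return 1.0 - survive


def process_exposure(register):
    """Per business process: the union of every vendor in every supporting chain,
    the compounded likelihood over that union, the worst direct impact, and R = L * I."""
    exposure = {}
    for vendor in register.values():
        for process in vendor.supports:
            entry = exposure.setdefault(process, {"vendors": set(), "impact": 0})
            entry["vendors"] |= chain(register, vendor.name)
            entry["impact"] = max(entry["impact"], vendor.impact)
    for entry in exposure.values():
        entry["likelihood"] = chain_likelihood(register, entry["vendors"])
        entry["risk"] = entry["likelihood"] * entry["impact"]
        entry["vendors"] = sorted(entry["vendors"])
    return exposure


def ranked(register):
    """Processes ordered by chain-adjusted risk, highest first: where monitoring effort should go."""
    return sorted(((p, e["risk"]) for p, e in process_exposure(register).items()),
                  key=lambda pr: pr[1], reverse=True)


if __name__ == "__main__":
    exposure = process_exposure(REGISTER)
    for process, risk in ranked(REGISTER):
        e = exposure[process]
        print(f"{process:17s} L={e['likelihood']:.3f} I={e['impact']} R={risk:.2f}  "
              f"chain={', '.join(e['vendors'])}")
```

On the sample data, parts-supplier scores 0.8 on its own (0.20 x 4), but once its tier-2 stamping supplier is folded in, the manufacturing process carries a compounded likelihood of 0.44 and a risk of 1.76, more than double the figure a vendor-by-vendor review would report. Replace the independence assumption in chain_likelihood with your own correlation model if several chains share a region or an upstream provider.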
Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
Download the Operational Risk Impact Tool
Being overly reliant on a single talented individual can pose a risk to your operations. Make sure you build resiliency into the skill sets behind critical business practices.
Organizations must evolve their operational risk assessments considering their vendor portfolio.
Ongoing monitoring of the market and the vendors tied to company operations is imperative to avoiding disaster.
"Weak Cybersecurity Is Taking a Toll on Small Businesses." Tripwire, August 7, 2022.
SecureLink. 2022 White Paper (SL_Page_EA+PAM). rocketcdn.me.
"Guide: Evolving Work Environments. Impact of Covid-19 on Profile and Management of Third Parties." Member Poll, Shared Assessments, March 2021.
"Operational Risk." Wikipedia.
Tonello, Matteo. "Strategic Risk Management: A Primer for Directors." Harvard Law School Forum on Corporate Governance, August 23, 2012.
Frigo, Mark L., and Richard J. Anderson. "Embracing Enterprise Risk Management: Practical Approaches for Getting Started." COSO, 2011.