This is the first of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on steps to achieve a proper and friction-free onboarding process.
Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected web of relationships that span traditional business boundaries, and complexity grows as these relationships, processes, and systems nest inside one another. Business today is interconnected in a flat world in which over half of an organization's 'insiders' are no longer traditional employees but third parties: contractors, consultants, temporary workers, outsourcers, service providers, and vendors.
An organization can face disruption and disaster by establishing or maintaining the wrong business relationships. A third party's security problems are the organization's problems: they directly impact brand and reputation while increasing risk and compliance exposure. When questions of security arise, the organization is held accountable, and it must ensure that its third party partners behave appropriately.
Today’s organization requires complete situational and holistic awareness of third party security and its connection to and impact on operations, processes, transactions, and data. It has become essential that organizations govern third party relationships throughout the lifecycle of the relationship:
Today we will look at the first stage, onboarding a third party relationship: ensuring the organization is doing business with the right third parties as they are brought onboard, before network connections are established and data is shared.
There are a variety of approaches to onboarding as part of your risk management plan. Some organizations bring third parties onboard with minimal inquiry into or affirmation of security, but want red flags raised if security issues arise during the relationship. Other organizations perform more structured due diligence during onboarding to ensure that security is addressed before the relationship becomes active. What is critical on either side of this dichotomy is agility: the organization needs to establish relationships quickly and not slow the business down.
The stronger approach is clearly the structured one, in which due diligence confirms that a third party has security in place before the relationship is established and connected to the organization's data and systems. Even so, onboarding needs to be agile; otherwise the business will work around security and potentially expose the organization.
The onboarding process in a vendor risk management plan involves these fundamental steps:
I am not a fan of the haphazard approach in which organizations start a relationship and only look at issues when they arise. I advocate that organizations follow a structured onboarding process that scopes the third party (the identification and qualification phase above) and performs a level of due diligence that is in line with the potential risk exposure the relationship brings. Even the most obscure third party relationship can bring significant damage to the organization if it connects to the organization's network or shares, processes, or analyzes the organization's data.
To facilitate this onboarding process and remain agile, organizations should partner with solution providers that streamline the assessment and scoring of third party security exposure and risk through active and ongoing scanning and evaluation of those third parties.
Governing security in third party relationships does not stop with the onboarding phase. From there it moves into the ongoing monitoring of the relationship that we will explore in the next blog in this series.
About Michael Rasmussen
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 25+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.