As the end of the year approaches, reflecting on 2021 as we prepare for 2022 seems fitting. From a vendor management perspective, 2021 has been both a continuation and expansion of the risks and the challenges that radically changed "business-as-usual" worldwide in 2020. Nearly two years later, we’re still amid the challenges of a global pandemic and it’s become increasingly clear that the “new normal” of 2021 had its share of unique lessons to teach us.
Lessons Learned in Vendor Management From 2021
This past year brought many different risks into focus, including cybersecurity, financial, business continuity and more. Here are some of the biggest lessons we learned this year:
- Cybersecurity should remain a top priority. It’s been a record-breaking year for cybercrime. The global cost of cybercrime in 2021 has been estimated at $6 trillion. The increase and diversification of cyberattacks and exploits have been seen in virtually every sector. Healthcare, higher education, energy, government and small business have been hit particularly hard in 2021. Here, the lesson "an ounce of prevention is worth a pound of cure" only works if you and your third parties have effective and current prevention methods and controls to detect and prevent costly cyber incidents. Frequently monitoring your third parties for changes to their cybersecurity posture is key.
- You need to ensure that your vendors have adequate business continuity plans. The long tail effects of the pandemic will be seen in supply chains for years to come. From shortages of basic manufacturing materials and components to transportation and import-export issues, there’s an urgent need to take business continuity and resiliency seriously. Third parties critical to your organization must be scrutinized thoroughly and have the evidence to prove their business continuity plans are sufficient to support your organization even under the most challenging circumstances.
- Monitoring your vendors’ financial health is crucial. The economic pressure on organizations of all sizes has been felt on a global scale. While some organizations are faring better than expected, many have not. While we can hope for the best outcomes, it’s important to keep the financial health of your third-party vendors well in your sights. It isn't enough these days to review audited financials once a year. Risk monitoring and alert services can provide much-needed visibility between annual risk reviews.
- It’s important to stay informed of the regulatory environment. With the change of presidential administrations, the regulators have reemerged with renewed energy and focus. In particular, third-party relationships have been a hot topic, from the proposed interagency guidance on third-party relationships to the renewed push on consumer protection, the heightened focus on operational resilience and the increasing pressure to address climate risk through regulatory means. Now is the time to get educated and watch the regulatory space. Do your homework.
- It’s time to consider the value of outsourced vendor risk management. Understaffed vendor management programs have always been an issue, but the regulators have stated their expectation that senior management will provide enough sufficiently skilled staff to ensure vendor management programs are working as intended. That would seem like good news for those of us doing our best to juggle well enough to keep vendor management programs running effectively, but as most of us know, that doesn't always mean that money will be added to the budget or full-time employees (FTEs) added to the program. The real good news here is that regulators have expressed support for outsourcing vendor risk management tasks, including due diligence, to supplement any capacity gaps (employees or expertise).
6 Tips for Vendor Management Success in 2022
Now that we’ve covered some of the most important lessons learned, it’s important to know the next steps. Here are some ideas to convert the lessons learned in 2021 into action for new or emerging third-party risks in 2022:
- Partner with your information security team to review and update your existing third-party due diligence questionnaires to ensure they reflect the current cyber risk environment. It’s also important that your vendor management and information security teams develop a strategy to address significant cybersecurity changes or emerging threats that require specific third-party action or response outside of the annual risk review.
- Make sure your annual risk reviews are current, and yes, prioritize critical third parties. If you have any lapsed or late reviews, consider outsourcing due diligence document collection and review to external vendor management service firms. In many cases, this is more cost-effective than adding staff and usually results in a shorter turnaround time than when using internal resources.
- Pay special attention to your third parties' business continuity and resiliency planning. Testing of the plan is essential. The third party should be expected to disclose any issues or gaps identified during testing and provide their remediation plan to close the gap.
- Review your third-party insurance requirements, making sure that cyber insurance is a separate policy from general liability. Work with your legal team to review or update required policy types and coverage amounts. Also confirm that those requirements are included in your organization's third-party contracts.
- Subscribe to risk alert and monitoring services. It’s a simple way to improve continuous third-party risk monitoring and makes it easier to spot declining financial performance.
- Take time to learn about the regulations affecting your industry and the laws that govern third-party relationships. Cybersecurity, privacy and business operations resiliency are common themes with almost all regulators.
Remembering back to late 2019, most of us couldn’t have imagined what the next two years had in store. Here we are closing out 2021, managing many of the same third-party risks we had pre-pandemic, but with new and different insights, learning and tools. As 2022 approaches, it's good to remember that preparation, information and teamwork are the ingredients for any successful vendor risk management program.