In the world of vendor risk management, there are several categories of vendor risk to consider, such as strategic, compliance, cyber, financial, reputational and more. Today, we will focus on vendor operational risk and highlight some of the issues that can arise if this risk isn’t managed appropriately.
First, we should define operational risk as the risks an organization faces while running its day-to-day business activities. Operational risk typically reflects the failure of processes, procedures, people and systems. Furthermore, operational risk has two dimensions, internal and external.
Internal Vendor Operational Risks
Internal operational risks are those that are theoretically within the control of the organization. Internal operational risk is more or less "man-made" because people make the processes, procedures, actions, thinking and decisions that cause these risks.
7 examples of internal vendor operational risk include:
- Employee skill level
- Use of aging technology
- Infrastructure deficiencies
- Process design failure
- Poor planning
- Compliance violations
- Vendor risk management
External Vendor Operational Risks
External operational risks are those risks that occur outside of the organization's control.
9 examples of external vendor operational risk include:
- Changing regulatory environment
- Currency fluctuations
- Societal or political changes
- Inflation
- Increased competition
- Increased taxes
- Shifting demographics
- Changing consumer tastes
- Natural disasters, pandemics or terrorist threats
Real-Life Scenarios Where Operational Risk May Come into Play
Organizations outsourcing products and services must not mistake vendor risk management as an external risk beyond their reasonable control. Focusing on vendors' operational risk is an essential component to managing your internal operational risk. Consider these examples.
Scenario 1 – failure to review the cybersecurity structure: Suppose your organization selects a cloud service provider without performing the due diligence necessary to establish that the provider has the cybersecurity structure required to protect your customers' data. In that case, if there is a data breach, you could face regulatory fines, lose revenue and your customers might choose to take their business elsewhere.
Scenario 2 – failure to test the business continuity plan: In another example, let's say you have a vendor that provides services supporting your organization's critical operations, maybe for financial transaction processing. They gave you a business continuity plan during due diligence, but it was never tested. You have no idea how or if they can reinstate their operations after a large natural disaster. Now, a natural disaster (a fire, flood or earthquake, potentially) that happened thousands of miles away is wreaking havoc on your ability to continue your most critical operations. These risks manifested in part because the plan was never tested, and the risk associated with that vendor was incorrectly managed.
Scenario 3 – a natural disaster creates operational delays: This is the tale of the troublesome tornado. Your vendor is unable to get operations up and running after a severe tornado. As a result, your transaction payment processing system has been down for a week. Your customers cannot submit online payments, which prevents you from issuing customer statements on schedule. And your accounting system automatically begins charging late fees. Although this is not intentional, there is a barrage of customer complaints and now the regulators are involved. Worse still, a major news outlet has decided to include the story about the angry customers as part of its tornado coverage.
To break it down further, what happened looked a lot like this:
As you can see, your vendor's internal processes, procedures and risk management (or lack thereof) can directly impact your organization's operations and ability to do business. To understand the potential magnitude of vendor operational risk, remember that operational risks almost always extend to other categories.
Common Problems When Addressing Vendor Operational Risk
Typically, some of the most severe operational risks can occur when vendor risk processes do not follow the entire vendor risk management lifecycle or reflect the primary purpose of the lifecycle.
Process failures include:
- Subjective or inefficient risk identification
- Incomplete review and assessment of due diligence documents, third-party audits, financial information, legal and compliance documentation, etc.
- Failure to engage subject matter experts to review and evaluate vendor controls
- Focusing only on the initial due diligence process to determine a vendor's risk profile and efficacy of their control environment
- Using boilerplate contract templates that do not consider the risks unique to the product or service
- Signing a contract before due diligence is completed
- No monitoring of vendor performance, vendor control environment, or both, or a lack of appropriate and timely monitoring and risk reviews
- Poor record-keeping and storage of due diligence documents, communications, SME reviews, etc.
As a side note, one of the most overlooked vendor operational risks arises from decisions made at the topmost levels of an organization. Suppose your senior management fails to recognize that vendor risk clearly and directly impacts the organization's operational abilities. In that case, it may not be prioritized enough to allocate proper resources or to ensure that skilled employees identify, assess and manage those risks. Hard lessons are usually learned, but only after a severe vendor-related incident or regulatory finding is noted.
How to Reduce the Impact of Vendor Operational Risk
What can you do to reduce the likelihood or lessen the impacts of vendor operational risk? Here are some steps to take:
- First and foremost, use a vendor risk management framework that follows the vendor risk management lifecycle to systematically identify, assess and manage vendor operational risk.
- Second, ensure that your risk identification methods account for the complexity and the criticality of the product and service provided.
- Third, make sure that your due diligence process is robust enough to root out gaps in the vendor's control environment. It should also ascertain if those gaps (and to what extent) can be remediated before you consider if the residual risk rating is acceptable or if more needs to be done.
- Fourth, treat the contract as an essential risk mitigation tool.
- Fifth, monitor both your vendor's performance and their risk profile. For critical or high-risk vendors, a minimum of once a quarter is recommended, or more often as needed in response to an event.
- Finally, engage a senior leader to act as an advocate for the vendor risk management program whenever possible. This will help ensure a "tone-from-the-top" message and provide the appropriate attention and resources for your vendor risk management program.
In conclusion, vendor operational risk has a broad reach and can negatively impact an organization in more ways than one. To combat these risks, an organization needs a solid vendor risk management framework to set the stage for identifying, assessing and managing vendor risk. Beyond the framework, there is a real need for the stakeholders, subject matter experts and senior leaders to support and champion the vendor risk management organization and ensure that the vendor risk management program is prioritized, executed and enforced appropriately.