In the drive to focus on their core competencies, organizations are increasingly reliant on a wide range of business partners, vendors and service providers to support functions that were once handled internally. These external partners often have access to much of the same data as regular employees do. Commercially sensitive and proprietary data is routinely transmitted, stored and processed across partner and vendor networks, outside the reach of any one organization's internal controls and security policies. The obligation to protect that data does not transfer with it: without a true understanding of each vendor's risk profile, an organization unknowingly exposes itself to the same compliance liabilities it already manages in its own environment.
Approach
VioPoint understands the challenges of tracking and managing many vendor relationships; the additional variable of evaluating risk only complicates the process. To establish a preliminary structure for evaluating vendor risk, VioPoint uses a defined process to categorize vendors based on the type of information they handle. This initial classification sets the priorities for determining when and how each vendor participates in the formal risk assessment process. Once vendors are grouped into high-level risk tiers, VioPoint uses Modulo's Risk Manager NG software to manage the risk lifecycle. Risk Manager NG is a SaaS-based governance, risk and compliance (GRC) platform that uses established control frameworks to manage risk and compliance within a security program. Our consultants are well versed in vendor risk management, and VioPoint has developed an approach using Risk Manager NG to improve the tracking and auditing of business partners.
Vendor and partner assessments are traditionally performed using Excel-based questionnaires, supplemented with evidence from vulnerability scanners, other security reports and on-site audits. By leveraging the automated capabilities of Risk Manager NG, VioPoint helps clients achieve on-going efficiencies, including the following:
- Automates data collection by using web surveys to gather controls-based details and evidence documentation from each vendor.
- Provides a sustainable framework that allows organizations to identify, manage and report on vendor risk.
- Provides cost-effective program oversight by automating many of the processes required to manage vendor risk.
- Aggregates vendor information, including profiles, contacts, facilities, contracts and projects, in a centralized data repository.
Results
VioPoint has the process and tools to assess vendor compliance with an organization's policies and controls, ultimately delivering an effective vendor risk management program. Modulo Risk Manager NG enables you to manage each of the key activities in an effective vendor management process, including risk-based vendor selection, relationship management, on-going compliance monitoring, and flexible, effective management reporting. The resulting program creates a win-win relationship with vendors by developing a shared understanding of goals, helping both parties cost-effectively achieve and sustain compliance.