A Look Back at Vendor Risk Management in 2021 and Trends to Expect in 2022
This year saw organizations facing several emerging risks, particularly as it relates to their third-party vendor relationships.
One of the most prevalent threats reported this year was ransomware; 2021 saw a massive surge in ransomware attacks in the first half of the year alone.
Other prevalent information security risks included distributed denial-of-service (DDoS), social engineering, and infrastructure attacks like the Colonial Pipeline hack.
These devastating cybersecurity attacks resulted from a larger issue that received significant attention this year: a lack of effective vendor risk management (VRM), also referred to as third-party risk management (TPRM).
Changes to Vendor Risk Management in 2021
As a result, several regulatory bodies, like FINRA, began releasing new guidance stressing the importance of conducting third-party risk assessments and maintaining up-to-date documentation that evidences an organization's due diligence when onboarding new vendors.
Additionally, organizations were encouraged to shore up their operations with proper third-party risk management tools, particularly in the wake of the COVID-19 pandemic when so many businesses had to rapidly shift to a remote-working ecosystem.
Organizations that put off proper risk management because of cost pressures were cautioned that they ignored this guidance at their peril.
Pressure is also mounting for organizations to implement environmental, social, and governance (ESG) best practices across the enterprise to limit compliance risk.
Regulatory VRM Updates in 2021
As stated above, FINRA was only one of several regulatory bodies to release new guidance around third-party risk in the last few years.
Other notable regulatory updates include:
- GDPR’s Guidance on Standard Contractual Clauses (SCCs) (2021)
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (2020)
- Cloud Security Alliance Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) v4 (2021)
- An ESG category of 35 questions was added to the Standardized Information Gathering (SIG) questionnaire.
- The Standardized Control Assessment (SCA) added a new ESG procedure aligned with the SIG questionnaire.
VRM Trends to Expect in 2022
Based on the new guidance released recently and many of the publicized events that occurred around vendor risk this year, we’ve compiled a list of expectations we believe organizations will face in 2022.
Vendor Risk Management programs will be mandated.
Although third-party risk management isn’t a new concept, the number of third-party threats organizations face has increased exponentially this year.
Thus, it is likely that formal vendor risk management programs will be mandated in 2022, with early adopters of robust risk management programs setting the example for others to follow.
Organizations will implement Vendor Risk Management across the organization.
Many companies are still running their vendor risk management program in silos, confining its coverage to a single department. Instead, VRM should be cross-functional and applied holistically across the organization.
Why? Because when departmental silos are broken down, operational risk silos fall with them. VRM programs can then monitor many risk domains at once, including ESG, compliance, data privacy, and cybersecurity, to name a few.
Organizations that prioritize vendor risk management will do so with the help of a ‘proven’ VRM solution.
With the ever-increasing regulatory pressure surrounding third-party risk management, it isn't feasible for many organizations to bolt the necessary risk management program onto existing manual workflows and spreadsheets.
Instead, these organizations will need to implement a software solution that will empower them to streamline workflows, eliminate process bottlenecks, automate manual processes, and ultimately scale their VRM program.
Organizations will leverage VRM solutions to grow the business overall.
While third-party risk management is a challenge for many, it can also be an opportunity for the business to grow when executed in line with strategic growth objectives.
By establishing strong outsourcing relationships that include proper due diligence and documentation of that due diligence, businesses can meet their regulatory obligations, advance their risk maturity, and pursue growth opportunities without taking on additional risk.
Furthermore, with much of the vendor onboarding and management process automated and streamlined, stakeholders can focus on using their service-provider partnerships to achieve both revenue and growth goals.
How Vendor360 Can Help You Implement and Scale VRM
CENTRL’s Vendor360 is a vendor risk management platform that helps organizations implement, monitor, and scale third-party risk management programs.
The platform includes a customizable vendor questionnaire to gain a deeper understanding of third-party vendors and allows users to upload their proprietary vendor questionnaires.
Additionally, your Vendor360 subscription includes access to the SIG questionnaire, saving organizations the added expense of purchasing access separately.
The Vendor360 platform can also help you streamline manual processes in your TPRM program through workflow automation tools that make it easy for your organization to manage third parties from start to finish.