Companies are increasingly outsourcing all or some of their IT and business services to reduce costs, consolidate, simplify, and focus on their main stuff. As they say, "the main thing should always be to keep the main thing, the main thing". But as companies place their trust in others to serve them and ultimately their customers, they must have some assurance that the vendors providing support services are managing the risks properly and meeting compliance and regulatory expectations. From a governance standpoint, vendors should not be in a position to dictate a company’s policies although vendors can help shape the policies and standards with their exposure to industry best practices.
The title of this article, "vendor risk management", is different, yet similar to, "vendor management risk". This article is about the risks that arise from engaging a vendor to support a business process or outsourcing some functions which must be managed. On the other hand, the term "vendor management risk" is about the risks that companies face in their day to day vendor management efforts. I know this is confusing but I also find the distinction interesting and worth an analysis.
Companies are ultimately liable for the protection of client data and quality of services that they provide to their clients whether they outsource some or all of their functions. Companies must also ensure compliance with regulatory and industry requirements such as privacy as part of their services. In the normal course of business operations, companies are pretty good at managing their risks by identifying, prioritizing and mitigating them. However, businesses might be a little less concerned with risks that they assign to their vendors when they outsource. This outsourcing peace of mind presents vendor management risks that companies must be aware and manage, which if left unaddressed or unmanaged, can present a variety of negative consequences for companies. This is why service level agreements and data protection clauses are important to make sure vendor risks are managed properly.
Consequences of Unaddressed Vendor Management Risks
Consequences of unaddressed vendor risks which can lead to data breach incidents are enormous and unpredictable which include lost clients and revenues, lawsuits, negative publicity, damaged company brand, penalties from noncompliance with government regulations, and jail time for executives. Customers are often unaware that their companies outsource their internal services to third parties but even if they are aware, they would care less as long as they remain confident that their companies take full responsibility for data protection and the quality of services.
Basically, when outsourcing, companies must maintain control over information security governance, document comprehensive contracts that list vendor responsibilities especially with respect to information security and data access or use, and, perform independent audits to ensure compliance with privacy, information security, and contractual requirements.
Companies must take responsibility for regulatory compliance, adherence with contractual agreements, and managing risks. Companies must follow their established policies and procedures through employee training and monitoring but they must also ensure their vendors apply the same level of due care when it comes to managing risks. Company information security officers can develop and execute a customized audit program for each selected vendor as part of their annual security plan to assess risks and provide constructive feedback to their executive management regarding vendor policies, procedures and operations.
Information Security Governance
Information security governance should not be confused with information security management. Governance, which must be an internal company function, determines who is authorized to make decisions, specifies the accountability framework, provides oversight to ensure that risks are adequately mitigated, and, ensures that security strategies are aligned with business objectives and consistent with regulations. Information security management, which can be wholly or partly outsourced, is concerned with making decisions, ensuring that controls are implemented to mitigate risks, and recommends security strategies.
National Institute of Standards and Technology or NIST describes information security governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and, provide assignment of responsibility to manage risks.
Since information must be treated as any other critical asset essential to the survival and success of the organization, information security governance which is a complex and critical function must be elevated to the highest organizational levels. According to Identity Management Institute, governance refers to an organization’s oversight and practices by a committee of the Board of Directors and/or Executive Management to assign a chief information security officer, provide strategic direction, approve the information security program, support the CISO to achieve its objectives, and require an annual report regarding the state of information security and compliance.
Compliance Risks and Beyond
When a company outsources some services to a vendor or multiple vendors, whether it’s for a particular business process, software development, or system management, the company also expects and relies on the vendor to manage the same risks that they would have to manage if they were performing the outsourced activities in-house. For example, vendors are expected to have proper hiring and staff management practices around their employees and contractors, which include full background checks, adequate human resources policies and procedures, and employee training. When internal controls don’t exist or are not functioning properly, then companies can be exposed to some unmanaged risks.
Depending on the nature of the outsourced business process, some services pose greater risks than others. For example, there is usually less risks with an automated service if the system has been properly tested and undergoes limited and less critical changes. On the other hand, if your company is a bank and you outsource loan application processing, you may be exposed to risks in the areas of privacy compliance, system integrity and loan decision accuracy, as well as system security, data backup and protection, disaster recovery and business continuity.
There are a few ways that companies can make sure that vendors are properly managing the risks. For example, some of the least expensive risk assurance options include Request For Information, Standard Information Gathering questionnaires and review of independent audit reports provided by vendors such as SSAE16, FISMA, and ISO audit reports. A more expensive option is to send auditors to examine a specific area in depth. Most companies use a combination of all these options to get comfortable with a vendor's internal controls but many of these actions depend on how the outsourcing deal was negotiated and what the contracts allow or prevent a company to do in the area of risk assurance.
Audit Options for Vendors
In order to manage audit costs and prevent all customers to audit as they wish, service organizations should consider undergoing an independent audit the results of which they can share with customers. Even if customers cover the costs of the audits, there are still many audit support costs that vendors will incur especially if they have thousands of customers, even if they audit once per year or every other year. One of the acceptable and most common audit options in the US is the SSAE 16 audit which is also popular due to the increased regulatory oversight of the Sarbanes-Oxley act and customer requirement that their service organizations obtain and submit an independent audit report. Other benefits of an SSAE 16 audit report for vendors includes instant credibility with their customers and perception that the vendors are responsible, independent confirmation by a third-party of their internal controls, and cost savings as mentioned as the annual audit report can be shared with all clients who ask for it. In addition, a credible independent audit report can satisfy multiple customer audit requests and reduce the number of customer audits.
SSAE 16 Audits
SSAE 16 stands for the Statement on Standards for Attestation Engagements, number 16, which is a recognized third-party assurance audit designed for service organizations. SSAE 16 replaced SAS-70 in 2011. There are two types of SSAE 16 audits. Type one provides the limited assurance at a point of time whereas the SSAE 16 type two provides the highest level of assurance based on a period of time, which includes detailed testing. The scope of the SSAE 16 audits is either decided by the vendor or negotiated as part of the business contracts; however, the usefulness of the audit reports depends on the audits performed around the outsourced services. Some common areas covered in the SSAE 16 audits include employee and contractor management, privacy, access management, information security system developments, lifecycle, data backup and IT operations. The final SSAE 16 audit report is very important to companies because it gives them an independent opinion regarding vendor’s internal controls.
Best Audit Options
Due to their inherent nature, RFIs are less reliable because vendors attest to their own internal controls and there is no independent verification of the assertions. On the other hand, independent audits are more reliable, but they can be expensive. So in order to be cost effective in the vendor assurance process, the high-risk vendors can be identified and audited based on a predetermined audit type or option as well as the frequency of the audits. Companies must determine what constitutes a high risk vendor and decide what type of audit they will need to perform and how often in advance so they can include audit provisions in the contract.
Often the companies are required to pay for the audits that they choose to perform and other times vendors cover the audit costs when complete questionnaires, submit documents for review, and obtain a SSAE16 audit reports. Independent audits by third-parties can be very expensive, however sometimes vendors cover the costs to satisfy either contractual agreements made with their clients, appear being a good business to attract new customers or retain the existing ones, and reduce the overall audit costs..
Final Audit Considerations
To manage their vendor risks, companies must first identify the high-risk vendors, depending on the type of services that they outsource and the data that they share with them. Next, they must decide the type and frequency of assurance methods such as standard information gathering questionnaire, document review, reliance on the SSAE 16 audit report, or, a combination of these methods. However, SSAE6 audit reports are not always available and do not include the critical processes in the audit scope to satisfy customers. One thing to keep in mind is that audit requirements once identified must be coordinated between the legal, vendor management, business, and audit teams for a couple of reasons. First, we want to make sure that there’s an audit clause included in the contract which allows the company to actually audit the vendor as necessary and at the company’s discretion, and second, allow the security team to schedule resources if they have to audit a particular vendor. And lastly, companies should review the results of the audits and follow up with this service organization to make sure that they remediate the potential findings within the agreed upon time frame.