Article | TREND NO. 4
Vendor-risk management: Evolving a healthy vendor ecosystem
Jan. 25, 2024 · Authored by Mike Cullen, Jim Kearney
Technology, specialized skill sets and services, and speed of change are a few key factors driving organizations to engage vendors to achieve better business outcomes. With today's ecosystem undergoing nearly continual change, vendor risk management is top of mind for leaders. AuditBoard’s Focus on the Future survey shows 65% of internal audit leaders cite supply chain, outsourcing and reliance on third parties as a top-five risk.
Richard Marcus, Vice President, Information Security at AuditBoard: "The cloud transformation has many benefits, but it decentralizes critical data and pushes the defensive perimeter outside the organization, increasing the threat surface for cyber risk."
As such, what are the processes your organization should enhance for vendors (e.g., third parties and sub-processors) you rely on?
From a risk perspective, organizations are right to be concerned about their vendor ecosystem. There are many external factors driving the decision-making process for leaders in risk, legal, operations, finance and information security. External factors exist across all industries when assessing your vendor ecosystem.
One area that is top of mind for many organizations is regulatory scrutiny over vendors from or related to the following:
- The U.S. Securities and Exchange Commission (SEC), particularly cybersecurity and environmental, social and governance (ESG) disclosures.
- The 2023 final Interagency Guidance on Third-Party Relationships: Risk Management from the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and Treasury.