Enterprise Risk Reporting | The Achilles Heel of Vendor Risk Management Programs

Blog Post by Cliff Baker, CEO at CORL Technologies

Information security leaders and vendor risk management teams have struggled to update their reporting models to keep pace with the increasing variety and complexity of risks introduced by the modern business supply chain. 
The inability to effectively communicate meaningful vendor risk metrics that drive informed decisions from the business has become the Achilles heel for many third-party risk management programs. 
Security and compliance leaders often struggle to answer fundamental enterprise vendor risk questions from the business such as:
  • Which vendors introduce the highest risk to the business? 
  • How much will we reduce risk if we take this or that action? 
  • What are the potential legal, regulatory, financial, and reputational exposures for the business related to our vendor supply chain? 
  • What level of coverage and visibility do we have into vendor risks, and where are our blind spots? 
  • Which business units and departments are introducing the most risk to the business related to their third-party vendor relationships? 
  • What budget should be allocated for third-party risk management and compliance? 
  • How do we know that our prior investments in our vendor risk management program have reduced our risk? 
Inconsistent and overly technical vendor risk metrics have resulted in security leaders resorting to anecdotal and artful storytelling instead of relying on objective risk measures that are meaningful and actionable for the business. 
Third-party security and risk metrics presented to leadership often lack alignment with a strategic vendor risk management vision. Risk metrics require appropriate business context to effectively advise the organization on enterprise risk and empower leadership to make informed decisions on investments and mitigation of identified risks. 
Vendor risk management leaders must also strike the right balance of reporting the right metrics to the right audiences at the right time. For example, presenting technical and operational assessment results to executive audiences can potentially confuse and alienate a strategic-minded audience and undermine the team’s ability to secure support and investment in the vendor risk management program.
Target Outcomes for Enterprise Vendor Risk Reporting
  • Support Executive Messaging – Provide meaningful and actionable information via dashboards, reporting, or other means for risk owners
  • Achieve Stakeholder Buy-In – Demonstrate and validate risk concepts and modeling to facilitate a shared vision. Operationalize risk reporting processes to enable stakeholders to assist with objective decision making
  • Provide Visibility – Deliver accurate information to enable proactive vendor risk assessment and management across the full portfolio of vendors. Support the analysis and consumption of ad hoc or recurring reports
  • Enable Ownership – Facilitate the education of personnel responsible for the implementation of risk reporting functions and vendor contracting decisions
  • Mature Reporting Mechanisms – Support the design, testing, and deployment of new vendor risk reporting models
  • Evolve Risk Reporting Practices – Monitor and evolve metrics, KRIs, KPIs and enhance reporting via automation and process improvements 
Designing Effective Vendor Risk Metrics & Reporting Structures

The following principles and considerations are recommended for the design of strategic vendor risk metrics and reporting models:

  • Start with the outcome in mind; design and build strategic metrics that answer critical questions for the business vs presenting risk data that is readily available or easily produced 
  • Align with industry standard risk reporting and security controls models, including FAIR, ISO, NIST, COBIT, CVSS, and HITRUST 
  • Establish current state and future state maturity targets and KRIs for each area within the vendor risk management program 
  • Establish clear links between executive, strategic, and operational reporting levels 
  • Communicate vendor risk information in terms that the business can understand 
  • Collect and report risk information in a way that is operationally feasible and appropriate for the organization 
  • Provide the processes, tools, templates, and dashboards that present a visual picture of vendor risk 
  • Gather and organize data that provides a clear picture of risk tailored to target stakeholder groups 
  • Provide a structure that allows stakeholders to make risk mitigation decisions based on timely information 
  • Promote stakeholder accountability through reporting, ongoing monitoring, and validation of results 
  • Identify the target strategic outcomes the business is trying to achieve, adjust year over year to align with maturing targets for key risk areas, then drive metrics and KRIs that would be best to move those specific initiatives forward aligned with the roadmap/vision
  • Report on technical, management, and operational controls to maintain alignment with business objectives and regulatory compliance requirements, including HIPAA, HITECH, and other regulations and standards 
  • Report on changes to vendor risk posture based on continuous monitoring of the vendor portfolio over time 
We have overhauled our vendor risk reporting models at CORL over the years to facilitate more effective communication with the business. Our reporting dashboards leverage Business Intelligence (BI) reporting capabilities and automation to capture and report vendor risk metrics in a consistent, repeatable, and scalable manner. 
Our tools and processes are designed to harmonize and report vendor risk data from a variety of internal and external sources, including cyber risk scoring solutions, GRC platforms, and other third-party risk management platforms. 
We look forward to continuing to work alongside our clients to further innovate our reporting models to drive actions and investments that reduce risks introduced by third-party vendor supply chains. We welcome the opportunity to engage with you and your teams further on this important topic.
Most Recent Posts
Keep Up with CORL: Vendor Breach Digest, 1/17/22 Read More
Urgent Vendor Risk Alert: Log4j Java/Apache Logging Vulnerability Read More
Keep Up with CORL: Vendor Breach Digest, 12/9/21 Read More