Weighing in at $18.5 million, Target has agreed to pay the largest-ever fine for a third-party data breach. When you consider the scope of the compromise (nearly 70 million customers and/or accounts affected and an estimated total loss of $202 million by Target), the fine almost pales by comparison. How did the thieves access Target’s data? Through an unlikely third-party vendor, specifically an HVAC contractor. The more important lessons from Target’s unfortunate risk debacle are in the details, specifically the breakdowns and negligence in its own risk management processes. While you might not see immediate parallels between a retail behemoth like Target and your credit union, the fact is that every third-party vendor puts every organization at some degree of risk, making a functional and up-to-date vendor risk management program an important part of a mature approach to overall enterprise risk management.
You know all too well that your organization’s time and resources are stretched. Few things are more frustrating than dealing with a cumbersome, inefficient vendor management process that could expose your name and community reputation to unnecessary risk. Are your vendor-related communications, data and reporting decentralized? Is vendor information tied into business continuity and disaster recovery? Are vendors classified by service and risk, and does vendor classification tie into an overall enterprise view? When you execute vendor management as a series of individual tasks to complete rather than as a systemic, data-driven process, chances are you are wasting resources, time and value for an inferior result. Take a look at your current third-party risk management program. How quickly are you able to complete assessments or updates? Which portions are automated? Do you have a central repository, or are you dealing with outdated Excel spreadsheets lurking on some employee’s desktop? Make sure you are asking the right questions, know when to dig deeper, and look for opportunities to streamline your processes. To function effectively and responsively, your vendor risk management program should be systemic, transparent, accessible and automated.
There is good news. We’ve found that credit unions, as regional entities with a common member-focused culture, are in a unique position to pool their resources to develop a responsive third-party risk management framework that meets their needs and budget. We recently took a closer look at the merits of partnering to reduce risk while protecting the bottom line.
At its heart, assessing vendor risk is an operational, data-driven exercise. Your process can only be as effective and efficient as the scope, currency and accuracy of your information. Equally important is a consistent, clear and actionable third-party risk management reporting framework. That said, there is no need to “reinvent the wheel” every time you face a new or updated third-party risk assessment. With a centralized system that automates tasks and eliminates unnecessary duplicate effort, you can save valuable time and resources while taking your third-party risk assessment program to the next level.