I went to the RSA conference once — it was really busy and hearing from my buddies at the front, it’s now busier than ever. So much for the boycott, eh?
A lot of my security buddies are at RSA this week, and are broadcasting the buzz back to the rest of us here at Gartner. One piece of gossip that got my attention was shared by Erik Heidt. He said that many of the financial services attendees are talking about the FS regulators ramping up vendor risk oversight requirements on FS firms. Third party risk management is the one area where I do get involved in security — I always say I’m a risk management analyst whenever anyone asks me a really tricky security question.
Third party risk management is pretty broad. It covers downstream risks associated with customers and prospects, business partners and resellers (and downstream is where much of the fraud, bribery and corruption comes into play). It also covers upstream risks associated with suppliers in manufacturing, mining, oil and gas, retail and other supply chains, plus the risks associated with vendors that provide business process outsourcing or information services, or that manage IT assets. These vendors can range from a major outsourcer to a visiting nurse. We group the vendors that somehow touch information which you own or for which you are accountable into VRM. It’s focused mostly on the logical supply chain, whereas supplier risk management focuses on the physical goods supply chain. For more on this, I’ve included at the bottom of this post our working definition for the upcoming Magic Quadrant for Vendor Risk Management, which is slated for Q4 this year.
Anyway, is the buzz about VRM at RSA right? Yes. Ever since late October, when the Office of the Comptroller of the Currency published guidelines saying that VRM should be part of the ERM program, we have seen an uptick in inquiry on vendor risk management. I expect other FFIEC regulators (FRB, FDIC, NCUA and CFPB) to continue raising the bar as well.
Now there are a couple of immediate problems with complying with the OCC guidelines. First, they make the assumption that FS firms have ERM programs. I’m sure most do in name, but frankly, in practice many don’t. Second, most FS firms don’t have a vendor management function, and if you don’t do vendor management, then how can you do vendor risk management?
To deal with the onslaught of client interest, we’ve been ramping up on VRM here at Gartner. First we formed a dedicated vendor management team, headed up by Linda Cohen, and including my good friends Helen Huntley, Chris Ambrose, and Gayla Sullivan. You may remember that Helen and I led a special report on VRM in 2009 when the first bubbles of VRM began to appear in the risk management pond. Now the pond is in full boil, and we’re worried about a steam flash!
By the way, it’s not just FS clients driving the demand — healthcare and E&U are getting into this too in a big way, and no industry vertical will be left behind. You can thank cloud computing for that!
We’re getting behind the demand for VRM research in a big way. Very soon, you’ll see a note from Kristian Steenstrup and Gayla Sullivan on VRM for operational technology. Looking ahead, Chris Ambrose and I are working on updating Gartner’s Simple Vendor Risk Management Framework. There’s nothing wrong with it now, and it’s very popular, but we want to add more detail on sources of risk data, and key risk indicators for VRM.
Chris, Gayla and I are also working on the new VRM Magic Quadrant, and we’re starting to track services for VRM. This is in addition to the work that other analysts like Debbie Wilson, Ray Barger and Noha Tohamy are doing on supplier risk management, Jay Heiser and Rob McMillan on VRM standards, and Khushbu Pratap on auditing vendors. And I’m also working on some of those downstream risk issues, so expect a note on FCPA solutions in Q2.
VRM Technology Definition
Vendor risk management (VRM) is the process of ensuring that the use of third-party service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. VRM solutions support enterprises that must assess, monitor and manage their risk exposure from third parties that provide IT products and services, or that have access to enterprise information.