Vendor Risk Management Case Study: How to Gain Control of Third-Party Risk
By Sarah Nord
Identifying and managing risk within your own organization is challenging enough. When you add a diverse array of third-party relationships, the picture becomes exponentially more complex. Vendor risk management (VRM) professionals have the challenging task of uncovering and analyzing risk to prevent another company’s issues from becoming their own.
I recently interviewed Paul Henriques, a director of third-party security, about his company’s forward-thinking approach to VRM. Here’s how he described his business function:
“My team reviews all of our partners to understand their risk posture. We look to see if they have a security program and established policies that align with our own internal standards.”
When Henriques joined his organization, his team was using spreadsheets and manual processes to handle their day-to-day activities. With information coming from many directions, he saw an opportunity to improve efficiency, and he began the search for a better solution.
That search led him to Onspring.
“Onspring allows us to aggregate our partners and manage all associated risks with those relationships. It drives the automation of these processes.”
Henriques' team now has a well-managed, well-documented vendor management system that allows them to:
- Deliver electronic surveys to third parties
- Risk-rank and categorize responses
- View a partner’s risk posture at a glance
- Perform annual reviews of partner relationships
The major wins? Control, visibility and self-sufficiency. Henriques summed it up this way:
“Onspring allows us to focus on our core mission of risk mitigation instead of managing the software itself.”
Special thanks to Paul Henriques for sharing his story.