Poornachander Kola

The Vendor Risk Management conundrum

Updated: Jun 14, 2020

Every modern organization relies heavily on third parties for its day-to-day operations. These service providers and partners are critical to the functioning of the business and range from software developers, marketing agencies and lawyers to maintenance and housekeeping services.

Third parties are expected to add value to the business by making daily operations more efficient. At the same time, the organization's ever-growing set of business relationships introduces a profusion of new risk and compliance challenges. The complexity of these relationships brings third-party risk to the fore, and high-profile breaches keep reiterating that organizations are only as strong as their weakest link.

Organizations are looking to incorporate governance, risk, and compliance (GRC) technology into their security processes to help manage third-party risk.

We will look closely at third-party risk and at how GRC technology can address the challenges of third-party risk management.

Fast Response

Risk needs to be identified and managed quickly, which is possible through continuous vendor security monitoring. For example, when a new vulnerability emerges, the GRC solution pinpoints which vendors are potentially affected. Organizations can then initiate follow-up information requests to those vendors from the GRC solution, track their status, and log remediation steps.


A primary step for a GRC program is to have an inventory of processes and metrics. A complete inventory means building "asset maps" of your organization's and your vendors' IT systems.

In order to analyze and calculate risk, GRC solutions require complete information on active and emerging threats to each third-party organization. Challenges arise when internal data is out of date or incomplete, and when questionnaires completed by the third parties themselves pile up, are prone to error, and are inherently biased. A top IT services firm was unaware of a security issue for months before it was discovered, and it took months more to actually report it. Organizations can gather intelligence on risks to infrastructure, including threat and attacker activity on the dark web, domain abuse, and IT policy violations, for a more complete view of the cyber risk associated with third parties.


With the surge in cloud adoption, the organization is exposed to a wider risk hiding behind the front line: fourth-party risk. For example, a vendor might use Google or Oracle cloud services and GoDaddy to deliver its services to the organization. It is prudent to assess the security not only of the vendors but also of the vendors' own suppliers (fourth parties).

Integrating fourth parties into the GRC program and systems, together with continuous vendor monitoring, brings transparency and granularity that highlight performance gaps.
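As an added illustration (not from the original post or from any GRC product) of how an asset map lets a GRC process pinpoint which vendors a newly disclosed vulnerability may reach, directly or through a fourth party, the following Python sketch models vendors, the products they run and the suppliers they rely on, then opens one trackable follow-up request per exposed vendor. All vendor names, products and the vulnerability id are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    tier: int                 # 3 = direct third party, 4 = one of the vendor's own suppliers
    technologies: set = field(default_factory=set)  # products recorded in the asset map
    suppliers: set = field(default_factory=set)     # fourth parties the vendor depends on


# Constructed sample asset map; names and products are illustrative, not real vendor data.
ASSET_MAP = {
    "payroll-saas": Vendor("payroll-saas", 3, {"nginx", "postgresql"}, {"cloud-host-a"}),
    "marketing-agency": Vendor("marketing-agency", 3, {"wordpress"}, {"dns-registrar-b"}),
    "cloud-host-a": Vendor("cloud-host-a", 4, {"openssl"}),
    "dns-registrar-b": Vendor("dns-registrar-b", 4, {"bind"}),
}


def _exposure_path(asset_map, name, affected, depth, seen):
    """Depth-first search for a vendor, or one of its suppliers, running an affected product.
    Returns the chain of names from the vendor down to the exposed party, or None."""
    if name in seen or depth < 0 or name not in asset_map:
        return None
    vendor = asset_map[name]
    if vendor.technologies & affected:
        return [name]
    for supplier in sorted(vendor.suppliers):
        sub = _exposure_path(asset_map, supplier, affected, depth - 1, seen | {name})
        if sub:
            return [name] + sub
    return None


def exposed_vendors(asset_map, affected_products, max_depth=3):
    """Pinpoint which third parties are potentially exposed to a new vulnerability,
    directly or via a fourth party. Returns {vendor name: exposure chain}."""
    exposure = {}
    for name, vendor in asset_map.items():
        if vendor.tier != 3:
            continue
        path = _exposure_path(asset_map, name, set(affected_products), max_depth, set())
        if path:
            exposure[name] = path
    return exposure


def open_follow_ups(exposure, vuln_id):
    """Create one trackable information request per exposed vendor, as a GRC tool would."""
    return [{"vuln": vuln_id, "vendor": vendor, "via": path[-1] if len(path) > 1 else None,
             "status": "requested", "remediation_log": []}
            for vendor, path in sorted(exposure.items())]
```

Running `exposed_vendors(ASSET_MAP, {"openssl"})` flags only "payroll-saas", reached through its supplier "cloud-host-a", which is exactly the fourth-party exposure the text describes.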

Relevant Insight

Organizations are trying to understand the actual security performance of their third parties through attestations and survey questionnaires. They now question the veracity of attestations when third parties appear to be above average in their security performance.


With the ever-increasing volume of information on cyber threats, regulatory compliance, and third-party questionnaires, it becomes difficult to prioritize risks and focus remediation and response efforts.

Real-time risk scoring with actionable threat intelligence integrated into the GRC system enables fast and informed decisions to prioritize, contain, and mitigate threats.

Strengthen Visibility into Third-Party Risks and Compliance with ServiceNow

The ServiceNow Vendor Risk Management application enables you to automate and streamline oversight of vendor relationships with a comprehensive process to identify, assess, mitigate, and monitor third-party risks. It also enables the organization to manage compliance, track performance, conduct audits, and manage issues.

The module helps to streamline third-party information gathering, due diligence, onboarding, real-time monitoring, and risk, compliance, and control assessments. It also helps in assigning tasks and documenting interactions with third parties. Through the Vendor Risk Management app, organizations gain visibility into third-party relationships for making informed business decisions.

Without the right tools, it can be difficult for organizations to gain the visibility they need to monitor vendor due diligence. ServiceNow's Vendor Risk Management provides insights into vendor security posture, helping organizations identify potential risks to their business. Vendors are assessed across multiple groups of security risk factors and given a risk rating so that you can easily understand their risk level. Calculating risk also highlights areas that can be improved within your vendor ecosystem, allowing you to quickly identify and remediate potential threats.

As more organizations work with third-party vendors to drive business, having access to a centralized governance & security platform ensures that you can maintain financial and reputational stability without sacrificing operational efficiency.
