In a recent Forrester survey, senior IT professionals ranked “security concerns about giving work to a third party” as their greatest concern about moving into managed services relationships. Surprised?
Although conventional wisdom says that giving vendors end-to-end accountability for a portfolio of applications and services is the best way to reduce risks in managed services relationships, far too many sourcing professionals believe that this end-to-end accountability eliminates the need for due diligence and other governance activities.
Sourcing and Vendor Management (SVM) professionals must engage senior leaders of internal departments to deepen vendor governance when vendors are given higher-risk projects, greater ownership of application portfolios, and access to greater levels of data.
As ownership of more systems, applications, and processes shifts to vendors, the number and severity of risks increase, and so does the value of strong governance. Many vendors contend that due diligence and governance can be part of their managed services engagement, but these activities are essential to the health of the vendor relationship and should not be outsourced.
Auditors, regulators, and security and risk professionals all have a stake in reducing the risk in vendor relationships, but they need the help of SVM professionals. In particular, SVM professionals must ensure that clear roles and responsibilities for vendors are articulated in the managed services contracts and vendors are held accountable to protect sensitive company, client, and employee information.
Many vendor governance activities can only be accomplished, and are best accomplished, through collaboration with other parts of the organization:
• Disaster recovery and business continuity: The recent partial outage of Amazon’s cloud services platform is a perfect example of why diligence is so critical. The impact of this outage on so many companies is evidence that most companies have inadequate contingency plans, or none at all, for the work and services they have outsourced to vendors. Although planning and testing are an essential part of vendor governance, for too many clients it is still unclear who owns this activity, which demands involvement from application and service owners, Disaster Recovery and Business Continuity Planning (DR/BCP) experts, and procurement and vendor managers. There is a natural collaboration with DR/BCP experts, who have less experience with vendors than SVM pros.
• Finance: Concerns over a vendor’s financial well-being should not be limited to times of global economic stress; financial failure is an everyday occurrence. The failure of Axium, parent of Ensemble Chimes Global — a managed service provider of contract labor business — highlights why vendor health assessments are so important.
Axium’s failure left multiple Fortune 500 companies with a group of unpaid contractors, despite the fact that these companies had paid Ensemble Chimes Global for its services. Assessing a strategic vendor’s financial viability is an essential part of vendor governance, but it is complicated by several factors: the difficulty of finding reliable information on privately held companies, complex financial solvency formulas, the complexity of comparing solvency across global organizations, and the latency of financial information such as 10-K filings and Dun & Bradstreet (D&B) scores for public companies. This activity requires a series of ongoing monitoring processes and close collaboration between finance professionals and procurement and vendor management professionals; the latter have an opportunity to contribute because finance professionals are less experienced with risks that lie outside of financial statements.
• Enterprise Architecture: Enterprise architects are typically the owners of source code reviews. They set the standards and typically mandate the frequency and circumstances of these reviews, but they are generally less experienced in managing the soundness of code developed by outside vendors. Although architects are able to control system and application changes that go through normal change control procedures, this becomes much more complex when companies buy commercial-off-the-shelf (COTS) software and applications, or when vendors provide software or products that they host themselves but which contain personally identifiable information about the company’s clients or employees. Updating the enterprise architectural standards is the role of the enterprise architect, but enforcing them requires the involvement of the SVM team.
• Security and Risk: A Vulnerability Threat Assessment (VTA) is an analysis performed by an outside party to define, identify, and classify the security holes (i.e., vulnerabilities) in a computer, network, or communications infrastructure; it goes beyond a source code review. The assessment is done through “ethical hacking,” in which an outside party, playing the role of a white hat hacker, assesses the vulnerabilities by deliberately probing a network or system to discover its weaknesses. The result is a list of weaknesses and an assessment of their potential risk to the company. The need for this type of analysis has existed since companies first started storing sensitive data on systems accessible through their firewalls, and the recent situation at Epsilon is an example of why such assessments are still so important. Security and risk professionals are adept at managing internal systems; SVM can add value by managing the vendor’s ongoing VTA and service-level agreement (SLA) obligations.
The knowledge, sophistication, and abilities of third-party vendors are also increasing, but there is no assurance that every vendor operates in a manner that protects its clients. To mitigate the risks created by increased dependency on third-party vendors, companies must take a holistic approach to vendor management. It is no longer just the job of the SVM professional to ensure that the “vendor governance house is in order”; it is everyone’s job. Many companies are now forming vendor management councils, led by the vendor management office (VMO) or the Chief Procurement Officer (CPO), to facilitate an enterprise-wide view and management of their most strategic vendors. This is a trend Forrester expects will continue.
Jan Erik Aase is a Principal Analyst at Forrester Research, where he serves Sourcing & Vendor Management Professionals. He will be speaking at Forrester’s Sourcing & Vendor Management Forums in Miami and London in November.