October 11, 2011
Forrester's Security and Risk Management clients often describe the frustration they feel when they are not included in important initiatives until after decisions have been made. Lately, this situation has been especially pronounced among decisions to enter partnership agreements based on service, performance, and cost considerations… with risk management only brought in later to identify and mitigate potential points of exposure.
At the same time, Forrester's Sourcing and Vendor Management professionals find themselves facing their own challenges when it comes to managing the risk of partner relationships. In a Q3 2011 survey of 575 Sourcing and Vendor Management professionals, top concerns related to "X-as-a-service" relationships included the lack of recourse if a vendor fails or goes out of business, the lack of a clear way to assess the risk of a third party, and the inability to manage how providers are handling data. (Source: Forrsights Services Survey, Q3 2011)
In order to bridge this gap, Security and Risk Management professionals need to deliver a streamlined way to insert risk identification, analysis, and evaluation steps within their organization's existing vendor management lifecycle. Forrester customers who have taken this approach – for example, by introducing short, 10-15 question surveys to determine whether more detailed vendor risk assessments are warranted – report better oversight of vendor risk and better involvement in the decision-making process. In some cases, Security and Risk Management professionals have even reported casting a decisive thumbs-down vote to block a new vendor contract because it represented unacceptable risk.
I will be publishing a report describing these and other best practices later this quarter, and I will be presenting this information at Forrester's upcoming Security Forum, November 9-10 in Miami. With a theme of protecting the extended enterprise, this event will also include relevant sessions such as Remote Control: Managing Risk By Auditing Your Supply Chain And Cloud Provider, delivered by my colleague Andrew Rose.
As always, we welcome your thoughts and questions on the subject. Have you seen any unique solutions to deal with the challenges described above?