15 April, 2023
Recently I had the pleasure of speaking and attending the 16th GFMI Third Party Vendor Risk Management for Financial Institutions. https://marcusevans.com/conferences/tprmvendor/
This was a fantastic event and I really learned a lot from the people there. We also had many great thought-provoking conversations during and after the daily agenda.
In my experience, the last day at a conference has typically been very weak. Many people have already left, it’s late in the week and folks are thinking about home and how to get there, and the cleaning crew is breaking down the venue for the next group coming in. This time I was able to stay and attend the last day. I’m very glad I did.
The last two conversations were also incredibly helpful. We talked with Timothy Geishecker from the Federal Reserve Board (Policy Lead). He led a great conversation regarding the issues that FIs face in securing the supply chain. We also talked with Robert Wilkinson, the CEO of Cyber Marathon Solutions.
Several times throughout the conference the idea of continuous monitoring and its use to curb or reduce the heavy lift of traditional assessments was discussed. Earlier in the week, Brenda Ferraro from Wells Fargo brought up the implementation of that idea and the idea that you really only need the delta of the assessment + the continuous monitoring + new requirements. Robert brought up the idea again that if you have a supplier that you continuously assess, why are you annually fully assessing as well.
The implication is that you have a mature enough program to be able to constantly assess (I don’t like the term “continuous” because it gets used to describe quarterly, annual, weekly, or other ongoing monitoring and detracts from the idea of constantly monitoring the supply chain. We should be thinking of it similarly to the way many constantly monitor their in-house systems), and so a one-size-fits-all annual assessment is largely redundant and therefore of lesser value. It becomes busy work with not much return for the investment.
Self-assessments (SOC, SIG, etc.) also came up. Several are very tired of that type of assessment as it doesn’t give you a good look at the risk in line with your own risk appetite. Take for example KY3P – it seemed a good idea at the time, but the execution has not played out very well. Many have tried to make it work but were unable to get the information they needed, for a variety of reasons. I don’t see them going away, but I also don’t see them providing the value they promised, especially for the critical supplier.
One of the bigger issues I see is that companies have to mature their program to the point they can consume that information in a meaningful way. Companies like Mirato are playing in that space – their goal is to help you consume that vast quantity of data and turn it into actionable information.
But you know me. I’m a fan of the basics executed well. Do you have a good inventory? Are you collaborative with your suppliers? Do you have the data to make the decisions you need to make? If not, why not? Let’s focus on the basics while we begin to also look to the future of a working ability to identify and remediate risks in the supply chain.