The Secret Ingredient for Effective Vendor Risk Management
Marc Lotti
Just a few years ago, companies ran their own payroll, benefits, recruiting, marketing, and mainframe departments. But times have changed. In the current platform economy, almost every aspect of a company’s operations can be outsourced efficiently. The result is that companies interact with countless vendors daily.

But this change is a double-edged sword – while it increases efficiency, it also significantly increases risks from cybercrime. Companies now face an unprecedented level of vendor risk.

Today cybercrime is everywhere, impacting businesses and individuals across the globe. High-profile data breaches stemming from security lapses at vendors have proven that a vendor’s cyber risk becomes the client’s cyber risk. Businesses today must establish an effective vendor risk management program to protect their business, clients and employees.

Yet things are not always that straightforward. Conducting a vendor risk assessment efficiently and cost-effectively in-house is anything but simple. And relying on yet another vendor – a software as a service (SaaS) provider specifically designed for third-party vendor risk management – is often insufficient.

The Woes of In-House Vendor Diligence

Companies that recognize the need to conduct vendor due diligence often first attempt to do so in-house. They set aside time, person-hours and funds to get the job done. In the end, however, they find themselves beyond frustrated.

  1. Time-consuming work – An annual due diligence review of a single vendor can take 12 hours or more, depending on the depth of the review and type of service the vendor provides. To obtain a truly accurate and contextual profile of risk, a review must consider not just the vendor, but its service sector and the service itself. There is no shortcutting any part of this process; a thorough and accurate review is essential for identifying the risks unique to the relationship between a company and its vendor.
  2. Staff resources – As if this weren’t burdensome enough, the drain on staff is significant. Employees are pulled away from their normal duties to perform work outside their realm of expertise, when their time and skills could be better used elsewhere. Due diligence documents must be scoured for adequate scope and control, not to mention the follow-up on missing answers and requests for clarification – all of which are a tremendous drag on productivity.
  3. Increasing vendor burden – At the same time, the vendors themselves may be overwhelmed by all the requests they receive. Imagine the time and resources required to answer a vast variety of questions from possibly thousands of clients. Doing so can draw their attention away from providing services at the quality and vigilance their clients deserve.

Considering all of this, it’s no wonder the third-party vendor risk assessment process is rife with inefficiencies, frustration and, most importantly, missed risk indicators.
Why Software Alone is Not Good Enough

Some companies believe this problem can be solved by a SaaS-based vendor risk assessment solution. After all, shouldn’t technology eliminate the frustration of manual diligence? Shouldn’t it speed up the process?

Simply put, these solutions cannot capture the full range of vendor risks present. Essentially, these solutions amount to an automated series of questions, sometimes with default risk categorizations, but not much more. They don’t provide the critical thinking required to “peel the onion” and perform a deep-dive analysis of vendor responses.

And on the vendor side, these solutions provide no relief at all. Vendors still need to answer the same questions, again and again, from client after client. They’re still distracted from providing their core services. They’re still tempted to provide glossed-over responses that hardly benefit the process in the long run.

The Secret Ingredient? People

The real solution to effective vendor management must include a key element: people. Specifically, people empowered with the knowledge and expertise of the vendor risk management process who employ the right tools to aid all sides in the process.

ACA’s vendor management outsourcing service (VMOS) is managed by a team of information security risk analysts who can address all pieces of the puzzle: the people, the process, and the technology.

VMOS is a people-powered clearinghouse that offers risk management professionals:

  • An independent and centralized platform for managing vendor risk.
  • Standardized processes, Smart DDQs with the ability to monitor risks almost hands-free, and a path for documenting and remediating outstanding issues – all in one convenient place.
  • A broad knowledge base with coverage against well-respected control frameworks (e.g., CIP, CIS, COBIT, ISO, etc.) and against regulatory mandates (e.g., FCA, FERC/NERC, FINRA, HIPAA, GDPR, etc.), making it one of the most robust relational control and compliance databases available.
  • A streamlined process with accurate risks that are ranked meaningfully and are published for clients to review, override, and accept.
  • A platform used by cybersecurity and third-party risk specialists who hand-select appropriate libraries to construct questionnaires, personally send reminders, and evaluate responses with an experienced, critical perspective.
  • A process run by humans. It is led by people who specialize in vendor risk management, understand the right questions to ask, and have the know-how to go beyond the surface to get real, meaningful responses.

The benefits are immense to both clients and vendors:

  • Vendor due diligence is streamlined. The clearinghouse concept accelerates client due diligence because the vendor has answered most of the questions already; any incremental changes or new questions take very little time to process.
  • Vendor management costs are reduced by up to 67.5%.
  • Diligence time is reduced from an average of 12 hours to an average of 30 minutes.
  • Vendors are no longer overwhelmed. Now they can answer and manage Smart DDQ™ responses much more efficiently and accurately and don’t have to respond to thousands of client inquiries.
  • People (VMOS staff) provide much more effective results. They can manually probe risk areas that clients with limited resources do not have the time, and possibly the expertise, to examine.

The Right Solution to Manage Vendor Risk

Gone are the days when companies handled all their operations in-house. In this complicated business world, using trusted vendors is essential. But with increased efficiency comes increased risk – assessing the security of those vendors is essential.

Doing that entirely in-house is inefficient, costly and ineffective. Solely relying on software as a solution doesn’t do the trick either.

The key is a human-centered approach that combines expert diligence professionals powered by a vendor management clearinghouse system. Using that approach gives companies the true secret to effectively managing third-party vendor risk.

How We Help

ACA’s vendor management outsourcing service (VMOS) provides a combined white-glove service and technology solution that allows your firm to offload the vendor due diligence and risk assessment process. Our team of experienced information security risk analysts can administer due diligence questionnaires (DDQ), analyze DDQ responses, identify vendor risks, and report on results so your company can focus on more strategic tasks. Our tailored DDQs include over 300 questions and are customized for each vendor type to provide an accurate assessment of possible risks. Our service also includes a vendor management platform that allows you to track progress and view findings.

For more information, contact or your ACA consultant.

About the Author

Marc Lotti, CGEIT, PMP, is a Partner at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Prior to ACA’s acquisition of the firm, Marc served as Chief Operating Officer of Aponix Financial Technologists, which he cofounded. He invented and funded UFlexData, a turnkey cloud IaaS platform for SMBs, while in a leadership role at Mandragore, a boutique consultancy firm he founded. Marc has had a notable career in financial technology, risk and governance, having worked for Goldman Sachs, Merrill Lynch, American Express and Fuji Securities, among other financial firms since the early ’90s.

Marc earned his Bachelor of Arts degree in Economics from Stony Brook University and his MBA from the Thunderbird School of Global Management. In addition, he is a Project Management Professional (PMP®) and certified in the Governance of Enterprise IT (CGEIT).