Managing Vendor Fraud: A Q&A With Protiviti’s Paul Kooney and Dun & Bradstreet’s Tom Cosgrove

Senior-level executives should look to their vendor risk management program to ensure their risk tolerance is clearly defined, aligned with their organization and utilized in reviewing vendors periodically.


A majority of organizations will exit or change (de-risk) relationships with vendors due to heightened risk levels, according to a recent study released by Protiviti and the Shared Assessment Program. The annual survey also found that boards have not yet fully entrenched themselves in managing vendor fraud and security.

FEI Daily spoke with Paul Kooney, Managing Director, IT Security & Privacy Management at Protiviti and Tom Cosgrove, Global Head of Product Strategy, Supply & Compliance at Dun & Bradstreet on the results of the 2017 Vendor Risk Management Survey, the increase in de-risking, and how boards can become more engaged with cybersecurity risk.

FEI Daily: Explain de-risking as it relates to senior-level financial executives across industries.

Tom Cosgrove: When companies refer to de-risking their portfolios, it often refers to a process whereby they evaluate the risks at the portfolio level and then at the individual partner/client/vendor level, and then attempt to “offboard” entities which are not core and are of high risk, or, when critical relationships are flagged to be high risk, make plans to layer in a replacement vendor/supplier that has a lower risk profile.

Paul Kooney: Over half of the respondents to our survey indicated they would be "de-risking" or off-boarding high-risk vendors. That’s a significant number.

In our experience, the majority of organizations do not have a mature off-boarding or termination process to exit vendor relationships. Senior-level executives should look to their own vendor risk management program to ensure their risk tolerance is clearly defined, aligned with their organization and utilized in reviewing vendors periodically. Upon reviewing a vendor, if the company determines that terminating the relationship is the best course of action, the organization’s process should be clearly outlined and documented.

FEI Daily: Why are so many companies planning to de-risk? 

Kooney: The increase in de-risking can be attributed to a few factors, including the seemingly weekly occurrence of high-profile breaches coupled with an influx of new industry regulations that have put third-party risk in the spotlight.

The trend is also a function of the increasing maturity of an organization’s vendor risk management program and a better understanding of the information security risks associated with specific vendors.

Cosgrove: This is a prudent way not only to be in compliance with global regulatory drivers for ABAC and KYC/KYV but also to build in defensible controls and to manage your relative risks. Third-party relationships are constantly evolving and must reflect the realities of our ever-changing global environment and the corresponding changes to the regulatory environment. Companies need to take a risk-based approach, and it is not one-size-fits-all; it must be tailored to the company’s internal policies and the environment in which they operate. By monitoring these third-party relationships against various changes to risk, firms can then take proactive measures to manage risks and to potentially de-risk the portfolio.

FEI Daily: What are the high-risk indicators in those third party vendor relationships?

Cosgrove: These are often based on the industry that the third party is in (cyber security, for example), where they operate geographically, their relative health in terms of viability and likelihood to declare bankruptcy, what services they provide, the importance of their products/services within a supply chain, the size of the financial relationship, etc. Other risk indicators include exposure to government or state-owned enterprises, the criticality of the company within the specific supply chain of the company, sub-tier exposure and ultimately the company’s internal risk appetite and policy.

Kooney: High-risk indicators vary from industry to industry and company to company. Each company's risk tolerance is unique, which translates into different risk indicators in their vendor risk management programs. In many cases, we see companies using different combinations of indicators, such as spend, financial stability, reputation, legal/contractual agreements, as well as IT and security posture.

FEI Daily: What are the biggest changes you’ve seen through the years of doing the study?

Kooney: In comparing this year’s survey results with the 2014 results, we see a tremendous maturity in the categories of “skills and expertise” and “tools measurement and analysis.” These are often the first categories to show improvement after companies make significant investments in their vendor risk management programs.

We see the same trend with our clients. Many have made significant investments in training their vendor risk management staff through formal programs, such as the Shared Assessments Certified Third Party Risk Professional (CTPRP) program and additional internal training.

We have also seen a great number of our clients adopt formal governance, risk and compliance tools to replace manual spreadsheet and Word documents for their vendor risk assessments. These tools, coupled with risk intelligence feeds for both financial and information security, have helped many organizations further automate their vendor risk management programs, leading to more efficient and timely assessments and an increased ability to handle larger volumes of assessments annually.

FEI Daily: Did anything surprise you about the results?

Kooney: Now in our fourth year of conducting this study, we’re developing a better sense of how maturity is changing against the backdrop of an increasingly difficult risk environment.

We were not surprised to see the very measured increase in vendor risk management maturity on an overall basis. That said, we have been impressed with how Insurance/Healthcare Payers as an industry have made such a huge leap in maturity from 2014 to 2017. This industry is now on par with, and in some cases, more mature than the Financial Services industry. We believe this can be attributed to the scrutiny placed on third parties from renewed regulation enforcement in the healthcare and insurance industry coupled with their industry’s focus on the risks posed by sharing access to their data network with external parties.

Cosgrove: Given the criticality of a strong risk governance program, we were surprised that there had not been material improvements to the maturity model as judged by the survey participants. We were also surprised that the vendor exposure to cyber security had not bubbled up to the level required to keep pace with some of the breaches in the news.

FEI Daily: How can boards become more engaged with cybersecurity risk?

Kooney: Boards have become more engaged on the topic of cyber risk already, just not at the level of maturity we see with other areas of business operations (e.g. financial, IT, audit, etc.). The results from Protiviti’s 2017 survey suggest that boards are more focused on their internal security posture than on cybersecurity at their external third parties/vendors (the survey reported a 13 percent differential). We view this as a significant issue – many data breaches take place because of weaknesses in third-party security hygiene.

Boards may require additional education to understand that cybersecurity risks extend based (among other things) on network connectivity, which does not stop at an organization’s physical boundaries. Boards should also be aware of the high correlation between board involvement in and understanding of cybersecurity issues and risk practice maturity, something that our last two studies have confirmed. It is becoming clearer by the frequency of cyber events and regulatory emphasis (NYDFS, GDPR, FFIEC Handbook, and privacy laws) that companies are being held accountable for information security throughout their ecosystem. Continuing education at the board level should be a top priority and should stress the oversight of vendor-related cyber risk.

FEI Daily: Any major takeaways for executives for 2018?

Cosgrove: Board engagement and setting up the appropriate governance model and stakeholder participation remain core to any successful third-party risk program. This allows for the cross-functional collaboration that is critical for companies to have access to critical data that sometimes lives in silos across the enterprise. Board engagement allows for these organizational silos to be knocked down.

Cyber security and cyber threats are on the rise, and companies need to make sure that their programs evolve with these increasing threats. The ability to analyze changes to risks via a consistent risk assessment framework in near real time is critical. It seems from the survey respondents that good strides have been made here, but firms can’t rest on their laurels. The regulatory regimes are driving further action and the risks are becoming increasingly complex, so firms must continue to evolve along with the changing nature of risk.

Kooney: The three key recommendations based upon this year's survey results are to undertake an arm’s length evaluation of your vendor risk management program's effectiveness, focus on your vendor’s vendors, and educate your board about the importance of good vendor risk management.