GRACE for Comprehensive Vendor Risk Management

Easy due diligence and proper ongoing monitoring of vendor processes

With most organizations outsourcing their business processes, managing vendor risk has become one of the key concerns today.

With the large-scale outsourcing of critical business processes and services, IT infrastructure and the work-from-home model, cybersecurity and ransomware attacks have gone up by leaps and bounds, compromising customer data and leading to misuse and misappropriation of bank accounts and other sensitive information.

Privacy of information, vulnerability to cybersecurity attacks and business continuity of vendors are the primary risks. A lack of proper policies, procedures and training of vendor staff to manage compliance responsibilities within the vendor organization can also create a direct threat to the firm that outsources the process to them.

Regulators are warning firms about the many risks they see in outsourced entity operations and will hold the organization responsible in case of violations.

It has become imperative for organizations to have a comprehensive strategy for vendor due diligence at the time of onboarding, as well as periodic monitoring of vendors, to ensure that data security management, privacy management, business continuity and incident management (if any) are handled well within each of their vendor firms.

High State of Vendor Risk

Business organizations are now relying heavily on their outsourcing entities to bring down costs and offer efficient customer service in a lot of key processes. As a result, key processes in organizations are being run by vendors.

The biggest vendor risks are privacy of client information, security management, business continuity and process adherence to compliance requirements.

Though the outsourced service provider is responsible for providing the service, the ultimate responsibility for managing risk resides with the organization. Given current economic conditions, vendors and their financial status can also be of concern.

Mandated oversight, detailed regulatory reporting, frequent and rigorous regulator examinations and heavy fines for non-compliance drive the markets. Even where the organization depends on vendors to manage the data for these areas, proving compliance remains the organization's own responsibility.

Client Data Privacy and Business Continuity

A large number of outsourced vendors now manage key systems and client data for firms. This has resulted in a lot of client information being held by vendors and open to compromise if the vendors do not have good security management practices or trained staff who understand its importance and follow the right processes.

Business continuity at these vendor organizations could also be challenged by climate risk, economic downturns and geopolitical situations. Proper Business Continuity Plans and periodic Business Continuity Drills to ensure continuation of business in case of incidents are a must to verify for critical vendors.

A good vendor due diligence process, periodic oversight monitoring and proper contractual agreements to ensure compliance are very important for identifying risks in vendor processes and preventing non-compliance with regulations.

Regulators are increasingly warning that vendor-managed systems are still the responsibility of the organization, and that incidents and violations in vendor organizations will be attributed to the firm when fines are levied.

GRACE Can Help You Monitor Vendor Risks

GRACE Vendor Risk Management helps you build out your database of all vendors (selected, rejected, active and inactive) with information on their locations, contacts, contracts, SLAs, key service level expectations, contract expiry dates and reputation notes to manage your vendor relationships. Vendors can also be classified based on their criticality to the business and the size of the vendor. Risk scores are assigned from vendor due diligence as well as periodic monitoring and are available against each vendor.

Vendor Due Diligence can be conducted with structured questionnaires derived from any preferred framework, such as NIST, CMMC and others, as well as free-format questions. Vendor Portals can be set up for contact people at vendors so they can answer the vendor questionnaires sent to them online. Vendor questionnaires can also be answered by the Vendor Due Diligence group.

Findings from the due diligence process can be risk rated along with comments, supporting documents and analysis, and each finding can be assigned a risk level. Where large risks are seen, they can be added to risk registers or issue tracks for mitigation if the vendor is included as an active vendor.

Calendars can be set up for periodic vendor risk monitoring, and functions can be assigned to vendor due diligence group personnel or sent to the vendor at their portal. Alerts can be sent to the vendor contact owner / alert owner to record data and documents including BCP plans, security postures, SOC 2 reports, incident response plans and others. Risk levels can be assigned to each finding for the risk score and are reported to the risk dashboard.

The Vendor Dashboard provides real-time status, criticality, risks, monitoring calendars and status on each vendor, with easy drill-downs on all information.

Additional modules from GRACE IT Risk Management, such as Incident Management and Asset Inventory, can be included, and the Vendor Portal functions enabled to keep the asset inventory up to date as well as allow vendors to report incidents and their mitigation to the system.

GRACE Vendor Modules

Identify Vendor Risks Early to prevent Violations and Risks

Build your Vendor Database

  • GRACE allows you to build good oversight and a continuous process for monitoring all your vendors by building your vendor database
  • It helps you keep and manage information on each of your vendors: their status, locations, contacts, services, contract documents, Service Level Agreements and reputation in the market, and create a risk score for them
  • It helps you identify risks in their processes and prevent non-compliance with regulations such as GDPR and the California Privacy Act, which is necessary for all organizations
  • Keep this information updated for easy access

Conduct Vendor Risk Assessments

  • GRACE can help you set up standardized questionnaires that can be sent to various types of vendors for comprehensive due diligence. These help you identify the maturity of their security management process, client data management, business continuity and disaster recovery processes, as well as their adherence to the compliance requirements of the organization.
  • Calendars for assessments can be set up and alerts for follow-up can be received.
  • Risk assessment questionnaires can be sent online to collect information
  • Findings can be analysed and risks recorded based on their risk level to the organization

Establish Vendor Management Policies and Procedures

  • The organization's compliance team can establish and manage vendor management policies and procedures, including review, release and versioning
  • Through online attestation, the policies and procedures group can ensure all vendor management staff are aware of what the organization expects from its vendors.

Conduct Ongoing Vendor Monitoring

  • GRACE can help you set up periodic monitoring calendars where risk questionnaires gather information on vendors' business continuity, security practices, incidents and other areas to identify early warnings of compliance violations

Track Incidents

  • GRACE provides online forms for incident reporting by vendors
  • When incident information is received through the alert, mitigation tasks have to be set up and managed to closure. GRACE enables these functions and helps monitor vendor incidents through the Incident Dashboard

Vendor Risk Management

  • Identify high-risk areas in vendor processes from the risk assessments and periodic monitoring
  • Create and assign risks and issues to staff to define mitigation, and create tasks for follow-up with the vendor to ensure the risk is mitigated
  • Enable risk and task status reporting by the responsible person into the GRACE repository to keep track of mitigation status. Use the Vendor Risk Dashboard to manage effectively across vendors.

Use Vendor Dashboard to Monitor High Risk Vendors

  • The GRACE Vendor Dashboard enables the organization to quickly identify vendors by their level of risks and incidents and build strategies to ensure vendor risks are mitigated or alternative vendors are considered.
  • The Incident Dashboard allows monitoring of incidents, their severity and the status of tasks for incident closure.

Online Portal for Vendors

  • GRACE can provide secure access for vendors to report their incidents and answer risk assessment questionnaires, helping to close out monitoring.

Enormous Cost Savings

Enormous cost savings in unnecessary labor for audits and examinations, avoidance of regulatory fines, legal costs and reputation risks, and empowerment of the organization in managing risks.

The Great Value You Get from Using GRACE Vendor

Identify Vendor Risks Early to prevent Violations and Risks

Comprehensive monitoring of Vendors

Ensuring an organized, ongoing and comprehensive review of vendors can help identify risks and manage corrective action early.

Risk reporting becomes Online and Real time

With integrated web-based access anytime, anywhere, there is no need for separate risk reports on vendors to be generated for presentation to senior management.

Keeps Vendors on Track

Diligent follow-up and identification of risk pushes vendors to deliver safety and security for the information they manage and to improve their processes.

Regulatory examinations can be handled with confidence

The GRACE system becomes the proof of the organization's vendor risk management practice when facing regulatory examinations.

Clear Accountability

By making risks visible, with the ability to drill down to the status of mitigation, accountability for vendor risk management can be established and monitored.

Organization Ownership of Data

Organizations suffer when key risk and compliance staff leave. Information maintained solely by individuals is scattered, lying on disks in various forms. GRACE becomes the single central repository of documents, data and processes, enabling continuity even when key people leave the organization.

Early awareness of Risk Trends

Trends of risk in vendors can be identified very quickly with visual analytics, dashboards and drill-downs to prevent them from becoming a high risk to the organization.

Single Source of Truth for the Organization

With all documents, data, reviews, audit trails, analytics and easy-to-use queries and reports, GRACE becomes the central repository and Single Source of Truth on vendors for the organization.

Latest News

Annual Eversheds Sutherland Analysis of FINRA Disciplinary Actions Shows Huge Surge in Financial Sanctions

All information quoted from the article. March 8, 2022: Eversheds Sutherland has completed its annual study of the disciplinary actions reported...