How to Remove the Pain from Vendor Due Diligence

Vendor risk management is not easy. If your role involves reaching out to vendors for security due diligence, you’re probably nodding your head in agreement vigorously. If your company doesn’t have a dedicated resource and you’ve been tasked with the job, you might be scratching your head nervously, or possibly pulling your hair out. There’s a lot of pain involved.

The Pain of Third-Party Risk Management

The process of performing vendor due diligence takes hours and hours. For dedicated third-party risk management personnel, the process is detailed and painstaking, and there’s never enough time to do all that has to be done. For staff who’ve been “volunteered,” it typically takes over 12 hours to perform diligence for just one vendor, time taken away from regular responsibilities (which typically do not simply disappear).

It’s not easy for employers either. They still have to make sure core work is being done. They have to support employees doing difficult, if not unfamiliar, work with a lot at stake. And they have to make sure the process doesn’t eat voraciously into the budget. Some companies quote the cost for processing a vendor due diligence questionnaire (DDQ) in the $20,000 range. That’s for one vendor!

And if you’re that one vendor, woe to you as well. You’d rather provide your core services than spend time answering questions – those same questions, again and again, from all your clients.

The Pain of Not Doing Third-Party Risk Management

Yet the pain of not doing thorough third-party risk management is even worse. Breaches stemming from third-party failure are among the most common and expensive of all security breaches. Recent reports have shown that for large enterprises, the top five breaches involved targeted attacks stemming from third-party access (with consequences of over $1.10 million), while for small to medium businesses, incident costs stemming from third-party-related breaches typically reached over $110,000.

The cost of breach recovery can likewise be staggering, averaging from $120,000 to $1.23 million per breach. Not to mention the regulatory and reputational costs.

The Vendor Management Pain Relief Solution

ACA’s vendor management outsourcing service (VMOS), provides a better way. ACA's VMOS acts as a clearinghouse for managing vendor risk. It provides firms with standardized, streamlined processes, “Smart DDQs^™,” with the ability to monitor risks almost hands-free, and a path for documenting and remediating outstanding issues — all in one centralized platform.

ACA’s vendor risk management clearinghouse is run by a team with vendor risk management expertise that understands the right questions to ask and knows how to get beyond the surface to achieve real, meaningful responses. This team takes responsibility for managing the entire due diligence process, freeing clients from pursuing vendors, and vendors from answering the same questions thousands of times.

The benefits are immense:

• Diligence time is reduced from an average of 12 hours to an average of 30 minutes.
• Due diligence is streamlined, because the vendor has answered most of the questions already, so any incremental changes or new questions take very little time to process.
• Vendor management costs are reduced by up to 67.5%.
• Results are more meaningful, with ACA's VMOS experts knowing how and where to probe for accurate responses and risk categorization.
• Diligence pain is gone. Clients can focus on their work. Vendors can focus on their work. Regulators are satisfied. Companies are more secure.

Vendor Risk Management Clearinghouse: Removing the Pain From Due Diligence

The pain of vendor risk management due diligence is real. Companies spend countless hours and money chasing vendors for responses, and there’s never enough time to do it all. Vendors spend countless hours answering the same questions from their many clients and are tempted to gloss over or avoid responses. Yet the financial, regulatory and reputational costs of breaches stemming from third-party diligence failure are even more painful to bear.

ACA's VMOS provides an effective solution to all that pain. Its independent and centralized platform provides firms with standardized, streamlined processes. It slashes time and cost. Its world-class team of analysts lets you hand over the burden of high-quality reviews at an otherwise unattainable price point.

So, tell your employees to breathe a sigh of relief. Those dedicated to third-party risk management can nod their heads with satisfaction at having the time, resources, and help to get the job done right. Those previous “volunteers” can get back to their regular jobs and leave their poor hairlines alone. With ACA's VMOS, the pain of vendor risk management has been completely removed.

How We Help

ACA’s vendor management outsourcing service (VMOS) provides a combined white-glove service and technology solution that allows your firm to offload the vendor due diligence and risk assessment process. Our team of experienced information security risk analysts can administer due diligence questionnaires (DDQ), analyze DDQ responses, identify vendor risks, and report on results so your company can focus on more strategic tasks. Our tailored DDQs include over 300 questions and are customized for each vendor type to provide an accurate assessment of possible risks. Our service also includes a vendor management platform that allows you to track progress and view findings.

For more information, contact info@acaaponix.com or your ACA consultant.

ACA Vendor Management Resources

The following ACA resources are available to help you navigate the complexities of vendor risk management:

• Webcast: Vendor Risk: Due Diligence, Scaling, Analysis, and Ongoing Oversight
• Case Study: ACA's Vendor Management Outsourcing Service for a Global Private Equity Firm
• White Paper: Small Banks, Big Regulations: How Credit Unions and Small Banks Can Use a Value Approach for Third-Party Vendor Risk Management
• Blog: Taking Control of Vendor Risk: A 6-Step Approach
• Blog: The Team Approach to Managing Vendor Risk

About the Author

Marc Lotti, CGEIT, PMP, is a Partner at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Prior to ACA’s acquisition of the firm, Marc served as Chief Operating Officer of Aponix Financial Technologists, which he cofounded. He invented and funded UFlexData, a turnkey cloud IaaS platform for SMBs, while in a leadership role at Mandragore, a boutique consultancy firm he founded. Marc has had a notable career in financial technology, risk and governance, having worked for Goldman Sachs, Merrill Lynch, American Express and Fuji Securities, among other financial firms since the early ’90s.

Marc earned his Bachelor of Arts degree in Economics from Stony Brook University and his MBA from the Thunderbird School of Global Management. In addition, he is a Project Management Professional (PMP®) and certified in the Governance of Enterprise IT (CGEIT).