Future of Sourcing - Participatory Compliance http://futureofsourcing.com/tags/participatory-compliance en The Importance of Participatory Compliance with Your Critical Vendors http://futureofsourcing.com/the-importance-of-participatory-compliance-with-your-critical-vendors <div class="field field-name-field-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even" rel="og:image rdfs:seeAlso" resource="http://futureofsourcing.com/sites/default/files/articles/Participatory%20Compliance.jpg"><img typeof="foaf:Image" src="http://futureofsourcing.com/sites/default/files/styles/juicebox_medium/public/articles/Participatory%20Compliance.jpg?itok=V3eFZSZq" width="624" height="325" alt="Actively participate in anticipatory compliance activities to monitor risk." title="" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"> <p>In a recent interview for a technical blog, I mentioned that I heard keynote speaker former U.S. Attorney General John Ashcroft (at the 2016 Securities Industry and Financial Markets Association&rsquo;s (SIFMA) Internal Auditors Society conference) reference that organizations should prepare to adopt what he called &ldquo;anticipatory compliance.&rdquo; This concept involves outsourcers being able to demonstrate that they are actively anticipating, studying and acting on perceived threats (cyber and otherwise) both internally and with their outsourced business partners. 
Over the years I&rsquo;ve advised organizations to heed this advice and, in further reviewing the increasing regulatory landscape here and abroad, I&rsquo;d like to further recommend the adoption of what I&rsquo;ve termed &ldquo;participatory compliance&rdquo; particularly when it comes to managing outsourced relationships with your key business partners.&nbsp;</p> <p>Participatory compliance means that not only should your organization adopt the concept of anticipatory compliance, but you should also actively participate in anticipatory compliance activities to monitor the vendor&rsquo;s resiliency to business disruption events.&nbsp;</p> <p>It&rsquo;s important to note that with an ever-changing threat landscape, participatory compliance goes beyond performing periodic risk reassessments and even continuous monitoring of your critical vendors and business units. The vendor must demonstrate its ability to continue to support the vital outsourced business processes in the event of disruptions. Business resiliency should be demonstrated for the many flavors in which disruptions come, such as cyber threats and manmade or natural disturbances. The reason for actively scrutinizing vendor resiliency is that far too often I&rsquo;ve seen organizations perform a simple due diligence activity (usually a one-time risk assessment) and then not put forth the effort to monitor their overall security, privacy and resiliency posture on an ongoing and even continuous basis. 
For instance, in the U.S., <a href="https://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/risk-management/ongoing-monitoring.aspx" target="_blank">financial regulators</a> clearly mandate:&nbsp;</p> <ul> <li>Continuous monitoring of vendors to ensure the vendor is actively addressing perceived threats, outages and similar events, and working with the outsourcer to anticipate them; and&nbsp;</li> <li>&ldquo;Plausible and realistic&rdquo; testing, performed and documented by both the outsourcer and the vendor.&nbsp;</li> </ul> <p>Additionally, U.S. regulators overseeing multiple industries have alluded to the fact that they&rsquo;re ready to tip the scales by requiring organizations to <a href="http://outsourcemag.com/a-spoonful-of-digital-helps-the-governance-go-down" target="_blank">document evidence</a> of their participation in cyber and business resiliency drills with their key vendors. This is where participatory compliance comes into play.&nbsp;</p> <p><strong>So, what exactly does this mean for your organization?&nbsp;</strong></p> <p>You should inquire with your organization&rsquo;s business units and business continuity teams to understand their resiliency strategies around critical processes, especially those that involve key vendors. Key vendors are those that have been identified during the risk evaluation as supporting your organization&rsquo;s most critical business processes (i.e., the ones whose failure can mean catastrophic losses to your organization in revenue, market or reputation). 
The resiliency strategies should include: a schedule for testing critical processes and activities and the exercises that the teams will go through; a list of who will participate; pre-determined remediation measures (to the extent feasible); and what reporting will be provided and to whom.&nbsp;</p> <p>If you have any role in <a href="http://outsourcemag.com/minimizing-risk-in-the-outsource-model" target="_blank">third party risk </a>or ensuring compliance to business continuity or <a href="http://outsourcemag.com/node/959" target="_blank">cyber activities</a>, it is recommended that you request the option to participate in those resiliency activities. You should at least have the ability to passively &ldquo;monitor&rdquo; or review the results of their activities once they&rsquo;re complete.&nbsp;</p> <p><strong>Benefits of Participatory Compliance&nbsp;</strong></p> <p>Understanding the benefits of applying participatory compliance to your organization shows the dividends this approach can pay.&nbsp;</p> <p>First, participatory compliance allows you to liaise more closely with the business unit and the vendor. This closer relationship management provides a better understanding of what the business process is, the data involved, where the processing is taking place, and whether the vendor is up to the task of supporting them in the event of a disruption and can meet key resiliency metrics, such as its Recovery Process Objectives (RPOs) and Recovery Time Objectives (RTOs). 
By better understanding the critical processes and the activities involved, and then applying this knowledge in a more focused assessment, you gain greater value enterprise-wide from your ongoing assessments of the business unit-vendor relationship.&nbsp;</p> <p>Second, by allowing a &ldquo;separate set of eyes&rdquo; to witness the exercise, you gain the opportunity to add value to the business unit and the vendor that may reach beyond the limits of the information that lies within internal audit&rsquo;s purview. Historically, both outsourcers and vendors have had the tendency to be hesitant in openly sharing such exercise results with internal audit; however, they may be more open to sharing them with vendor assessment teams, often soliciting advice for remediation or assurance that their activities are within the risk control tolerances defined by the outsourcer.&nbsp;</p> <p>And finally, if any continuity or recovery issues were identified through a previous assessment, participatory compliance gives the business unit (and assessment staff) a new opportunity to track the progress of, and close out, the open issues or observations from that assessment.&nbsp;</p> <p>The concept of participatory compliance is really nothing new; it simply needs to be more actively embraced and better defined within outsourcer and vendor policies and procedures. By embracing, promoting and performing participatory compliance activities, your organization is placed in a better light with regulators and other external assessment bodies. 
Participatory compliance also demonstrates to your board of directors and relevant C-suites your willingness and openness to work with key business units and vendors in addressing your organization&rsquo;s ongoing concern regarding cyber and other business resiliency threats.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/tags/participatory-compliance" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Participatory Compliance</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/third-party-risk-management" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Third Party Risk Management</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/cyber-risk" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cyber Risk</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/recovery-process-objectives-rpos" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Recovery Process Objectives (RPOs)</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/recovery-time-objectives-rtos" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Recovery Time Objectives (RTOs)</a></div></div></div><div class="field field-name-field-region field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Region:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/regions/global" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Global</a></div></div></div> Fri, 25 May 2018 18:22:28 +0000 Tom Garrubba 1182 at http://futureofsourcing.com http://futureofsourcing.com/the-importance-of-participatory-compliance-with-your-critical-vendors#comments