Any chain is only as strong as its weakest link and the critical digital supply chains that underpin today’s technology-intensive businesses are no exception. Ovum’s recently published report (see Appendix) on the IT vendor risk management (ITVRM) solution market highlights the growing importance of addressing risk and compliance for enterprises and service providers in this domain. Organizations of all types are increasingly relying on third-party digital services to underpin their key offerings, and therefore have to understand and manage risk relating to vendor relationships (as well as to assure compliance within the digital supply chain).
Risk and compliance insight must extend throughout vendor relationships
Ovum believes ITVRM is of growing importance to enterprises and service providers because the IT services they use and provide are ever more central to achieving strategic objectives, increasing the need for management of the risks related to this area of business operations. We also see greater need for these solutions, driven by the complexity and risk around security and privacy and requirements arising from regulations such as the EU General Data Protection Regulation (GDPR).
Most ITVRM solutions combine the elements of procurement "best practice" with a strong risk perspective. Each vendor relationship is typically subject to due-diligence processes and analysis. This usually takes place at the time of the relationship being established, and also periodically during the relationship’s lifecycle, depending on risk factors. The risk perspective can combine assessments of the numerous characteristics of a vendor via publicly available information and questionnaires completed by vendors. Management of this mass of vendor information is one of the main areas where efficiency benefits can be gained from ITVRM solutions.
Increasingly, market intelligence services are also being used to source specialist content for inclusion in risk analysis. These include summarized news information affecting companies’ financial health; security assessments of vendors’ practices, protection, and maturity; and other vendor information relating to areas such as ownership structures (and persons involved), safety credentials, and financial performance. Extending this insight into the digital providers on whom their own third parties rely ("fourth parties" and beyond) is also a requirement on which many ITVRM solutions can deliver.
Third-party risk is a long-understood risk type among the many that enterprises typically manage. ITVRM is a focused solution type, addressing the growing number of specialist risks such as privacy, resilience, and particularly security that burgeon from the diversification of IT delivery models and platforms using third-party suppliers, and the growth of related markets such as cloud platform offerings.
Ovum Market Radar: IT Vendor Risk Management, INT003-000273 (November 2018)
Alan Rodger, Senior Analyst, Infrastructure Solutions