The Evolution of Risk Management

March 15, 2019

Over the past few years, the risk management and vendor security landscapes have changed drastically. After the financial crisis of 2008, it became clear that some of our strongest industries and institutions were at risk, along with their vendor and supplier partners, because of gaps in how information and data were shared. Later, regulations such as the 2009 HITECH Act, which strengthened HIPAA enforcement and tied incentives to the meaningful use of healthcare information technology, and the third-party risk management guidance that U.S. banking regulators issued in 2013 (for example OCC Bulletin 2013-29), which set out how financial institutions must oversee their vendors, took security a step further by focusing on the technical side of business relationships.

Today, the vendor risk management (VRM) lifecycle is far more complex and involved. Those regulations were only the tip of the iceberg of federal involvement, especially as more and more corporate relationships move online through the cloud. Here, we’ll explore the evolution of risk management and how the increasingly complex cloud space is changing this security landscape for good.

The Transition to Cloud Connectivity

One of the biggest shifts in the way companies do business, and in the way risk is managed, came with the global move to cloud computing. Unlike a few years ago, the parts of a business are no longer isolated from one another: systems, data and processes are interconnected, which makes risk management far more complex. That connectivity extends to third-party vendors, which are necessary to serve the varying needs of customers, so a weakness at a vendor becomes an exposure for the company that relies on it.

Throughout this evolution, the makeup of the corporate security team has also changed. There has been a steady rise in the hiring of Chief Information Security Officers (CISOs), Chief Security Officers (CSOs) and Chief Risk Officers (CROs), along with team members dedicated to keeping corporate data and information safe. That remit includes keeping vendor and third-party data secure as well.

New hires are not the only additions to this cloud-based risk landscape. New solutions, strategies and frameworks have also entered the conversation to help security teams operate more efficiently, identify risk earlier, and ensure that nothing slips through the cracks.

Introducing the New Vendor Security Landscape

For many corporate security teams, VRM strategies fall into a ‘traditional’ bucket and a ‘modern’ bucket. While almost all security teams take proactive measures to complete the traditional checks, those checks alone are no longer sufficient in the modern world of risk management. Security teams must look at the larger puzzle, weighing inherent risk (the exposure a vendor creates before any of its controls are considered) against residual risk (what remains once the vendor’s controls have been verified), to get a complete picture of security and compliance.

The following table contrasts traditional VRM with a complete VRM strategy. On the traditional side, vendor security assessments and information security policy reviews cover your bases, to an extent. A complete, cloud-optimized vendor security review is needed to address and verify specific aspects of a modern risk management ecosystem, and, as the visual below shows, traditional solutions and tools cannot keep up with these needs.

According to McKinsey, managing third-party risk in a changing technological climate also involves:

  • Segmentation and organization of vendors
  • Rules-based due diligence (and evidence of third-party due diligence)
  • Post-contract compliance management and transparency
  • Clear guidelines for governance and escalations
  • Comprehensive technology and modern tools
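To make the first four items above, and the inherent-versus-residual distinction from the previous section, concrete, here is a worked example of what they look like once they are written down as rules rather than left as judgment calls. This is an added illustration, not Whistic’s code or McKinsey’s framework; the weights, thresholds, evidence names and the three sample vendors are constructed assumptions that a real program would calibrate to its own risk appetite.

```python
"""Rules-based vendor tiering for a VRM program (illustrative example).

Inherent risk is scored from what a vendor touches (data, access, integration);
the score selects a due-diligence tier; the tier fixes the evidence the vendor
must produce; residual risk is what remains after verified control evidence is
credited. Every weight, threshold and sample vendor here is a constructed
assumption, not a published standard.
"""
from dataclasses import dataclass, field

# Inherent-risk inputs. Lookups are strict on purpose: an unknown category
# raises KeyError instead of silently scoring as zero risk.
DATA_WEIGHTS = {"public": 0, "internal": 1, "PII": 3, "PHI": 4, "PCI": 4}
ACCESS_WEIGHTS = {"none": 0, "read": 1, "write": 2, "admin": 3}
INTEGRATION_WEIGHTS = {"none": 0, "file_transfer": 1, "api": 2, "cloud_hosted": 3}

# Segmentation: tier thresholds on the 0..10 inherent score, highest first.
TIERS = [(8, "critical"), (5, "high"), (3, "moderate"), (0, "low")]

# Rules-based due diligence: evidence each tier must produce before approval.
REQUIRED_EVIDENCE = {
    "critical": ["questionnaire_full", "soc2_type2", "pentest_12mo"],
    "high": ["questionnaire_full", "soc2_type2"],
    "moderate": ["caiq_lite"],
    "low": ["self_attestation"],
}

# How much verified control evidence reduces the inherent score (assumed weights).
CONTROL_CREDITS = {"soc2_type2": 3, "pentest_12mo": 2, "questionnaire_full": 1,
                   "caiq_lite": 1, "encryption_at_rest": 1, "sso_mfa": 1}

# Post-contract compliance: reassessment cadence per tier, in days (assumed).
REASSESS_DAYS = {"critical": 180, "high": 365, "moderate": 730, "low": 1095}


@dataclass
class Vendor:
    name: str
    data_classes: set          # which DATA_WEIGHTS categories the vendor handles
    access: str                # ACCESS_WEIGHTS key
    integration: str           # INTEGRATION_WEIGHTS key
    evidence: dict = field(default_factory=dict)  # evidence key -> verified?


def inherent_risk(v: Vendor) -> int:
    """Exposure before any controls: most sensitive data + access + integration."""
    data = max((DATA_WEIGHTS[d] for d in v.data_classes), default=0)
    return data + ACCESS_WEIGHTS[v.access] + INTEGRATION_WEIGHTS[v.integration]


def tier_for(score: int) -> str:
    """Map an inherent score to the first tier whose floor it reaches."""
    return next(name for floor, name in TIERS if score >= floor)


def residual_risk(v: Vendor) -> int:
    """Inherent score minus credits for evidence that has been verified, floored at 0."""
    credits = sum(w for key, w in CONTROL_CREDITS.items() if v.evidence.get(key))
    return max(0, inherent_risk(v) - credits)


def assess(v: Vendor) -> dict:
    """Full decision record: tier, missing evidence, residual risk, escalation."""
    score = inherent_risk(v)
    tier = tier_for(score)
    missing = [e for e in REQUIRED_EVIDENCE[tier] if not v.evidence.get(e)]
    return {
        "vendor": v.name,
        "inherent": score,
        "tier": tier,
        "missing": missing,
        "residual": residual_risk(v),
        "reassess_days": REASSESS_DAYS[tier],
        # Governance rule: anything missing required evidence escalates
        # rather than being approved on residual score alone.
        "status": "escalate" if missing else "approved",
    }


def segment(vendors) -> dict:
    """Group vendor names by tier so each segment gets the matching workflow."""
    out = {name: [] for _, name in TIERS}
    for v in vendors:
        out[tier_for(inherent_risk(v))].append(v.name)
    return out


# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = [
    Vendor("PayrollCloud", {"PII", "PCI"}, "write", "cloud_hosted",
           {"questionnaire_full": True, "soc2_type2": True, "pentest_12mo": False,
            "encryption_at_rest": True, "sso_mfa": True}),
    Vendor("DevAnalytics", {"internal"}, "read", "api",
           {"caiq_lite": True, "sso_mfa": True}),
    Vendor("OfficeSnacks", {"public"}, "none", "none",
           {"self_attestation": True}),
]

if __name__ == "__main__":
    print(segment(SAMPLE_VENDORS))
    for vendor in SAMPLE_VENDORS:
        print(assess(vendor))
```

Two things the example makes visible that a questionnaire alone does not: the evidence a vendor owes is a function of its segment, so a critical vendor with a strong residual score still escalates when a required artifact is missing (here, a recent penetration test), and residual risk never drops below zero, so stacking certifications cannot make a high-exposure vendor look safer than a vendor that touches nothing sensitive.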

How to Stay On Top of Vendor Risk Management

While it’s tempting to take modern risk management strategies at face value, this industry is constantly changing and its evolution is not finished. That means the basic components of VRM, such as security questionnaires and assessments, will keep evolving too.

As one of the only purpose-built vendor risk management software platforms, Whistic is committed to being an innovator in the space and paving the way for this continued evolution. That is why we’ve teamed up with our partner Cloud Security Alliance to co-write a streamlined Consensus Assessments Initiative Questionnaire, CAIQ-Lite. As an InfoSec leader or security team member in this cloud-based security landscape, staying open, engaged and innovative is the only way to remain secure and compliant.

Want to learn more? Request a live demo with a Whistic Product Specialist, or check out the resource below for more on conducting vendor assessments and responding to security reviews in one platform.


Why Third Party Security is Critically Important
