Pub. 6 2017 Issue 2
Leading advocate for the banking industry in Kansas

WHAT IS VENDOR RISK?
By Leticia Saiid, Security+, CoNetrix

ASSESSING RISK is all about extrapolating meaning from potential. In other words, look at what could happen and consider how those things would affect you. The process can be as complicated or as simple as you choose to make it. At the end of the day, risk assessments are a way to become aware of potential issues and of the controls that alleviate those dangers. You do not have to think of every potential scenario. In fact, considering what is common covers the majority of threats.

With regard to risk management, there is a balance between a thorough program and a sufficient program. Reams of data and calculations are useless if they do not convey a message that improves your risk posture. Remember, the risk assessment is merely a means to the goal, which is ultimately understanding and improvement.

What about vendor risk assessments?
How do inherent and residual risk work when considering vendors who provide their own controls? I will not be so bold as to say that inherent and residual risk do not apply when assessing vendors. I will say the perspective is quite different. For vendors, there is inherent risk that comes with particular services. Is that something you need to assess and document? Let me describe something I like to call "Translated Risk."

Translated risk is the risk you take on when you receive service from a vendor. Of course, you could apply controls, such as reasonable user requirements, to reduce certain kinds of risk. However, in most cases, you cannot reduce a vendor's own risk. You simply manage existing risk, or in other words, perform vendor risk management. You monitor the vendor's control reporting to ensure you are aware of any substantial changes. Every time you receive a new due diligence document, review it and compare it with the previous version. Have things improved or worsened?
Did the vendor have good marks or bad? These reviews will help you decide whether you should reevaluate the translated risk you previously determined.

Why do I need this information?
You need this information so you are aware of the risks you face. If there is a lot of risk, that is okay; you may have a high risk tolerance. What is not okay is taking on unknown risk. When you know about your vendors' risk and control management, you are more capable of determining whether the vendor is the right fit for you, and whether you should continue the relationship or end it. This is your vendor risk management.

How thorough should I be to achieve accuracy?
All ratings are subjective. Yes, even after several advanced calculations and reviews. If you like your vendor, you are more likely to say the risk is low instead of medium, and you will be able to come up with plenty of reasons to justify the rating. If you dislike a vendor, you are more likely to say the risk is medium instead of low, even with the exact same vendor. You still could come up with reasons to justify your position. Questions and review categories will not eliminate this. All questions and categories have been created by humans, and all humans are biased, be that you or someone else. With this in mind, you need to find a balance between rating based on gut feelings, which are often quite accurate, and rating based on predetermined calculation systems.

How do I find this "balance"?
Finding balance has a lot to do with your personal learning style. I have a habit of saying, "They see the world differently," to explain why people manage information in different ways. Some of us are narrative oriented, whereas others are task oriented. There is not a right way; you just have to find your way. So, focus on the goal. Be aware of what risk applies to you. If you can do this with some simple risk categories and ratings, great. If you need a list of specific questions to help guide you, that's great too.
Keep in mind, tools like questions and categories are simply a means to an end. Ratings are not risk assessments. You must continually work toward understanding and improvement. Your resulting risk management program, and your Board of Directors, will thank you for it.

Leticia Saiid is a Security+ certified tandem Software Support specialist for CoNetrix. CoNetrix offers a variety of security and technology services, including computer network design, penetration testing, and the tandem Information Security software suite. Visit www.CoNetrix.com or email info@CoNetrix.com to learn more about CoNetrix's Vendor Management products and services.

BERT ELY'S FARM CREDIT WATCH®

FCA Chairman Tonsager has important message for the FCS
On February 1, Dallas Tonsager, the new chairman and CEO of the Farm Credit Administration (FCA), gave his maiden speech as FCA chairman at the Farm Credit Council's annual meeting (Tonsager Speech, February 1, 2017). The Council is the trade association for the FCS's banks and associations. Tonsager sent a powerful message to the FCS that can be characterized by one word – confidence – which appeared 23 times in his speech. According to Tonsager, the FCS must maintain the confidence of the various publics it deals with, including those it lends to, those "to whom it does not lend," and investors in FCS debt. Most important of all, Tonsager counseled, "the [FCS] must also be mindful of the confidence that Congress has in it. It only takes one example to raise doubts and questions among members of Congress." Those doubts and questions were starkly evident during the most recent oversight hearings the House and Senate Agriculture Committees held on FCS activities and the FCA's regulation of the FCS. Possibly the "one example" Tonsager had in mind was CoBank, which was widely criticized at the two hearings for its numerous loans to large, investor-owned utilities and to other borrowers hardly in need of taxpayer-subsidized financing.