Friday, May 31, 2019

An ex-auditor makes a great comment on vendor risk



Kevin Perry, former Chief CIP Auditor of SPP RE, retired last year but still reads my posts (after all, what better way to spend your retirement?) and has often corresponded with me on them, as he often did while he was an auditor. He sent me the comment below regarding my most recent post on CIP-013. He said:

I look at it this way... the contract language or other documented agreements simply show what you agreed to, and don't guarantee performance. The RFI and other procurement solicitation documentation shows you tried, even if the vendor will not agree to your requests. But what you really need to focus on is managing your own risk and not assigning it to the vendor. What can you do to mitigate vendor risk, as opposed to what will you presume the vendor is doing to mitigate your risk? If you approach the issue with an assumption that the vendor will fail, then your mitigation will be better than if you assume the vendor has your back. It is not much different than network security between two companies. You mitigate risk through mutual distrust... you assume something bad will get on your partner's network and thus you build your own defenses at your perimeter.

I couldn’t have said it any better! And I would certainly have taken a lot longer to say it…


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
