Holistic multi-vendor strategy


The legislation states:

"…assess the need for a multi-vendor strategy, and if applicable, defining a holistic ICT multi-vendor strategy, at entity level showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers."

The DORA legislation makes a holistic ICT multi-vendor strategy a required part of financial entities’ ICT risk management framework.

Two important strategies need to be analysed to understand the implications for your company:

  1. ICT multi-vendor strategy
  2. Holistic strategy

ICT multi-vendor strategy

An ICT multi-vendor strategy means using several ICT service providers for your business. Compared with a single-vendor strategy, using different providers has several benefits:

  • Ability to choose vendors that are the best or most suited for certain parts of your business
  • Reduced risk of single-vendor dependencies

Holistic strategy

A holistic strategy is a business strategy approach where a company focuses on coordinating its departments and employees to better collaborate and exchange. The benefit of a successful holistic strategy is internal alignment. The results can usually be seen in:

  • Increased business value collaboratively created
  • The entire company focused on working together towards collective goals

Our recommendations

With this knowledge, Advisense approaches a holistic ICT multi-vendor strategy as a strategy where each ICT service has a purpose aligned with the entity’s business goals.

The provided ICT services need to be mapped and connected so that no part of the service chain results in unnecessary tasks for the business. A vendor should never inhibit another vendor from delivering value to the business, but rather enhance it. As stated in the legislation, there must be a rationale behind the procurement mix of third-party service providers.

A holistic ICT multi-vendor strategy should be established so that it can be used as a tool for mapping your risk dependencies and for evaluating new ICT vendors. If you can achieve a broad understanding of how vendors contribute to your business, it will be easier to pinpoint where your major risks lie and where risks can be spread between vendors. You can also more easily evaluate vendors against your strategy and your current mix of ICT service providers.

When assessing your need for a holistic ICT multi-vendor strategy, there are many aspects to consider. As a start, you should consider the mix of ICT-vendors and ask yourself: 

  • Are we using multiple critical ICT-vendors for our business? 
  • Are our risks distributed over several ICT-vendors? 
  • Do we have ICT-vendors that provide similar solutions? 
  • Do our ICT-vendors have several dependencies on each other?
  • Are we dependent on one single ICT-vendor?

If your answer is ‘Yes’ to one or several of the questions above, your business can likely benefit greatly from a holistic ICT multi-vendor strategy.

Designing a holistic ICT multi-vendor strategy is not an easy endeavor; it will require a high level of knowledge and competence, both in technical capabilities and vendor management. However, the benefits of a successful implementation are clear. It will enhance your business productivity and value creation. You will be confident that each service provider is worth their cost and contributes to your success.

Fredrik Ohlsson

Managing Director, Cyber & Digital Risk
