The First Lesson in Vendor Risk Management: A Classroom with Circular Saws

I had to make sure nobody got hurt. 🫳🏻🪚🩸😵

Imagine a class full of students—most of whom had never touched a power tool—handling electric circular saws and drills, assembling a massive plywood structure in a small, chaotic classroom. My job as Safety Compliance Coordinator was to keep them alive: headgear, tool safety, and strict procedures.

But all my efforts were overpowered by a non-compliant instructor—the one person everyone actually listened to.

The Face of Authority vs. Authority Itself

In any system, people follow the face of authority, not the abstract rules. In this case, the "authority" was a third-party contractor hired by our federally funded non-profit. He was a vendor who didn’t follow half of our safety protocols and ignored our training frameworks. He simply told the students: “Here’s how I do it, now get to it!”

No separation of duties. No step-by-step guides. Just pure, unchecked operational noise.

The Breakdown of Internal Controls

How do you enforce compliance when the person in charge is the one breaking it? That day was chaos. Students were stepping over each other, fighting for tools, and carrying lumber over classmates’ heads. The dominant voices took over, and the quieter students retreated.

That’s when it hit me: This was my first lesson in Vendor Risk Management.

What is the point of a strong internal culture of compliance if the people you hire externally—the ones your users actually interact with—don’t share your standards? In cybersecurity terms, that instructor was a third-party vendor with full access to our environment and zero alignment with our controls. He wasn’t malicious; he was just unchecked.

But unchecked risk is still risk.

Governance vs. Firefighting

After that day, I developed a classroom SOP with delegated roles and clear safety steps. I turned chaos into order. That experience highlighted the fundamental difference between:

  • Governance: Having strong frameworks and procedures to prevent failure.

  • Operations: Relying on constant, exhausted firefighting to survive it.

Relying on "human intuition" without a framework is like hiring SOC analysts to chase incidents that could have been prevented with proper vendor assessments and onboarding.

That classroom taught me more about GRC, risk, and human behavior than any textbook could. You can’t protect a system if you haven't secured the people you let inside it.
