Definition: Vendor Risk Management
Vendor risk management is a discipline in risk management that focuses on identifying and mitigating vendor risks. VRM allows companies to see the vendors they are working with, their work processes, and which vendors have sufficient security controls.
VRM as a discipline is constantly evolving. Every day, vendors present new security, privacy and compliance challenges to companies. The shift to working from home and the increased reliance on cloud providers have made VRM a serious concern for board members. The objectives of a vendor management program vary with the company’s size, jurisdiction, industry, and the laws that apply to it, but there are VRM best practices for every business.
What is the Difference Between a Vendor, Third Party, Supplier, and Service Provider?
It is important to remember that different companies refer to vendors in different ways when discussing vendor risk management. The term “vendor” is sometimes used interchangeably with third party, supplier, and service provider, although these terms can carry subtle differences.
The term “supplier”, for example, is frequently used for providers of physical goods, whereas “vendor” and “service provider” are the terms most IT teams use. “Third party” is often considered the overarching term and can include all of the terms above. Many people consider vendor risk management and third-party risk management synonymous.
Why is Vendor Risk Management Important?
Companies are increasingly outsourcing crucial tasks to vendors. This has both benefits and potential risks. Although outsourcing to a third party can save money and make your business more efficient, it also exposes you to vendor security risk. Recent events such as the COVID-19 pandemic, the SolarWinds hack, and the Colonial Pipeline attack have highlighted vendor-related risks. These events have had a profound impact on millions of businesses, regardless of their industry or location.
Here are some examples of VRM to show why it is so important.
Suppose your company uses Google Cloud services for its mobile app. If Google Cloud is down, your customers might not be able to access your app. Uber and its reliance on contracted drivers is another example: a drivers’ strike can cause major problems and hurt the company’s bottom line.
Outsourcing is an essential part of modern business management. It saves money and gives you access to expertise your organization may not have. The downside is that depending on third parties can make your business vulnerable. IT Vendor Risk Management (VRM) is the process of managing the risks that come with using external IT service providers and other IT services.
A well-designed VRM program can help reduce the impact of disruptive events and decrease a company’s risk exposure. VRM is about more than reducing risk, though. Businesses that have implemented vendor risk management programs can assess and onboard vendors faster and get the right tools to the right people more efficiently. A vendor risk program lets organizations track their vendor relationships, identify new risks as they occur, and measure vendor performance. Vendor risk management is essential for many reasons, including:
- Holding vendors accountable to their contracts
- Recognizing redundant third parties to reduce spending
- Complying with industry and global regulations
- Understanding how data flows and who has access to it
- Monitoring security controls and managing risk mitigation efforts
- Offboarding vendors and keeping records for compliance
How Do Companies Manage Vendor Risk?
There is no single solution to managing vendor risk; each company is unique. However, there are common steps that all businesses with strong VRM programs follow. These include, but are not limited to:
- Developing a risk appetite statement that defines how much risk you will accept
- Scoping risks to each product or service offered, not just to the vendor as a whole
- Selecting your vendor risk management control framework and assessment standards
- Identifying the risks most relevant to your company
- Creating a vendor inventory that tracks the key attributes of each vendor
- Classifying your vendors based on criticality
- Conducting vendor risk assessments and mitigation
- Negotiating key terms in vendor contracts
- Reporting important vendor-related metrics
- Monitoring vendor risks and performance over time
How Do you Implement a Vendor Risk Management Program?
The size and scope of your vendor management program will largely determine how you implement a VRM plan. Still, most implementations follow the same methodology.
Step 1 – Select Software
Understand your use case and software needs.
Step 2 – Train Your Team
Learn the software’s key features and how they can help you achieve your goals.
Step 3 – Build Your Vendor Inventory
If you already have a vendor list, import it and set the attributes that you want to track for each vendor. If you don’t have an existing vendor list, there are several methods you can use to identify and onboard vendors, such as conducting vendor discovery assessments or creating a self-service portal for business users.
Step 4 – Classify Your Vendors
It can be difficult to determine which vendors matter most when there are dozens, hundreds, or even thousands of them. Many vendor risk teams solve this by classifying their vendors into tiers. These tiers are the most popular:
- Tier 3 vendors: Low risk, high criticality
- Tier 2 vendors: Medium risk, medium criticality
- Tier 1 vendors: High risk, high criticality
Step 5 – Choose Your Assessment Framework
Many frameworks can be used to assess vendors, and there is no one “right” way to assess risk. There is likely a vendor management framework that suits your industry and company. These are the most common industry standards for assessment:
- ISO 27001
- ISO 27701
- NIST SP 800-53
- SIG Lite and SIG Core
- CSA CAIQ
Specific industries can also be covered by standards, such as:
- HITRUST (healthcare)
- HECVAT (higher education)
These standards and frameworks will be explored in greater detail later.
Step 6 – Develop Your Assessment Methodology
It is important to ask the following questions when developing assessment processes:
- How can you tell if a vendor assessment is necessary?
- Who should be able to conduct a vendor assessment?
- Who reviews the assessments?
- How much effort are you willing to put into validating assessment results?
- What assessment questions can be used to identify risks?
- How are flagged risk reports aggregated?
- Is it necessary to conduct follow-up assessments based on initial assessment results?
- How often are you required to reassess vendors?
- Do you plan to conduct your own assessments or would you prefer an assessment exchange?
It is important to fully understand your options for validating assessment answers. Many companies accept self-attestations from low-risk vendors, where the vendor “attests to” the accuracy of its answers. For medium- and high-risk vendors, companies use a more thorough validation process, such as an onsite inspection; since the pandemic, many organizations have opted for remote audits instead.
Step 7 – Define your Risk Methodology and Control Framework
Each VRM program must have a method to calculate risk, so your organization must define its risk methodology and control framework. Many companies use a risk matrix with probability and impact as its axes.
Alternate methods can include flagging high, medium or low risk. As organizations mature their risk management programs, they tend to create more complex risk formulas.
Step 8 – Create Automation Workflows and Triggers
As you create VRM workflows, consider where automation can save time. Vendor management professionals commonly automate tasks such as:
- Adding and onboarding new vendors
- Measuring inherent risk and tiering vendors
- Delegating mitigation actions and assigning risk owners
- Triggering vendor performance reviews or renewal reviews
- Triggering annual vendor reassessments
- Notifying key stakeholders
- Scheduling, running and sharing reports
Each business has its own vendor risk management processes. Simplify these workflows by focusing on the most repeatable tasks and processes, then configure automation to handle them. Each small automation adds efficiency, which saves your team time.
Step 9 – Create Your Reports and Dashboards
Every third-party risk professional will have a wishlist of analytics and reports they would like to access. This data can be made available at any time, including during the implementation of a VRM program. Ask yourself: What are your current reporting needs? What data would you like to see in a dashboard display?
These are the metrics most often tracked:
- Total number of vendors
- Vendors sorted by risk score or level
- Whether all vendor risk assessments are current
- Number of expiring or expired vendor contracts
- Risks grouped by level (high, medium, and low)
- Stage of each risk in the remediation process
- Risks to your parent company and risks to your subsidiary companies
- Risk history over time
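As an added example that is not code from the original article, the Python below puts Steps 4, 7 and 9 together: each vendor product gets a probability x impact score from a risk matrix, is tiered by that score, and the dashboard metrics listed above are computed over a small inventory, with overdue assessments and expiring contracts surfacing as Step 8 triggers. The tier cut-offs, the one-year reassessment interval, the 90-day contract notice window and the sample inventory are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example, not the article's own method: risk matrix scoring,
# tiering and dashboard metrics. Thresholds and data are assumptions.

@dataclass
class VendorProduct:
    vendor: str
    product: str            # assess per product or service, not just per vendor
    probability: int        # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    last_assessed: date
    contract_end: date

def risk_score(vp: VendorProduct) -> int:
    """Risk matrix cell: probability x impact on 1-5 axes, range 1..25."""
    if not (1 <= vp.probability <= 5 and 1 <= vp.impact <= 5):
        raise ValueError(f"{vp.vendor}/{vp.product}: axes must be within 1..5")
    return vp.probability * vp.impact

def tier(score: int) -> int:
    """Tier 1 = high risk, Tier 2 = medium, Tier 3 = low (assumed cut-offs)."""
    return 1 if score >= 15 else 2 if score >= 6 else 3

def dashboard(inv: list, today: date, reassess_days: int = 365, notice_days: int = 90) -> dict:
    """Step 9 metrics: counts per tier, overdue assessments, expiring contracts."""
    by_tier = {1: 0, 2: 0, 3: 0}
    overdue, expiring = [], []
    for vp in inv:
        by_tier[tier(risk_score(vp))] += 1
        label = f"{vp.vendor}/{vp.product}"
        if (today - vp.last_assessed).days > reassess_days:
            overdue.append(label)        # would trigger a reassessment (Step 8)
        if vp.contract_end <= today + timedelta(days=notice_days):
            expiring.append(label)       # would trigger a renewal review (Step 8)
    return {"total": len(inv), "by_tier": by_tier,
            "assessments_current": not overdue, "overdue": overdue,
            "expiring_contracts": expiring}

# Constructed inventory: the same vendor carries different risk per product.
SAMPLE = [
    VendorProduct("CloudCo", "object storage", 3, 5, date(2023, 1, 10), date(2024, 12, 31)),
    VendorProduct("CloudCo", "office supplies", 1, 1, date(2024, 3, 1), date(2025, 6, 30)),
    VendorProduct("CRM Inc", "CRM", 2, 4, date(2023, 5, 20), date(2024, 4, 30)),
]
TODAY = date(2024, 4, 1)   # assumed reporting date

if __name__ == "__main__":
    print(dashboard(SAMPLE, TODAY))
```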
Step 10 – Refine Your Program Over Time
Vendor risk management is not a static discipline; there are always new threats and requirements. Periodically step back to check whether your program is still on the right track, and if it isn’t, ask why.
What is the Vendor Risk Management Lifecycle?
The vendor risk management lifecycle describes how vendor relationships progress over time. VRM can also be called “vendor relation management” in some cases. This refers to the ongoing relationships that vendors have with businesses. These are the stages of the VRM lifecycle:
- Vendor identification
- Evaluation and selection
- Risk assessment
- Risk mitigation
- Procurement and contracting
- Reporting and recordkeeping
- Ongoing monitoring
- Vendor offboarding
The vendor risk management lifecycle is sometimes also called the “third-party risk management lifecycle”, which we detail.
How Can I Do Better Vendor Risk Assessments?
Vendor risk assessments, also known as third-party risk assessments, are a questionnaire companies use to “assess and vet” their vendors.
A risk assessment evaluates the risks of working with a vendor by examining the vendor’s security measures, goals, policies, and procedures, as well as other contributing factors. Businesses can then determine whether the benefits outweigh the risks of working with that third party. If “knowing is half the battle”, knowing the right questions to ask is the other half. This is why we offer a Vendor Risk Management Questionnaire Template to assist you.
To ensure the success of your vendor management program, it is important to conduct thorough risk assessments. What are the best practices to increase your chances of a successful vendor risk management program? Here are five tips that will help you improve your assessment process.
Tip 1 – Determine Which Risks You Care About
Before you begin to evaluate your vendors, take a moment to reflect on which risks are most important to your company. These risks come in many forms, including:
- Strategic risk (How does the vendor’s strategy align with yours?)
- Cybersecurity risk
- Financial risk
- Compliance risk
- Geographic risk
- Fourth-party risk
- Replacement risk (How difficult is it to replace the vendor?)
- Operational risk
- Privacy risk
- Reputational risk
- Business continuity risk
- Performance risk
- Environmental risk
- Concentration risk (How dependent are you on a single vendor?)
There are many others.
Your organization’s goals and VRM program goals will determine which risks you choose to monitor. Many companies don’t track all the risks above; most focus on the 4-5 that matter most to their business, since measuring too many types of risk can be overwhelming. Mature VRM programs, however, can be very specific about the types of risk they track and give a better understanding of the company’s overall risk exposure to third parties.
Tip 2 – Assess Your Vendors’ Products and Services
Many vendors that you deal with offer a variety of products and services. Every product or service can have its own security measures, which makes the risk unique (even though they are from the same vendor).
Salesforce CRM and Salesforce Pardot, for example, can be thought of as two distinct products. Salesforce is the vendor, but each product (CRM and Pardot) has its own compliance certifications and its own set of security controls.
You may also use one service from a vendor very differently from another. If Amazon is used to order supplies for your company, it might be considered a low-risk vendor; if Amazon Web Services hosts your cloud-based applications, the same vendor poses a much greater risk.
Tip 3 – Automate Your Vendor Assessment Process
You can automate assessments, just like any other repeatable process. You can review your internal processes to find areas that can be automated. Examples of automation include assigning risk owners and auto-flagging risk.
Tip 4 – Make it easy for your vendors to respond to assessments
It can be difficult to get a vendor to complete an assessment. You can make the process simpler for vendors by offering them questionnaire response tools or encouraging them to take part in a risk exchange.
Tip 5 – Monitor Vendors for Reassessment
Risks change over time, and vendors might need to be reassessed after events that introduce new risk. Such events often include:
- Acquisitions, mergers, and divestitures
- Modifications to internal processes
- Negative news and unethical acts
- Natural disasters and other events that threaten business continuity
- Updates on products
- New regulations
- Reduced employee hours
What is a Risk Exchange and How can it help me with Vendor Risk Assessments?
A third-party risk exchange facilitates the “exchange” of vendor risk assessments, along with supporting documentation and evidence.
Through an exchange, you can access a vendor’s completed risk assessments. These assessments are usually based on industry standards such as ISO or SIG Lite.
Risk exchanges can help improve your VRM program. They allow you to quickly get vendor assessments done.
Risk exchanges can save vendors time and allow them to reuse their questionnaires repeatedly. They can also share the same assessment with many companies through the exchange.
Risk exchanges allow you and your vendors the opportunity to work together to make vendor risk assessment more efficient for all parties.
What are Some of the Benefits of Vendor Risk Management?
VRM software allows organizations to build and automate their vendor risk management programs. Vendor risk software lets you onboard, assess, mitigate and monitor third-party risks, track changes over time, and offboard vendors when necessary, all while keeping adequate records to prove compliance. A vendor risk management policy describes the risks your organization faces when it deals with third-party suppliers. Automation can help you achieve a quick return on investment (ROI) when you leverage VRM software. Other benefits of vendor risk management software include:
- Increased security
- Increased consumer trust
- Time and cost savings
- Less repetitive work
- Better vendor visibility
- Streamlined vendor evaluations and onboarding
- Faster risk assessments
- Improved analytics and reporting
- Simpler record keeping
- Reduced vendor risk
- Improved vendor performance and relations
- Less time spent on spreadsheets
- And much more