What is vendor risk management?
Vendor risk management (VRM) is a risk management discipline that focuses on pinpointing and mitigating risks associated with vendors. VRM gives companies visibility into the vendors they work with, how they work with them, and which vendors have implemented sufficient security controls.
As a discipline, VRM is rapidly evolving. Each day, companies experience new security, privacy, compliance, and business continuity challenges related to their vendors. With the work-from-home shift digital transformation is rapidly increasing reliance on vendors (mainly cloud providers) making VRM a permanent, board-level concern. Objectives of a vendor risk management program vary significantly based on company size, jurisdiction, applicable laws, industry, and more. That said, there are many VRM best practices that apply to every business. We will discuss these in greater detail throughout this article.
What is the difference between a vendor, third party, supplier, and service provider?
When discussing vendor risk management, it’s important to note that many companies use different terminology when referring to vendors. In some cases, “vendor” is used interchangeably with third party, supplier, or service provider. However, in many cases, these terms carry subtle differences.
For example, the term “supplier” is often used in connection with physical goods, while vendors and service providers are terms most often used by information technology (IT) teams. “Third party” is often viewed as the most overarching term and can encompass all of the previously mentioned terms. For many individuals, third-party risk management and vendor risk management are synonymous.
Why is vendor risk management important?
Companies are increasingly outsourcing critical tasks to their vendors, which comes with both benefits and risks. While working with a third party can save you money and help you operate more efficiently, it also creates vulnerabilities. Recent events, such as the Covid-19 pandemic , SolarWinds cyberattack, the Colonial Pipeline attack, and other ransomware breaches have made vendor-related risks abundantly clear. These events have impacted millions of businesses and their third parties – regardless of industry, company size, or country.
Below are a few hypothetical examples to illustrate why VRM is important.
Let’s say your company relies on Google Cloud services to run its mobile application. If Google Cloud has an interruption, your customers may not be able to access your app. Another example could be a ride-hailing service, such as Uber, and their reliance on contracted drivers. If Uber’s drivers go on strike, that can cause major challenges and hurt the company’s bottom line.
Still, outsourcing is a necessary component of running a modern business. It not only saves a business money, but it’s a simple way to take advantage of the expertise that an organization might not currently have in-house. The downside is that if a proper vendor risk management program is not in place, relying on third parties can leave your business vulnerable.
An effective VRM program can reduce the impact of disruptive events and reduce a company’s overall risk exposure. However, VRM offers far more benefits than just reducing risks. For example, businesses that have implemented a vendor risk management program can evaluate and onboard new vendors more efficiently, getting the right tools into the right peoples’ hands – faster. Additionally, a vendor risk program can give organizations the ability to monitor their vendor relationships over time, identifying new risks as they arise, as well as measuring vendor performance. There are numerous other reasons why vendor risk management is important, including the ability to:
- Hold vendors accountable to contracts
- Reduce spend by identifying redundant third parties
- Comply with global regulations and industry requirements
- Understand how data flows and who has access
- Track security controls and manage risk mitigation efforts
- Offboard vendors and maintain records for compliance
How do companies manage vendor risk?
There is no one-size-fits-all approach to managing vendor risk. Every company is different. Still, there are common measures that every business with a strong VRM program must take. These measures include (but are not limited to):
- Defining your risk appetite by developing a risk appetite statement
- Managing risks down to the individual product or service offered by a vendor
- Choosing your control framework and assessment standard
- Identifying the risk types that are most important to your organization
- Creating a vendor inventory and tracking critical attributes defined by your business
- Classifying your vendors based on criticality
- Conducting vendor risk assessments and mitigation
- Tracking key terms in vendor contracts
- Reporting on important vendor-related metrics
- Monitoring vendor risks and performance overtime
How do you implement a vendor risk management program?
Implementation of a VRM program is highly dependent on the size of your organization and scale of your vendor management program. With that said, many program implementations follow a common methodology.
Step 1: Select software
Understand your use case and software requirements.
Step 2: Train your team
Review key functionality and understand how the software can meet your goals.
Step 3: Build your vendor inventory
Import an existing vendor list (if you have one) and configure the attributes you’d like to track for each vendor. If you don’t have an existing vendor list, there are a few methods you can use to identify and onboard vendors, such as conducting vendor discovery assessments or leveraging a self-service portal for business users.
Step 4: Classify your vendors
With dozens, hundreds, or even thousands of vendors, it’s difficult to know which ones matter most. Many vendor risk teams solve this problem by classifying their vendors into different tiers. The most commonly applied tiers are:
- Tier 3 vendors: Low risk, low criticality
- Tier 2 vendors: Medium risk, medium criticality
- Tier 1 vendors: High risk, high criticality
Step 5: Choose your assessment framework
There are many assessment standards or frameworks to choose from. There is no “right” assessment that works for everyone. However, there is likely a “right” assessment framework that works for your company and industry. Common industry assessment standards, include:
There are also standards for specific industries, including:
We’ll explore these standards and frameworks in more detail later on.
Step 6: Develop your assessment methodology
- When developing your assessment processes, it’s important to consider the following questions:
- How do you know when a new vendor assessment is required?
- Who should have the ability to launch a vendor assessment?
- Who reviews the assessments?
- How much effort do you want to put into validating assessment answers?
- Which assessment questions generate risks?
- How are flagged risks aggregated and reported on?
- Are follow-up assessments needed based on initial assessment responses?
- How often do you need to reassess your vendors?
- Will you conduct assessments yourself, or would an assessment exchange work for you?
When considering how you want to validate assessment answers, it is important to understand your options. For low-risk vendors, many companies will accept a vendor self-attestation (in which the vendor “attests” to the accuracy of their answers). For medium to high-risk vendors, companies will take a more intensive validation approach, such as an onsite audit. However, as digital transformation continues full speed ahead and work from home has become a part of day-to-day business, many organizations are opting for remote audits instead of going onsite. It’s important for your business to be prepared for both types of audits.
Step 7: Define your risk methodology and control framework
Every VRM program needs a way to calculate risks. Your risk methodology, along with your chosen control framework, must be defined internally by your organization. Many companies use a risk matrix with impact and probability as the axis.
Alternative methodologies can be as simple as flagging risks as high, medium, or low.
Step 8: Create automation workflows & triggers
As you outline different VRM workflows, consider where you can apply automation to save time. Many vendor management professionals add automation when:
- Adding and onboarding new vendors.
- Measuring inherent risk and tiering vendors.
- Assigning risk owners and delegating required mitigation actions.
- Triggering vendor performance or renewal reviews.
- Triggering yearly vendor reassessments.
- Sending notifications to key stakeholders.
- Scheduling, running and sharing reports.
Every business has unique vendor risk management workflows. To streamline these workflows, focus on identifying the most repeatable processes and tasks. Then, begin configuring automation for these specific aspects of your workflows. As each smaller automation is added, efficiency will compound, and your team will reap the time-saving rewards.
Step 9: Build your reports & dashboards
Every third-party risk professional has a wish list of reports and analytics they’d like to have access to. There’s no better time to make this data accessible than during a VRM program implementation.
So, ask yourself, what are your current reporting requirements? What information would be helpful to display in a dashboard?
The most straightforward metrics often tracked include:
- Total number of vendors
- Vendors by risk score or level
- Status on all vendor risk assessments
- Number of expiring or expired vendor contracts
- Risks grouped by level (high, medium, low)
- Risks by stage within the risk remediation workflow
- Risks to your parent organization and risks to your subsidiaries
- Risk history over time
Step 10: Refine your program over time
Vendor risk management is not a static discipline. New threats and requirements are constantly emerging, which is why it’s so important to take a step back from time to time to determine if your program is still hitting the mark. If not, why and what can you do about it?
What is the vendor risk management lifecycle?
The vendor risk management lifecycle is how a vendor relationship progresses over time. In some cases, VRM is actually referred to as “vendor relationship management,” which describes the ongoing engagements that businesses have with their vendors. The VRM lifecycle consists of the following stages:
- Vendor identification
- Evaluation & selection
- Risk assessment
- Risk mitigation
- Contracting and procurement
- Reporting and recordkeeping
- Ongoing monitoring
- Vendor offboarding
The vendor risk management lifecycle is sometimes referred to as the “third-party risk management lifecycle,” which we break down in much greater detail here.
How do I conduct better vendor risk assessments?
A vendor risk assessment, or third-party risk assessment, is a questionnaire that companies use to “assess” and vet their current and future vendors.
The risk assessment process is designed to identify and evaluate the potential risks of working with a vendor. This is done by assessing a vendor’s security controls, values, goals, policies, procedures, and other contributing factors. In doing so, businesses are able to determine if the rewards outweigh the risks of working with the third party.
Conducting thorough risk assessments is critical to the success of your vendor risk management program. So, what best practices can you put in place to improve your probability of risk assessment success? Below are 5 tips to help improve your assessment process.
Tip 1: Determine which risks you care about
Prior to assessing your vendors, it’s important to take a step back and think about which risks matter most to your organization. These risks can come in many forms and can include:
- Strategic Risk (how does the vendor’s strategy align with yours?)
- Cybersecurity Risk
- Financial Risk
- Compliance Risk
- Geographic Risk
- 4th-Party Risk
- Replacement Risk (how difficult is it to replace the vendor?)
- Operational Risk
- Privacy Risk
- Reputational Risk
- Business Continuity Risk
- Performance Risk
- Environmental Risk
- Concentration Risk (How reliant are you on an individual vendor?)
The specific risks you decide to track will depend on your organization and your VRM program goals. Many companies do not track all of the risks listed above. Most will select the top 4-5 risk categories that matter most to their business. Measuring too many types of risks can become overwhelming. That said, the most mature VRM programs can get very granular with the types of risks they track, and in doing so, will have a greater understanding of their company’s overall risk exposure as it relates to third parties.
Tip 2: Assess your vendors’ products and services
Most of the vendors you work with have a number of different products or services. Each of these individual products or services can have different security measures in place, making the risks they pose unique (even if it’s the same vendor).
As a hypothetical, Salesforce CRM and Salesforce Pardot are two separate products sold by Salesforce. In this case, the vendor is Salesforce, however, the products (CRM vs. Pardot) each have their own separate compliance certifications and a different set of implemented security controls.
What’s more, how you use one service may be totally different than how you use another. For example, you may use Amazon to order supplies for your business. In this case, Amazon could be considered a low-risk vendor. On the other hand, you may also rely on Amazon Web Services to host your cloud-based application, which would present a much greater risk.
Tip 3: Automate your vendor assessment process
Like any repeatable process, you can automate the actions involved in conducting assessments. Review internal procedures to identify areas in your assessment workflow that can be done automatically. Automation examples include auto-flagging risks, assigning risk owners, and triggering reassessments based on a newly identified risk or an expiring contract.
Tip 4: Make responding to assessments easy for your vendors
Getting a vendor to answer an assessment can be a painstaking process. Consider how you can make the process easier for your vendors. For example, enable them with free questionnaire response automation tools, or encourage them to participate in a risk exchange.
Tip 5: Monitor vendors for reassessment
Risks can change over time. So, what risk-inducing events might require a reassessment of a vendor? New risks often arise from the following events:
- Mergers, acquisitions, or divestitures
- Internal process modifications
- Negative news or unethical actions
- Natural disasters and other business continuity triggering events
- Product updates
- New regulations
- Employee reductions
What are risk exchanges and how can they help me with my vendor risk assessments?
A risk exchange (or Third-Party Risk Exchange) helps facilitate the “exchange” of vendor risk assessments, as well as other documentation and evidence.
With an exchange, you can access a vendor’s pre-completed risk assessments. These assessments are typically based on an industry standard, such as NIST, ISO, or SIG Lite.
A risk exchange can improve your VRM program by enabling you to get your vendor assessments done faster, as well as eliminating the time-consuming, assessment-related work that ties up your team and takes resources away from other strategic projects.
For your vendors, risk exchanges save them significant time by enabling them to re-use their completed questionnaires over and over again. Through the exchange, they can share the same assessment with dozens of companies at the same time.
Ultimately, risk exchanges enable you and your vendors to work together to collectively make the vendor risk assessment process better for everyone involved.
What are the benefits of vendor risk management software?
VRM software helps organizations build and automate their vendor risk management program. Ultimately, vendor risk software helps you onboard third parties, evaluate them, identify and mitigate their risks, monitor vendor changes over time, and offboard third parties when necessary – all while maintaining adequate records to demonstrate compliance. When leveraging VRM software, automation can provide a rapid return on investment (ROI). Additional benefits of vendor risk management software, include:
- Increased security
- Increased consumer trust
- Greater time and cost savings
- Reduced repetitive work
- Better vendor visibility
- Streamlined vendor evaluation and onboarding
- Faster risk assessments
- Improved reporting and analytics
- Simplified recordkeeping
- Reduced risks associated with vendors
- Improved vendor relationships and performance
- Less time spent in spreadsheets
How can OneTrust help?
The OneTrust platform leverages expertise in GRC, specializing in Third-Party Risk Management, Privacy, Incident Management and many other categories to deliver an immersive security and privacy management experience. Reduce your vendor, supplier, and third-party risks with OneTrust Third-Party Management software and Third-Party Risk Exchange The software enables you to run compliance checks and screen vendors. Additionally, our software empowers organizations to conduct vendor risk assessments and mitigate risks through highly customizable workflow automation. The OneTrust Third-Party Risk Exchange enables businesses to access to risk analytics and control gap reports on vendors, and provides vendors with an opportunity to centralize their compliance details and promote them to thousands of OneTrust customers to easily share.
