What is Vendor Risk Management? Understanding VRM
Vendor risk management (VRM) may be a risk management discipline that focuses on pinpointing and mitigating risks related to vendors. VRM gives companies visibility into the vendors they work with, how they work with them, and which vendors have implemented sufficient security controls.
As a discipline, VRM is rapidly evolving. Each day, companies experience new security, privacy, compliance, and business continuity challenges associated with their vendors. With the work-from-home shift digital transformation is rapidly increasing reliance on vendors (mainly cloud providers) making VRM a permanent, board-level concern.
A vendor risk management program varies significantly supported company size, jurisdiction, applicable laws, industry, and more. That said, there are many VRM best practices that apply to each business. We will discuss these in greater detail throughout this text.
What is the difference between a vendor, third party, supplier, and service provider?
When discussing vendor risk management, it’s important to note that many companies use different terminology when referring to vendors. In some cases, “vendor” is employed interchangeably with the third party, supplier, or service provider. However, in many cases, these terms carry subtle differences.
For example, the term “supplier” is usually utilized in reference to physical goods, while vendors and repair providers are the terms most frequently employed by information technology (IT) teams. “Third-party” is usually viewed because the most overarching term and may encompass all of the previously mentioned terms. For many individuals, third-party risk management and vendor risk management are synonymous.
Why is vendor risk management important?
Increasingly, companies are outsourcing critical tasks to their vendors, which comes with both benefits and risks. While working with a 3rd party can prevent money and assist you operate more efficiently, it also creates vulnerabilities. Recent events, like the Covid-19 pandemic, SolarWinds cyberattack, the Colonial Pipeline attack, and other ransomware breaches have made vendor-related risks abundantly clear. These events have impacted millions of businesses and their third parties – regardless of industry, company size, or country.
Below are a few hypothetical examples to illustrate why VRM is important.
Let’s say your company relies on Google Cloud services to run its mobile application. If Google Cloud has a disruption, your customers might not be ready to access your app. Another example might be a ride-hailing service, like Uber, and its reliance on contracted drivers. If Uber’s drivers continue to strike, which will cause major challenges and hurt the company’s bottom line.
Still, outsourcing may be a necessary component of running a contemporary business. It not only saves the business money, but it’s easy thanks to cash in of the expertise that a corporation won’t currently have in-house. The downside is that if a correct vendor risk management program isn’t in situ, counting on third parties can leave your business vulnerable.
An effective VRM program can reduce the impact of disruptive events and reduce a company’s overall risk exposure. However, VRM offers much more benefits than simply reducing risks. For example, businesses that have implemented a vendor risk management program can evaluate and onboard new vendors more efficiently, getting the proper tools into the proper peoples’ hands – faster.
Additionally, a vendor risk program can give organizations the power to watch their vendor relationships over time, identifying new risks as they arise, also as measuring vendor performance. There are numerous other reasons why vendor risk management is important, including the ability to:
- Hold vendors accountable to contracts
- Reduce spend by identifying redundant third parties
- Comply with global regulations and industry requirements
- Understand how data flows and who has access
- Track security controls and manage risk mitigation efforts
- Offboard vendors and maintain records for compliance
How do companies manage vendor risk?
There is no one-size-fits-all approach to managing vendor risk. Every company is different. Still, there are common measures that each business with a robust VRM program must take. These measures include (but are not limited to):
- Defining your risk appetite by developing a risk appetite statement
- Managing risks down to the individual product or service offered by a vendor
- Choosing your control framework and assessment standard
- Identifying the risk types that are most important to your organization
- Creating a vendor inventory and tracking critical attributes defined by your business
- Classifying your vendors based on the criticality
- Conducting vendor risk assessments and mitigation
- Tracking key terms in vendor contracts
- Reporting on important vendor-related metrics
- Monitoring vendor risks and performance over time
How do you implement a vendor risk management program?
Implementation of a VRM program is very hooked into the dimensions of your organization and the scale of your vendor management program. With that said, many program implementations follow a standard methodology.
Step 1: Select Software
Understand your use case and software requirements.
Step 2: Train Your Team
Review key functionality and understand how the software can meet your goals.
Step 3: Build Your Vendor Inventory
Import an existing vendor list (if you’ve got one) and configure the attributes you’d wish to track for every vendor. If you don’t have an existing vendor list, there are a couple of methods you’ll use to spot and onboard vendors, like conducting vendor discovery assessments or leveraging a self-service portal for business users.
Step 4: Classify Your Vendors
With dozens, hundreds, or maybe thousands of vendors, it’s difficult to understand which of them matter most. Many vendor risk teams solve this problem by classifying their vendors into different tiers. The most commonly applied tiers are:
- Low risk, low criticality
- Medium risk, medium criticality
- High risk, high criticality
Step 5: Choose Your Assessment Framework
There are many assessment standards or frameworks to settle on from. There is no “right” assessment that works for everybody. However, there’s likely a “right” assessment framework that works for your company and industry. Common industry assessment standards, include:
There are also standards for specific industries, including:
We’ll explore these standards and frameworks in more detail later on.
Step 6: Develop Your Assessment Methodology
When developing your assessment processes, it’s important to consider the following questions:
- How do know when a new vendor assessment is required?
- Who should have the ability to launch a vendor assessment?
- Who reviews the assessments?
- How much effort do you want to put into validating assessment answers?
- Which assessment questions generate risks?
- How are flagged risks aggregated and reported on?
- Are follow-up assessments needed based on initial assessment responses?
- How often do you need to reassess your vendors?
- Will you conduct assessments yourself, or would an assessment exchange work for you?
When considering how you would like to validate assessment answers, it’s important to know your options. For low-risk vendors, many companies will accept a vendor self-attestation (in which the seller “attests” to the accuracy of their answers). For medium- to high-risk vendors, companies will take a more intensive validation approach, such as an onsite audit. However, thanks to the pandemic, many organizations are choosing remote audits rather than going onsite.
Step 7: Define Your Risk Methodology and Control Framework
Every VRM program needs how to calculate risks. Your risk methodology, alongside your chosen control framework, must be defined internally by your organization. Many companies use a risk matrix with impact and probability because of the axis.
Alternative methodologies are often as simple as flagging risks as high, medium, or low. Or, risk management programs mature, organizations tend to develop more detailed risk formulas.
Step 8: Create Automation Workflows & Triggers
As you outline different VRM workflows, consider where you’ll apply automation to save lots of time. Many vendor management professionals add automation when:
- Adding and onboarding new vendors.
- Measuring inherent risk and tiering vendors.
- Assigning risk owners and delegating required mitigation actions.
- Triggering vendor performance or renewal reviews.
- Triggering yearly vendor reassessments.
- Sending notifications to key stakeholders.
- Scheduling, running, and sharing reports.
Every business has unique vendor risk management workflows. To streamline these workflows, specialize in identifying the foremost repeatable processes and tasks. Then, begin configuring automation for these specific aspects of your workflows. As each smaller automation is added, efficiency will compound, and your team will reap the time-saving rewards.
Step 9: Build Your Reports & Dashboards
Every third-party risk professional features a list of reports and analytics they’d wish to have access to. There’s not a better time to make this data accessible than during a VRM program implementation. So, ask yourself, what are your current reporting requirements? What information would be helpful to display during a dashboard?
The most straightforward metrics often tracked include:
- Total number of vendors
- Vendors by risk score or level
- Status on all vendor risk assessments
- Number of expiring or expired vendor contracts
- Risks grouped by level (high, medium, low)
- By stage within the risk remediation workflow
- Your parent organization and risks to your subsidiaries
- Risk history over time
Step 10: Refine Your Program Over Time
Vendor risk management is not a static discipline. New threats and requirements are constantly emerging, which is why it’s so important to require a step back from time to time to work out if your program remains to hit the mark. If not, why?
What is the vendor risk management lifecycle?
The vendor risk management lifecycle is how a vendor relationship progresses over time. In some cases, VRM is actually referred to as “vendor relationship management,” which describes the ongoing engagements that businesses have with their vendors. The VRM lifecycle consists of the following stages:
- Vendor identification
- Evaluation & selection
- Risk assessment
- Risk mitigation
- Contracting and procurement
- Reporting and recordkeeping
- Ongoing monitoring
- Vendor offboarding
The vendor risk management lifecycle is usually mentioned because of the “third-party risk management lifecycle,” which we break down in much greater detail here.
How do I conduct better vendor risk assessments?
A vendor risk assessment, or third-party risk assessment, maybe a questionnaire that companies use to “assess” and vet their current and future vendors.
The risk assessment process is meant to spot and evaluate the potential risks of working with a vendor. This is done by assessing a vendor’s security controls, values, goals, policies, procedures, and other contributing factors. In doing so, businesses are ready to determine if the rewards outweigh the risks of working with a 3rd party.
Conducting thorough risk assessments is critical to the success of your vendor risk management program. So, what best practices are you able to put in situ to enhance your probability of risk assessment success? Below are 5 tips to assist improve your assessment process.
Tip 1: Determine Which Risks You Care About
Prior to assessing your vendors, it’s important to require a step back and believe which risks matter most to your organization. These risks can are available in many forms and include:
- Strategic Risk (how does the vendor’s strategy align with yours?)
- Cybersecurity Risk
- Financial Risk
- Compliance Risk
- Geographic Risk
- 4th-Party Risk
- Replacement Risk (how difficult is it to replace the vendor?)
- Operational Risk
- Privacy Risk
- Reputational Risk
- Business Continuity Risk
- Performance Risk
- Environmental Risk
- Concentration Risk (How reliant are you on an individual vendor?)
- And many more…
The specific risks you opt to trace will depend upon your organization and your VRM program goals. Many companies don’t track all of the risks listed above. Most will select the highest 4-5 risk categories that matter most to their business. Measuring too many sorts of risks can become overwhelming. Foremost mature VRM programs can get very granular with the kinds of risks they track, and in doing so, will have a greater understanding of their company’s overall risk exposure because it relates to 3rd parties.
Tip 2: Assess Your Vendors’ Products and Services
Most of the vendors you’re employed with have a variety of various products or services. Each of those individual products or services can have different security measures in situ, making the risks they pose unique (even if it’s an equivalent vendor).
As a hypothetical, Salesforce CRM and Salesforce Pardot are two separate products sold by Salesforce. In this case, the seller is Salesforce, however, the products (CRM vs. Pardot) each have their own separate compliance certifications and a special set of implemented security controls.
What’s more, how you employ one service could also be totally different than how you employ another. For example, you’ll use Amazon to order supplies for your business. In this case, Amazon might be considered a low-risk vendor. On the opposite hand, you’ll also believe Amazon Web Services to host your cloud-based application, which might present a way greater risk.
Tip 3: Automate Your Vendor Assessment Process
Like any repeatable process, you’ll automate the actions involved in conducting assessments. Review internal procedures to spot areas in your assessment workflow which will be done automatically. Automation examples include auto-flagging risks, assigning risk owners, and triggering reassessments supported by a newly identified risk or an expiring contract.
Tip 4: Make Responding to Assessments Easy for Your Vendors
Getting a vendor to answer an assessment is often a painstaking process. Consider how you’ll make the method easier for your vendors. Enable them with free questionnaire response automation tools, or encourage them to participate during a risk exchange.
Tip 5: Monitor Vendors for Reassessment
Risks can change over time. So, what risk-inducing events might require a reassessment of a vendor? New risks often arise from the following events:
- Mergers, acquisitions, or divestitures
- Internal process modifications
- Negative news or unethical actions
- Natural disasters and other business continuity triggering events
- Product updates
- New regulations
- Employee reductions
What are risk exchanges and how can they help me with my vendor risk assessments?
A risk exchange (or Third-Party Risk Exchange) helps facilitate the “exchange” of vendor risk assessments, as well as other documentation and evidence.
With an exchange, you can access a vendor’s pre-completed risk assessments. These assessments are typically supported by an industry standard, like NIST, ISO, or SIG Lite.
A risk exchange can improve your VRM program by enabling you to urge your vendor assessments done faster, also eliminating the time-consuming, assessment-related work that ties up your team and takes resources far away from other strategic projects.
For your vendors, risk exchanges save them significant time by enabling them to re-use their completed questionnaires over and once again. Through the exchange, they will share an equivalent assessment with dozens of companies at an equivalent time.
Ultimately, risk exchanges enable you and your vendors to figure together to collectively make the seller risk assessment process better for everybody involved.
What are the benefits of vendor risk management software?
VRM software helps organizations build and automate their vendor risk management program. Vendor risk software helps you onboard third parties, evaluate them, identify and mitigate their risks, monitor vendor changes over time, and offboard third parties when necessary. Maintaining adequate records to demonstrate compliance. When leveraging VRM software, automation can provide a rapid return on investment (ROI). Additional benefits of vendor risk management software, include:
- Increased security
- Increased consumer trust
- Greater time and cost savings
- Reduced repetitive work
- Better vendor visibility
- Streamlined vendor evaluation and onboarding
- Faster risk assessments
- Improved reporting and analytics
- Simplified recordkeeping
- Reduced risks associated with vendors
- Improved vendor relationships and performance
- Less time spent in spreadsheets
- And much more…
Want to ascertain how OneTrust Vendorpedia can assist you to improve and scale your vendor risk management program? Request a demo of our VRM solution today!