As risk management specialists, we talk a lot about the vendor management process as a whole, its challenges, and its best practices. We always highlight a quality risk assessment as the cornerstone on which a holistic vendor risk management program is built, but what does the vendor risk assessment process actually entail? If you fail to identify the risks presented by the products or services your vendors provide, you will be left with an incomplete and ultimately inaccurate assessment. So where do we start?
Developing an Accurate Risk Profile
The key formative piece of a valid risk assessment is ensuring that you assess your vendors for the risks that are pertinent to the space your enterprise occupies. A financial institution likely isn't concerned about protected health information (PHI) security when evaluating its janitorial service, but it will be far more interested in the cyber security posture of its web services vendor. Determining what to assess for is nearly as important as evaluating the level of risk exposure the vendor creates.
Areas of Widespread Concern
The following categories are examples of areas that concern a broad spectrum of businesses across a variety of fields:
- Data Security Risk – Will your vendor have access to, or be responsible for storing, protected information belonging to your customers, employees, or other vendors?
- Transactional Risk – Does your vendor process payments for you or have access to payment or cardholder data? If so, are they subject to PCI DSS?
- Compliance Risk – Is your vendor subject to other regulatory or industry standards, such as the PCI DSS mentioned above or HIPAA?
- Geographic Risk – Does the country your vendor operates in expose them to additional risks, such as a high rate of organized crime, weak government oversight, or frequent public corruption?
- Downstream Risk – Who does your vendor contract with to complete their work for you? Who are those fourth and fifth parties, and what risks do they bring to the table?
These are only a few of the risk segments you may decide are significant to your enterprise. The next section covers a related, and equally important, dimension.
Assess for Criticality and Replacement
In addition to developing a specific risk profile against which to evaluate your vendors, it is extremely important to evaluate how critical each vendor is to your continued business operations. Network security providers, payment processors, and payroll services are good examples of critical vendors. If a vendor being compromised, failing to deliver services as agreed, or having to be brought in-house would substantially disrupt your business, that vendor is highly critical.
The second portion of this step is to assess how easily you could replace each critical vendor. A moderately critical vendor that is extremely difficult to replace in a reasonable amount of time is likely more concerning than a highly critical vendor that can be replaced easily.
This criticality and replacement evaluation is an often overlooked metric in the risk assessment process, especially since vendor risk management in small businesses is often conducted by whichever in-house personnel are available rather than by subject matter experts. This second step informs your entire ongoing vendor management program: even if a vendor's risk assessment results in a low score, a critical vendor will still need enhanced due diligence and continuous monitoring, and doubly so if that vendor is not easily replaceable.
So What Do You Do With All This Information?
Once you have settled on the details you need to evaluate, how do you actually develop the screening metrics your vendors will be scored against? The most common method of vendor risk assessment is a questionnaire. There are a number of resources from which you can pull questions aligned with various regulatory guidelines. That is a good place to start, but cookie-cutter questionnaires are as easy to bluff as they are to make.
Taking a whole-enterprise approach to risk management is a good idea, and this is the perfect opportunity to do so. Even if you have outsourced your third-party risk management tasks, you can still touch base with stakeholders across your company to determine where they are most exposed to supplier risk and tailor your questions to those areas. Members of IT, compliance, security, purchasing, and other departments are all potential sources of information.
Questionnaires Are Not Enough
We get it. Questionnaires are fast to distribute, easy to automate, and they check the box nicely. They do a fair job of detailing the inherent risks you may face with a given vendor. However, they fall short at identifying risks that are more pervasive or entrenched within a vendor, and a less scrupulous vendor that is not averse to outright falsification can simply answer dishonestly. On top of that, a questionnaire is a point-in-time evaluation and may not represent the vendor's current risk profile.
For moderate to high-risk vendors, or those in highly critical positions, you need to take things a step or two further. Interviews with key personnel, requests for evidence that backs up questionnaire answers (such as independent audit reports or recent penetration test summaries), virtual tours, site visits, and financial statement audits are all options, chosen according to the specific vendor relationship you are evaluating. The key is not to limit yourself when evaluating a high-risk or critical vendor. Identifying residual risks will benefit both parties in the relationship as long as communication lines are used properly, which brings us to our next point.
Communication During the Vendor Risk Assessment Process
Communication is integral to success in business, both internally and externally. Within your enterprise, everyone from the board and the C-suite on down should be looped in on pertinent risk management concepts and tasks. Externally, you should have a feedback mechanism in place as part of both your risk assessment and your continuous monitoring programs.
Giving vendors and potential vendors the opportunity to remediate any residual risks your process identifies both increases transparency and prevents you from torpedoing a potentially beneficial vendor relationship before it starts. It also gives vendors an added incentive to be forthcoming, knowing that challenges will be tackled together rather than simply resulting in the termination of a contract. We also recommend maintaining a list of common risk remediation tasks that can be readily forwarded to potential vendors when risks are identified. This streamlines the process instead of reinventing the wheel with every new vendor risk assessment.
Automation and Subject Matter Experts
This is a lot of information, especially if you are an executive in a small business without specialized personnel on hand to tackle these tasks. There are a host of vendor management platforms with automated features that can take some of the pressure off your own employees. Whether it is pushing questionnaires out to potential vendors, highlighting outlying responses, triggering review protocols, or flagging when contact information should be updated, any assistance you can give your risk management staff will be beneficial.
In addition to automated vendor management platforms, security scorecard ratings can provide a much-needed independent view of your vendors' security posture. Because these ratings are derived from externally observable signals rather than from inside knowledge of the vendor, they should be weighed alongside the rest of your assessment process as one more perspective, not as a replacement for it.
At Venture Lynk, we provide customized vendor risk management solutions to businesses of all sizes. Our staff of subject matter experts can develop a custom risk assessment process, onboard your vendors, or even conduct continuous monitoring from within your own vendor management program to free up your personnel for tasks that they are better suited to.