Vendor Risk


Opportunity and risk come in pairs

Vendor Risk

Vendor risk management (VRM) is the practice of evaluating business partners, suppliers, or third-party vendors both before a business relationship is established and during the duration of your business contract. This is an important concept and practice to put in place during the evaluation of your vendors and the procurement process.

When an enterprise outsources business processes to an external vendor, sensitive data may be transmitted, stored and processed on both company and vendor networks. Regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) mandate that risk management policies extend to third-party vendors, outsourcers, contractors and consultants.

In an increasingly complex regulatory environment, an organization's approach to VRM can significantly affect its ability to achieve its goals. Many organizations have a mandate from regulatory bodies to understand the risks posed by their vendors and fourth parties, while also keeping pace with regulatory changes.

Technology plays an important role in this effort by helping companies map vendor risks to the associated regulations, controls, internal stakeholders, and vendors, thereby improving risk transparency and accountability. It also helps ensure that companies have all the information they need to meet the demands of a changing regulatory environment. And finally, it streamlines the flow of vendor risk and compliance data, so that the right information reaches the right stakeholders at the right time.

What to Include in Your VRM Strategy
Your VRM strategy should include a contract that outlines the relationship that will exist between your business and the vendor. Because of the increasingly interconnected nature of global supply chains and flow of data, there should also be clear guidelines around who has access and control of sensitive information.

A key, yet often overlooked, feature of vendor risk management is understanding your vendor's cybersecurity program. This allows you to understand how well they're going to be able to secure your data, both from a physical and cyber perspective.

The vendor must also agree to and comply with any regulations that pertain to your industry. Finally, to ensure that all these contract requirements are met, vendor performance must be monitored on a continuous basis.


Vendor Risk Management: Addressing the Risks
Below is an overview of the many risks that third parties can bring to your enterprise:

Third-Party Legal Risk
There are many legal risks associated with sharing sensitive information with third parties. For instance, if your vendor is breached and you lose your customers' personally identifiable information (PII) like social security numbers or health care records, the law clearly states that you are responsible - not your vendor. Or, if you fail to spell out security expectations in your vendor contract, you may have no legal recourse whatsoever if your vendor compromises your data.

Third-Party Reputational Risk
So much of third-party vendor risk management is based on reputation. Be sure to ask a lot of questions at the beginning of the vendor procurement process so that you can weed out the businesses you'd rather not work with. In addition, you should also monitor news feeds during the procurement process. After all, you would want to know if a business associate has been hit with a lawsuit during the time you were engaged with them and how that could affect the performance of their contract with you. And don't forget about the reputational harm that could affect your company if your customers' sensitive information is stolen due to an insecure vendor.

Third-Party Financial Risk
If a vendor has a poor financial record or past performance, you'll want to know that information before engaging in a business relationship. That's why a lot of companies do credit monitoring for their vendors. You'll also likely want to ask other organizations who have previously done business with the third-party in question for references. This way, you'll be able to clearly evaluate the vendor's project plan and all the different things they're planning to do before entering into a contractual relationship.

Third-Party Cyber Risk
Of the various risks a vendor poses, some only need periodic updates, because they are relevant only at certain points of a business relationship. If you've established a vendor's creditworthiness at the beginning of the process, for example, you'll likely feel quite comfortable about their financial standing for the rest of the engagement. This is a good example of how some elements of vendor risk management do not require continuous monitoring.

Cyber risk
Cyber risk is unique in that things can happen at a moment's notice which could catastrophically damage your organization. You simply cannot rely on periodic or infrequent snapshots and assessments of your vendor's security health to understand cyber risk. What makes cybersecurity "special" is that a single incident can pose financial, reputational, and legal risks all at once.

Recommendations to Manage Vendor Risk
Managing a single vendor can be challenging; managing lots of vendors can be overwhelming. Putting processes and procedures in place to manage vendors can significantly reduce the risks associated with using vendors.


Centralization: The first step to managing vendors is to centralize the management of all vendors. You need to have a single repository for managing all of the documents and data associated with your vendors, including service level agreements (SLAs), statements of work (SOWs), and contracts. All of this information needs to be readily available and easy to access by the staff who manage those vendors.

Screening: All vendors should be screened and go through a standard due diligence process prior to onboarding. This screening process can be regularly reviewed and updated as needed.

Risk Scoring: Every business needs its own unique risk scoring metric to help prioritize the aspects that are most critical for vendors to meet. While this will vary based on the nature of the work that the vendor will perform, the score should reflect things like compliance, information security, and quality control.

Ongoing Assessments: Screening does not end with the onboarding process - it should continue throughout the life of the contract. You can set up alerts and reports to compare your vendors against national and international lists, including regulatory and watch lists, to ensure that problems with your vendors are found as early as possible.

Vendor management extends beyond daily activities. As we've shown, there are many risks associated with relying on vendors - and the more essential the vendor service or product, the greater the risks. To ensure that your company is not exposed to unnecessary risks, compliance issues, or negative publicity, risk management needs to be a core part of vendor management.

A solid vendor risk management strategy should include:
- A contract outlining the business relationship between the organization and the vendor.
- Consistent monitoring of vendor performance to ensure that contract stipulations are being met.
- Guidelines regarding who will have access to what information as part of the vendor agreement.
- Stipulations to ensure that vendors meet regulatory compliance guidelines for your industry, and a method to monitor this compliance.

Risk Governance

A risk management strategy provides a structured and coherent approach to identifying, assessing and managing risk or uncertainties followed up by minimizing, monitoring and controlling the impact of risk realities or enhancing the opportunity potential by applying coordinated and economical resources.

Our experts partner with clients on corporate planning, providing perspective not only on immediate value and impact, but on long-term implications. We work closely with management and other advisers to leverage and complement their knowledge and ensure maximum impact, and actively support implementation and skill building.

Featured Experts - Vendor Risk

Senior multi-disciplinary corporate and finance professionals with diverse geographic, sector and transaction focuses
Nav Kaplish
Nav is a seasoned business and technology executive with 18+ years of global corporate and entrepreneurial experience in building and managing digital teams and in leadership roles spanning Governance, Risk & Compliance, Audits and conceptualisation and delivery of Blockchain products.


Partner Digital, Blockchain & Risk
London


Preethi Hari
Preethi is a versatile senior-level corporate professional with 18+ years of experience in Risk Management, IT Governance, IT Security, Business Continuity, Audits, Compliance and Regulatory. She specialises in the COBIT/COSO frameworks, ITSM (ITIL), Six Sigma, SOX and similar standards in Banking, Insurance, Oil & Gas, Shipping, Mining, Logistics, Telecom and Commercial Real Estate.


Partner Risk Management
London

