In Part One of our blog series on vendor risk management (VRM), we looked at some of the hurdles organizations face when it comes to vendor risk management. One of these challenges was overcoming complacency with your VRM program. VRM should be a growing, evolving part of risk management, and without regular assessment and improvement, it won’t be able to effectively inform and protect your business. In Part Two of this series, we will walk through the critical steps of identifying and profiling vendors and look at the important role vendor profiling plays in identifying vendor risk, strengthening your VRM program, and finding opportunities for improvement.

Step 1: Performing Pre-Contract Due Diligence

A VRM program ensures that the use of third-party service providers does not carry an unacceptable risk of business disruption or otherwise have a negative impact on business performance.  In order to carry out this responsibility, your program must have processes in place to carefully evaluate vendors before they partner with your organization.

The first step of this process is identifying the need for a third-party service provider. The two most common reasons for choosing an outside service provider are 1) the opportunity cannot be met by in-house employees or 2) it is more cost-effective to outsource. Identifying a specific need (or needs) will help you then establish the type of relationship your organization will have with the vendor.

Before inking a deal with your new vendor, your organization needs to do its due diligence. Proper due diligence requires organizations to identify who within the organization has the authority to determine a service need and who will act as the primary point of contact for inquiries related to the third party.  

When selecting a third-party vendor, organizations should consider the vendor’s reputation, experience, history of incidents, and corporate policies and procedures, particularly as they relate to data security and privacy.

When issued as part of the due diligence process, third-party questionnaires can provide valuable insight into a vendor’s security measures and policies. Before determining the questions to ask in the survey, it’s important to consider how this vendor will interact with your data. Will they be collecting, assessing, processing, transmitting, or storing any of your data? If so, your organization will need to evaluate the potential privacy and security risks that may arise if you initiate a relationship with this third party.

 

Step 2: Creating a Vendor Risk Profile

As we saw in Part One of this series, the average number of vendors per company is growing, third-party threats are evolving, and regulatory requirements are constantly changing, which means VRM is becoming more and more complex. Therefore, creating a comprehensive risk profile for each vendor is a critical step for protecting your organization. Your vendor risk profiles should answer the following:

  • What services does the vendor provide?
  • How essential are these services to your organization?
  • What will be the length of the relationship you will have with this vendor?
  • What kind of data will the vendor have access to? Will the vendor store any of this data, and if so, how much?
  • Which internal systems and applications will the vendor require access to? What network access does the vendor require?
  • What would the business impact be if there was a breach or the data was compromised through a third-party breach?
  • Can you use the answers to these questions to assign the vendor a risk score of high, medium, or low?

Many organizations rely on the use of vendor questionnaires to help them answer these questions and build risk profiles. In addition, regular assessments of your vendors are a critical part of vendor risk management, and completed risk profiles are valuable resources during these assessments.

During the vendor onboarding process, your contract should include expectations and obligations around risk management, such as:

  • The timeframe for the agreement and performance standards;
  • The level(s) of access the vendor will have to the data it will be handling (processing);
  • Specifications and frequency of when and how vendor will receive data;
  • Service expectations of the organization on the vendor, including any possible additional services such as software support and maintenance;
  • Authorization for the organization to audit and monitor vendor at any given time; and
  • Cost and compensation between the organization and the vendor for its service.

These contract terms should be included in the risk profile, so you can easily review the important details of the contractual relationship that may affect a vendor’s risk score.

 

Step 3: Using Vendor Profiles to Address VRM Risks

You can use these vendor profiles to build a risk tolerance structure, which allows you to determine the level of risk to your organization by measuring the probability or likelihood of risk against the consequence severity. These vendor profiles can help your organization determine whether vendors are low risk or high risk, so you have a system that enables you to prioritize vendor risk appropriately and develop a targeted strategy to address these risks. This ranking system brings a number of significant advantages:

  • Your organization can make better decisions around vendor selection and security and privacy.
  • Your organization can place defined requirements on third-party vendors that will protect critical data.
  • Your organization has the ability to prioritize vendors based on risk and to develop a clear strategy to manage and address these risks.

For low-risk vendors, a periodic self-assessment or questionnaire may be a sufficient way of monitoring the security measures of a vendor. However, when it comes to higher-risk vendors, one best practice is to perform regular in-depth, on-site audits of their policies and procedures. You can then leverage your vendor profiles to categorize vendors based on risk and focus your audits on the vendors that need the most attention. Audit expectations should be set by your organization during the contracting process, so your vendors are aware that you have the contractual ability to audit their policies and processes at any point in time and that your requirements may change over time. It is critical that your organization uses its right to audit higher-risk vendors regularly, so that it is fully aware of any changes to their operations, technology, or security measures.


Building a successful VRM program is an ongoing process that constantly cycles through identifying, selecting, evaluating, and monitoring third-party relationships. In the end, organizations must remember that they are ultimately responsible for the security of their data, even when it’s being processed outside their walls. It is incumbent upon each organization to ensure that they are analyzing and mitigating risk at each stage of each vendor relationship. Security and privacy threats are always evolving, and although there is no way to guarantee an incident won’t occur, a VRM program will greatly assist the organization in mitigating the risk and minimizing the impact a possible breach may have.

Focal Point specializes in helping organizations build, assess, improve, and manage their VRM programs. Talk to an expert today and learn more about how we can help. 

Learn More

 


Want privacy and security updates and insights delivered straight to your inbox?

Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.