Vendor risk management (VRM) is rapidly gaining importance as cyber security strategies evolve. Since the pandemic forced critical operations into a remote work setup, business entities are challenged every day by new security, privacy, and business continuity risks associated with their vendors.
But this challenge has not slowed the demand for third-party vendors. The pandemic has pushed the information technology realm forward at an incredible speed, and the work-from-home requirement is rapidly increasing reliance on vendors, particularly cloud providers.
These conditions make vendor risk management a vital concern for business operations. For effective vendor risk management, there are multiple factors to consider when assessing a vendor, and they vary with the company’s infrastructure, business objectives, the jurisdictions it operates in and the applicable laws.
There are some common yet essential VRM best practices that every business should include in its risk management strategy. This article discusses these best practices in greater detail.
What is vendor risk management (VRM)?
Vendor risk management (VRM) is a risk management process that identifies and mitigates potential business risks faced by companies while dealing with external vendors. Vendor risk management gives a complete insight into the vendor’s infrastructure, processes, and ability to deal with cyber security or data privacy risks.
Why do you need VRM (vendor risk management)?
In practice, vendor risk management has always seemed a significant compliance barrier because the vendor processes it covers keep changing, whether onboarding and offboarding, due diligence, the request for proposal (RFP) process, legal liabilities, contractual obligations or continuous monitoring.
Furthermore, business transactions with vendors always carry high-risk factors arising from the unreliable relationship between the business entity and its vendors.
Large companies and small and medium enterprises outsource to vendors for human resource management, employee compensation, customer relationship management, or enterprise resource planning. Each of these vendors in turn adds second-tier vendors that supply the tier 1 vendor. This hierarchy creates a complex vendor supply chain that only an effective vendor management program can manage.
With an effective vendor risk management program, business entities strengthen their compliance programs and better understand the interlocking vendor relationships that their organisation relies on to perform daily business operations.
A simple employee screening or background check does not provide enough information to comprehensively assess a potential vendor or to determine whether that third-party vendor is reliable to work with. It is recommended to seek a depth of diligence that leverages global data assets on entities, including legal name, organisational structure, parent and umbrella companies, all beneficial owners, and industry. This allows organisations to understand the entire infrastructure behind a specific vendor and follow its risk at an even better level than through the enterprise vendor risk assessment.
How do I create a better vendor risk management program?
The motivation behind vendor risk management is to identify all possible risk factors associated with a vendor and mitigate them in a timely manner. An effective vendor risk management program takes this approach and boils down to the following elements, which decrease risk exposure and avoid business disruption:
- Developing a risk appetite statement to define the company’s risk appetite. Once the company identifies the threshold of its risk appetite, it can understand what kind of vendor risk it can bear and what type of risk it should avoid.
- Managing risks for each individual product or service offered by a vendor to minimise operational risks.
- Choosing a framework for vendor assessment to define roles and responsibilities when handling vendor risks.
- Identifying the risk types that concern the company’s business operations. Not every risk needs to be assessed, as the assessment depends upon the business process and its outcome. So every VRM program should define risk levels in order to eliminate the high and medium risk factors.
- Creating a comprehensive vendor inventory to track the critical attributes defined by the business entity.
- Classifying and ranking each vendor based on the criticality of its systems and services.
- Conducting risk assessments regularly to mitigate potential risks before they are exploited.
- Tracking key terms in vendor contracts.
- Reporting on relevant vendor-related metrics.
- Monitoring risks and vendor performance continuously.
Vendor risk management best practices
1. Identify the risks that concern the company most
While dealing with vendors, there are several vendor risks a company should take into consideration in its vendor risk management program, including but not limited to:
- Strategic risk
- Cybersecurity risk
- Operational risk
- Compliance risk
- Financial risk
- Geographic risk
- 4th-Party risk
- Replacement risk
- Privacy risk
- Reputational risk
- Business continuity risk
- Performance risk
- Environmental risk
- Concentration risk, etc.
It should be noted that, based on its organisational structure and business process, a company should identify which category of risk to address first. Most of the time, companies may not track all of the risk categories mentioned above.
For example, if you are a company operating in the financial sector, understanding a vendor’s risk for potential bribery can be a great starting point for effective VRM.
As a best practice, business entities may first identify the first five categories of the risks mentioned above, i.e. strategic, cybersecurity, operational, compliance and financial.
It should not be forgotten that monitoring and mitigating a large number of risks is tiring and may upset the balance between business operations and the defensive safeguards meant to avoid disruption.
So gradually managing vendor risks based on products, services and operations will give a greater understanding of the company’s overall risk exposure to third-party vendors.
2. Assess a vendor’s services and products separately for risk management
A vendor may offer different products and services, each imposing different kinds of risk factors and having separate security measures. Even the same vendor has different security measures for different products and services, which require an independent assessment.
For example, Salesforce CRM and Salesforce Pardot are two separate products sold by the same vendor, Salesforce. In this case, the vendor is the same. However, the products are different, i.e. CRM and Pardot. Each product has its own compliance obligations and a different set of implemented security measures.
Let’s take an example for a service. Amazon is an extensive manufacturing and supply business that may be considered a low-risk vendor when buying goods and supplies for a business. The same company becomes a high-risk vendor when business entities host their applications on the Amazon Web Services (AWS) cloud. So Amazon as a supplier does not require much vendor management effort, but the same vendor in the latter example presents a much greater risk.
3. Determine the data types involved with the vendor
Before contracting with any vendor, the possible data types involved in the services should be identified. Identify whether any personal or sensitive data is exposed to the vendor and which regulations the vendor must comply with.
Describe how much access to IT or data systems the vendor requires and whether it accesses sensitive data. Consider in your risk management the scenario where the vendor will access a crucial database and its exposure could prove catastrophic for the business entity.
4. Maintain accurate vendor inventory
Separate vendors by the risk level they pose by evaluating their safeguards, business practices, policies and procedures. List all vendors in a single system of record for better vendor risk assessment. Once the vendors are categorised and ranked, compare the ranking with the risk appetite of the business and plan which vendors require more consideration.
From there, manage the most critical vendors first and further document which vendors they themselves use to support the product or service they provide you (i.e. second-tier vendors).
5. Pick a proper assessment framework
It should be noted that there is no ideal assessment that works for everyone. Many vendor assessment standards and frameworks are used by the industry. However, organisations may still find an assessment framework that works for every entity they do business with.
Data protection and privacy regulations should also be taken into account. Common industry assessment standards and regulations include but are not limited to:
1. System and Organisational Controls (SOC)
SOC requires companies to communicate with external vendors regarding matters affecting the functioning of internal control.
2. Payment Card Industry (PCI)
PCI compliance is mandated for credit card companies. It requires two-factor authentication for vendor remote access, ensuring that the vendor’s employees are trained to be aware of attempted tampering, and prohibiting cardholder data from being copied, moved, and stored onto the local hard drives of an external vendor.
3. ISO/IEC 27001
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) require companies to have separate controls for information security in supplier relationships and for supplier service delivery management.
4. General Data Protection Regulation (GDPR)
GDPR requires EU and UK entities involved in the processing of personal data to sign a data processing agreement between the organisation (which collects the data) and any third parties (which provide services) that process personal data on its behalf.
5. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA requires all concerned entities to address the privacy of the citizens it protects. It may require business entities to restrict the use and disclosure of protected health information without prior authorisation.
6. California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) mandates that businesses provide consumers with rights, with the cooperation of their service providers. These rights are:
- The right to know what personal information is collected about them and how it is used and shared.
- The right to delete personal information collected from them (with some exceptions).
- The right to opt-out of the sale of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
6. Automate vendor management process
Manual vendor management requires a lot of time and human resources. To avoid this burden, a cost-effective approach is to automate the actions involved in managing vendors. Automation examples include pre-designed assessment templates, auto-flagging of risks, assigning risk appetite, easy collaboration with stakeholders and triggering assessments based on a newly identified risk or an expiring contract.
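The following is an added example, not code from the article or from any VRM product, that puts sections 2, 3, 4 and 6 together in one small script: each product or service is scored separately from data classification and system access, vendors are ranked in a single system of record, second-tier (4th-party) vendors are recorded, and assessments are triggered automatically when an engagement above the risk appetite has never been assessed, when its last assessment is stale, or when its contract is about to expire. The weights, tier thresholds, vendor names and dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Weights and thresholds are assumptions made for this example, not figures from the article.
DATA_WEIGHT = {"public": 0, "internal": 1, "personal": 2, "sensitive": 3}
ACCESS_WEIGHT = {"none": 0, "read": 1, "write": 2, "admin": 3}
TIER_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Engagement:
    """One product or service bought from a vendor, assessed on its own."""
    vendor: str
    product: str
    data_class: str                 # highest data classification the vendor sees
    access: str                     # access the vendor has to IT or data systems
    contract_end: date
    subcontractors: tuple = ()      # second-tier (4th-party) vendors it relies on
    last_assessed: Optional[date] = None


def risk_score(e: Engagement) -> int:
    """Score 0..6 from data exposure plus system access for one product/service."""
    return DATA_WEIGHT[e.data_class] + ACCESS_WEIGHT[e.access]


def risk_tier(e: Engagement) -> str:
    s = risk_score(e)
    return "high" if s >= 5 else "medium" if s >= 3 else "low"


def rank_vendors(inventory):
    """Single system of record: vendors ranked by their most critical engagement."""
    worst = {}
    for e in inventory:
        worst[e.vendor] = max(worst.get(e.vendor, 0), risk_score(e))
    return sorted(worst, key=lambda v: (-worst[v], v))


def assessments_due(inventory, today, appetite="low", horizon_days=90, max_age_days=365):
    """Return (vendor, product, reasons) for engagements that need an assessment now.

    Triggers: an engagement above the risk appetite that was never assessed or
    whose last assessment is older than max_age_days, and any contract that
    expires within horizon_days. Most critical engagements come first.
    """
    due = []
    for e in sorted(inventory, key=lambda e: (-risk_score(e), e.vendor, e.product)):
        reasons = []
        if TIER_ORDER[risk_tier(e)] > TIER_ORDER[appetite]:
            if e.last_assessed is None:
                reasons.append("never assessed")
            elif (today - e.last_assessed).days > max_age_days:
                reasons.append("assessment stale")
        if today <= e.contract_end <= today + timedelta(days=horizon_days):
            reasons.append("contract expiring")
        if reasons:
            due.append((e.vendor, e.product, reasons))
    return due


def fourth_parties(inventory):
    """Map each subcontractor to the engagements it supports (second-tier vendors)."""
    out = {}
    for e in inventory:
        for sub in e.subcontractors:
            out.setdefault(sub, []).append(f"{e.vendor}/{e.product}")
    return out


# Constructed sample inventory; vendor names and dates are hypothetical.
# The same vendor appears twice to show that each product is scored separately.
SAMPLE = [
    Engagement("ExampleCloud", "IaaS hosting", "sensitive", "admin",
               date(2024, 9, 30), ("ExampleDC",), date(2023, 1, 15)),
    Engagement("ExampleCloud", "Office supplies", "public", "none",
               date(2025, 6, 30)),
    Engagement("ExampleCRM", "CRM", "personal", "write",
               date(2025, 3, 31), (), date(2024, 3, 1)),
    Engagement("ExamplePayroll", "Payroll", "sensitive", "read",
               date(2024, 12, 31), ("ExampleBank",)),
]
TODAY = date(2024, 8, 1)

if __name__ == "__main__":
    print("ranking:", rank_vendors(SAMPLE))
    for vendor, product, reasons in assessments_due(SAMPLE, TODAY):
        print(f"{vendor} / {product}: {', '.join(reasons)}")
    print("4th parties:", fourth_parties(SAMPLE))
```

With the sample data the cloud hosting engagement is flagged twice (stale assessment and expiring contract) while the office supplies bought from the same vendor are not flagged at all, which is the point of assessing products and services separately; the CRM engagement sits above the appetite but has a current assessment, so it produces no trigger.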
7. Create assessment questionnaires to get responses from the vendor
Business entities should provide a comprehensive questionnaire for vendors to assess their procedures and infrastructure. Make the process of getting the vendor’s response to the questionnaire more straightforward via automation tools or constructive meetings. Consider the following questions in your questionnaire:
- How will the services be provided?
- How will the vendor deliver the proposed services: what IT systems, data, and network design will it use?
- What protections does the vendor offer?
- What are the vendor’s current information security procedures?
- Will the vendor subcontract any services? If so, what are the subcontractor’s security procedures?
8. Periodic due diligence and ongoing monitoring
Perform vendor due diligence annually to track the yearly performance of each vendor. Review the vendor’s financial statements once released and define an audit process, using either third-party audit reports or vendor self-assessments. Ongoing monitoring is an integral part of vendor risk management that helps ensure all vendors align with regulatory, legal and contractual standards.
The demand for hiring external vendors will never go down because of their perks and cost-effective solutions. Organisations need healthy and robust vendor relationships to gain better value for their business. Moreover, to avoid the risk factors associated with vendors, the need for an effective vendor risk management program emerges.
This article discussed some standard best practices for managing external vendors and pointed out important factors that need to be in a VRM program, including identifying internal risks, maintaining a vendor inventory, determining what data will be disclosed to the vendor, and adopting an industry standard for achieving the ideal state of VRM.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skill set in offensive security.