What is Vendor Risk Management?

What is Vendor Risk Management?

  • November 10, 2022

Vendor risk management is a process companies use to identify, manage, and monitor ongoing risks associated with a vendor. 

Because 58% of companies believe they have suffered a data breach due to vendor access, the importance of having a solid vendor risk management plan in place cannot be overstated. 

Organizations often work hand-in-hand with outside vendors to cut down on costs or better serve customers. And because sharing access to sensitive information with vendors often can’t be avoided, organizations need to do so in a way that maintains their own security.

A well-appointed vendor risk management (VRM) process not only helps protect your organization from various types of threats, it also helps set clear expectations with vendors that can improve communication and foster a more productive partnership. 

In this primer, we’ll explain what vendor risk management is, common risk types, how to implement a plan within your organization, and best practices to develop your own vendor risk management program. 

Why is vendor risk management important?

Gone are the days when a written agreement or a signed NDA provided enough protection for organizations sharing sensitive information with an outside vendor. With the growing frequency and sophistication of cyber attacks, it’s imperative that companies put the same amount of scrutiny on the risk management practices of outside vendors as they do their own.

While the compliance landscape continues to evolve, many organizations aren’t keeping pace with industry standards. In a 2019 survey conducted by Compliance Week and Aravo, 43% of surveyed practitioners claimed that their board didn’t have a good handle on third-party risk. 

Not having a clear-cut vendor risk management process can cost companies dearly. Data breaches caused by third parties cost organizations an adjusted average of $4.29 million in 2019. 

When companies choose to enter a partnership with a third party, they open themselves up to increased digital risk and, by extension, increased enterprise risk. Beyond that, industry regulations such as the General Data Protection Regulation (GDPR) and the New York SHIELD Act are solidifying the necessity of creating and maintaining ongoing VRM best practices.

Types of vendor risks 

As you begin to build your vendor risk management process, it’s important to understand the types of risks your organization faces. Understanding which types of risk are most critical to your business will help you better understand your risk exposure when working with outside vendors. 

Cybersecurity risk: This type of risk involves the susceptibility of an organization to damage from cyber attacks resulting in loss of data and reputational harm. This type of risk includes three components: threat (the entity carrying out the attack); vulnerability (the area of weakness that the threat can exploit); and consequence (results of the vulnerability being exploited). 

Cybersecurity risks include ransomware attacks, malware, phishing, denial-of-service attacks, and even insider threats, to name a few. A recent example is the March 2021 ransomware attack on CNA Financial Corp. The company ended up paying $40 million to regain control of its network. 

Compliance risk: Compliance risk comes from a violation of laws, regulations, and internal processes that a company must follow. These will vary by industry, but common compliance frameworks include HIPAA and PCI. Failure to comply with these regulations often comes with a hefty fine, so it’s important that any third-party vendors or service providers you work with are also in compliance. An example of this is Marriot’s 2019 fine of more than £99 million for infringements of the GDPR that resulted in a cyber attack that exposed the personal data of over 339 million guests.  

Reputational risk: This type of risk is associated with the public perception of an organization that can suffer in the aftermath of a data breach or insecure data handling that’s not up to industry standards. An organization opens itself up to reputational risk damage if questionable ethical practices or poor crisis management is brought to light. 

Financial risk: This type of risk a company faces by doing business with another organization that, should they be breached, would cause financial risk. This could include lost revenue or excessive costs, both of which can hinder the growth of a business.   

Operational risk: Operational risk could involve the business interruption of a third-party vendor that disrupts your own organization’s operation or flawed process, procedures or policies. An example could include your third-party vendor experiencing a ransomware attack or a natural disaster impacting the supply chain.  

Strategic risk: These types of risks are associated with or created by a company’s business strategy or business objectives and changes to technology, personnel, or events that could impact the defined strategy and objectives. Third-party vendors come into play with this type of risk when decisions made or changes to their operations do not align with your company’s objectives or security requirements. 

Key performance indicators (KPIs) and key risk indicators (KRIs) can be helpful tools to measure and monitor a third-party vendor’s performance over time to ensure changes to their business objectives or strategy aren't impacting your own company goals.

The benefits of vendor risk management

The most obvious benefit of a solid vendor risk management plan is to minimize risk to an acceptable level. This allows you to focus on driving value from third-party partnerships and maintaining a positive public image.

Creating a vendor risk management process requires an initial investment, but the costs associated with not having one (data breaches, regulatory compliance fines, disruptions in business continuity, etc.) can often cost much more. Having a vendor risk management plan can help identify vendors that do not have a strong enough cybersecurity program to meet a defined required security standard for protecting customer data. 

A vendor risk management plan will often introduce more steps to your vendor onboarding process because each vendor will undergo a due diligence process during procurement. However, having a step-by-step process for collecting information, creating vendor profiles, assigning risk categories, and communicating with vendors can help streamline the process. 

In terms of information security, having a vendor risk management program in place helps your organization understand how data flows, where it’s stored, and how to manage access to that information.

What is a vendor risk management plan? 

A vendor risk management plan is a step-by-step program that a company adopts in order to identify, measure, monitor, and reduce the risks associated with an outside vendor. The plan clearly lays out the expectations a company has when it comes to vendor behavior and access to data. 

The process begins with a due diligence exploration of a vendor’s risk profile. Vendor risk assessments are used to identify any potential risks and better understand how data is shared before entering into a legal agreement. Due diligence can include reviewing vendor compliance reports and the attestations of compliance to requesting vendors to perform a vendor security questionnaire and reviewing results.  From there, a process should be in place to consistently monitor your vendor's security posture and identify potential threats before they impact your business. 

Vendor risk management plans may look a little different depending on your organization’s industry, but they often include a contract between the two parties detailing terms of use and a responsibility matrix determining how customer data and services are managed throughout the partnership. 

To ensure your vendor risk management plan is successful, it’s important to have internal teams work together to help coordinate best practices and document risk. This includes HR, legal, compliance, and any other teams that are involved in shared responsibilities with the vendors.

What is the Third-Party Risk Management lifecycle?

As you create your vendor risk management plan, it’s helpful to understand how those vendor relationships will evolve over time. That process includes:

  1. Planning: The planning phase is an opportunity to design a vendor risk management program that’s tailored to your organization’s unique needs. Think through your organization’s goals for managing vendor risk and outline new tasks, responsibilities, and workflows that will need to be adopted for your vendor risk management plan to move forward. This is also a chance to rethink how previous vendors were chosen and onboarded and implement a standard for how onboarding will be managed in the future. The planning phase could also include the creation of a vendor inventory and the classification of each vendor into a risk tier. 
  2. Vendor selection: Due diligence must be performed before entering into a contract with a vendor. This is the point where you should ask questions around their data protection practices or obtain attestations of compliance. Example questions include what type of training they do internally to mitigate risk and how often they perform internal risk assessments. 
  3. Contract negotiation: Once a vendor has been selected, a contract should be drafted that outlines the expectations and responsibilities of each party. Topics to cover include reporting and data governance, mitigation of any risks identified in the vendor selection process, performance expectations, and disaster recovery planning. This is also an opportunity for both organizations to get aligned on the work you’ll be doing together, how it will be done, and how it will be audited.
  4. Vendor onboarding: During this phase, your organization should gather as much information about the vendor as possible. This is used to create a robust vendor profile. The onboarding stage is also the time to set up the vendor within your organization’s workflows, introducing the vendor to the tools and software they will be using, and sharing necessary access.
  5. Continuous monitoring: Throughout the vendor relationship, your organization should be monitoring vendor compliance and performance to help eliminate risks. Compare performance against the contract in place as well as the industry standards for security to ensure your vendors remain competitive.  
  6. Vendor offboarding: At the end of the vendor term, the contract should be reviewed again to ensure that all obligations have been met. Offboarding can then take place, with careful consideration regarding data preservation and disposal.

How to implement a vendor risk management program

After identifying the need for a thorough vendor risk management program, it’s time to map out each step of the process. 

1. Understand your vendor’s risk factors 

The first step is to get a clear picture of the risk types a vendor may pose in regard to your organization. Collecting as much information as you can during this due diligence stage will help you build a risk profile for each vendor. 

You can do this by listing out all of the vendors you work with and prioritizing them by the threat each poses. Consider the level of access they may have to internal data or your organization’s ability to function if the vendor were to shut down for a period of time. 

A few questions to ask during this stage include:

  • What type of data is shared with the vendor?  
  • How are we sharing that data?
  • Who has access to this data?
  • How is that data stored?

Once risks have been identified and categorized, you can assign risk levels to vendors. One way to do this is to look at the impact of a risk and the probability of it occurring. 

From there, you can organize vendors into tiers:

  • Tier 1: High risk, high criticality
  • Tier 2: High risk, medium criticality
  • Tier 3: High risk, low criticality
  • Tier 4: Medium risk, high criticality 
  • Tier 5: Medium risk, medium criticality
  • Tier 6: Medium risk, low criticality
  • Tier 7: Low risk, high criticality
  • Tier 8: Low risk, medium criticality 
  • Tier 9: Low risk, low criticality 

Manual tiering is a popular route that provides organizations with greater flexibility and personal preference. Organizations can also use tools such as security questionnaires to score a vendor’s risk potential.

2. Review the right security framework for your organization

After identifying the risks vendors pose to your organization, it's time to review the security framework that is most relevant to your company. For example, if your vendor processes debit or credit card payments, you’ll want to ensure they are in compliance with the Payment Card Industry Data Security Standard (PCI DSS). If you operate in the healthcare industry, you’ll want your vendor to be compliant with HIPAA

3. Prepare contracts for your vendors

Working closely with your legal team, you’ll want to create contracts that outline the specifics of your business relationship and compliance expectations you hold for your vendors. 

Companies often have templates they use when writing contracts for vendors, but it’s important to tailor specifics of the contract to your vendor and the relationships you both share. 

4. Set up an internal vendor risk management team

Dedicating a team to work with vendors can help with communication, as well as streamline the ongoing monitoring of vendor relationships. This often involves hiring experienced risk managers or training current employees on vendor risk management practices. 

This team should own the setup of the vendor selection process, including creating documentation for choosing future vendors, collecting vendor details, and establishing ongoing reporting processes. A reporting process with vendors could include identifying any vulnerabilities and quickly resolving them. 

5. Monitor and refine your program over time

Once you begin collecting vendor information and tracking risks over time, your organization can make adjustments to improve the overall vendor relationship management process.

Vendor risk management best practices

To ensure your vendor risk management program is set up for success, here are a few best practices to keep in mind:

  • Conduct a thorough exploration of a vendor’s risk management practices before signing a contract: Security questionnaires should be completed before agreements are in place to understand a product’s or service’s function,  how it’s designed, and how data flows. This also provides an opportunity to learn more about the vendor’s reputation. 
  • Ensure the vendor contract covers all necessary categories: If questionnaire results are satisfactory, then legal agreements should be created that include the agreed upon security standards and obligations. 
  • Create consistent compliance and security training within your own organization: Often, data and security breaches happen through human error, so providing ongoing security awareness education can help lower the internal risk of a problem occurring. 
  • Monitor fourth-party vendors: There’s a good chance your vendors are also using vendors, which opens the door to fourth-party risk. While you won’t have contracts with these vendors, you can ask vendors for attestation for compliance against frameworks such as SOC 2, which will require vendors to conduct their own due diligence on the vendors they work with.

Why you should automate vendor risk management

The vendor risk management process can be a heavy burden on your organization. Risk assessments and ongoing monitoring of vendors can require employees to spend countless hours sifting through data. 

Automating this process can not only save your organization time; it can also speed up the process of assessing a vendor’s risk profile and onboarding new vendors. And because 60% of organizations are now working with more than 1,000 third parties, reducing the risk of human error is also an attractive benefit of vendor risk management automation. 

When looking for an automated vendor risk management product, look for one that offers an easy-to-use platform in addition to a team of security and compliance experts to guide your organization through every step of the vendor risk management setup process.

How Secureframe can help companies manage vendor risk 

Secureframe is able to integrate with dozens of common vendors you're already using, retrieve their security information on your behalf, and provide a detailed report of their risk profile.

Automating this repetitive, labor-intensive process can greatly speed up vendor evaluations and onboarding processes. Secureframe’s team of compliance experts can also help you complete faster risk assessments with auditor-certified security questionnaires. 

To find out more about how Secureframe can improve your VRM process, request a demo of our platform today.