Launching a Vendor Risk Management Program with Limited Resources

Financial services firms and other highly regulated companies have run vendor risk management (VRM) programs for years to meet regulatory demands. Those organizations typically have large, dedicated teams running sophisticated programs. Other industries now recognize the importance of VRM but lack the resources to build elaborate programs from the start.

Recent research from EY shows that 30 percent of organizations have experienced a third-party breach within the past two years. Because third-party breaches affect organizations of every size and industry, a systematic, repeatable VRM program is needed to reduce the chance that a vendor becomes the route of an attack.

Yet launching a VRM program can seem daunting, especially when only one or two people are tasked with monitoring and assessing hundreds (or thousands) of vendor relationships. The good news is that an effective vendor risk management program is achievable with the right plan: one that lets a small team start with a manageable scope, build a framework for success, and expand and improve over time.

The first step is to make the business case for automating vendor risk management. A centralized repository for vendor information and risk-related documentation, together with automated workflows for otherwise tedious VRM activities, lets the team assess a larger share of the vendor population with the same headcount.

Once established, teams should focus on implementing a standardized, automated process for onboarding third parties and identifying the highest risk vendors, using the following steps as a baseline.

Identify All Third-Party Relationships

Identifying third parties, meaning the external vendors, suppliers and partners that make up the supply chain, is the first step. Start by finding out which vendors the organization actually pays; accounts payable and procurement records are typically the most complete source. Because risk can come from any third party regardless of its size or function, compile a complete list of vendors, both large and small.

Alongside this list, identify the line of business (LOB) contact who owns each third-party relationship. That contact knows what the vendor does for the organization, which is needed to determine inherent risk and scope the assessment appropriately. LOB contacts are also the first call when issues arise or a periodic service review is due. Automation and self-service portals help centralize the exchange of this information so the relationship can be managed effectively.

Onboard All Vendors

A formal onboarding process lets the team decide whether the organization should be doing business with a third party, based on how that relationship exposes the organization to risk. When the program is first implemented, put every existing vendor through the onboarding process; thereafter, use the same process for any new vendor an LOB contact requests.

Quantify Inherent Risk

While every third party must be onboarded, they do not all merit equal attention. Vendors that provide critical services or handle sensitive data carry a higher degree of inherent risk and need more thorough vetting, starting with an inherent risk questionnaire. The questions should map to a scoring system that indicates whether a vendor carries enough risk to warrant more than a cursory review. Software can apply that scoring consistently, assess the inherent risk of a third party quickly, and generate the follow-up tasks required.

Send Vendor Questionnaires

Following the inherent risk questionnaire, any vendor classified as carrying a significant level of inherent risk should receive a comprehensive assessment that lets the team understand the risk controls it has in place. Automated scoping tools can calculate the breadth and depth of the questions each vendor's assessment requires, so a vendor is asked only about the control areas relevant to its risk profile.

Questionnaire templates, such as Shared Assessments' industry-standard SIG (Standardized Information Gathering) questionnaire, give teams a best-practice starting point rather than forcing them to write questions from scratch.

Evaluate Assessments & Remediate Issues

The final step is to evaluate and score the assessments in order to identify outliers with issues that require remediation. Automated tools can analyze vendor responses immediately, flag areas where a vendor does not meet your business requirements, and calculate an assessment score, which lets a small team concentrate on high-value risk activities and on the vendors that need follow-up.

The assessment score, read against the organization's risk appetite and internal policies, then determines next steps, including the cadence for ongoing monitoring.
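To make the scoring, tiering, scoping and evaluation steps above concrete, here is an added example in Python. It is not code from the article, not the Shared Assessments SIG, and not any vendor tool. The question weights, tier thresholds, control domains, minimum requirements, acceptance threshold, monitoring cadences and the two sample vendors are all constructed assumptions; a real program would set them from its own risk appetite and policy.

```python
# Added example (not from the article, Shared Assessments or any VRM tool).
# All weights, thresholds, domains, requirements and vendors below are assumed.

# Inherent-risk questionnaire: each answer carries points.
INHERENT_QUESTIONS = {
    "data_classification": {"public": 0, "internal": 2, "confidential": 5, "regulated": 8},
    "service_criticality": {"low": 0, "medium": 3, "high": 6},
    "network_access": {"none": 0, "limited": 3, "privileged": 6},
    "uses_subcontractors": {"no": 0, "yes": 2},
}
# Score bands to tiers, checked from the highest threshold down.
TIER_THRESHOLDS = [(14, "high"), (7, "medium"), (0, "low")]
# Control domains each tier is asked about; low risk gets a cursory review.
SCOPE_BY_TIER = {
    "low": ["security_policy"],
    "medium": ["security_policy", "access_control", "incident_response"],
    "high": ["security_policy", "access_control", "incident_response",
             "encryption", "business_continuity", "subcontractor_management"],
}
# Minimum acceptable answer per control: a bool must be True, a number is a floor.
REQUIREMENTS = {
    "security_policy": {"written_policy": True, "approved_by_management": True},
    "access_control": {"mfa_for_admins": True, "access_reviews_per_year": 2},
    "incident_response": {"documented_ir_plan": True, "ir_plan_tests_per_year": 1},
    "encryption": {"encrypted_at_rest": True, "tls_in_transit": True},
    "business_continuity": {"bcp_documented": True, "dr_tests_per_year": 1},
    "subcontractor_management": {"assesses_subcontractors": True, "flow_down_terms": True},
}
ACCEPTANCE_THRESHOLD = 80  # percent of in-scope controls that must be met
MONITORING_CADENCE_MONTHS = {"high": 12, "medium": 24, "low": 36}


def inherent_risk_score(answers):
    """Sum points over every question. A missing or unknown answer is an
    error, not zero, so an incomplete questionnaire cannot score as low risk."""
    score = 0
    for question, options in INHERENT_QUESTIONS.items():
        answer = answers.get(question)
        if answer not in options:
            raise ValueError(f"{question}: missing or unknown answer {answer!r}")
        score += options[answer]
    return score


def risk_tier(score):
    return next(tier for threshold, tier in TIER_THRESHOLDS if score >= threshold)


def evaluate_assessment(tier, responses):
    """Compare responses with the minimum for every in-scope control.
    An unanswered control is a gap, never a pass."""
    gaps, total = [], 0
    for domain in SCOPE_BY_TIER[tier]:
        answered = responses.get(domain, {})
        for control, minimum in REQUIREMENTS[domain].items():
            total += 1
            value = answered.get(control)
            if isinstance(minimum, bool):
                met = value is True  # the string "yes" or None does not pass
            else:  # bool is an int subclass in Python, so exclude it explicitly
                met = (isinstance(value, (int, float)) and not isinstance(value, bool)
                       and value >= minimum)
            if not met:
                gaps.append(f"{domain}.{control}")
    score = round(100 * (total - len(gaps)) / total) if total else 0
    return {"score": score, "gaps": gaps,
            "remediation_required": score < ACCEPTANCE_THRESHOLD,
            "review_every_months": MONITORING_CADENCE_MONTHS[tier]}


def onboard_vendor(name, inherent_answers, responses):
    """Score -> tier -> scoped assessment, returned as one onboarding record."""
    score = inherent_risk_score(inherent_answers)
    tier = risk_tier(score)
    record = {"vendor": name, "inherent_score": score, "tier": tier,
              "domains": list(SCOPE_BY_TIER[tier])}
    record.update(evaluate_assessment(tier, responses))
    return record


# Constructed sample vendors with hypothetical names and answers.
SAMPLE_VENDORS = {
    "Payroll SaaS": {
        "inherent": {"data_classification": "regulated", "service_criticality": "high",
                     "network_access": "limited", "uses_subcontractors": "yes"},
        "responses": {
            "security_policy": {"written_policy": True, "approved_by_management": True},
            "access_control": {"mfa_for_admins": True, "access_reviews_per_year": 4},
            "incident_response": {"documented_ir_plan": True, "ir_plan_tests_per_year": 1},
            "encryption": {"encrypted_at_rest": True, "tls_in_transit": True},
            "business_continuity": {"bcp_documented": True, "dr_tests_per_year": 0},
            "subcontractor_management": {"assesses_subcontractors": False},
        },
    },
    "Office Plant Service": {
        "inherent": {"data_classification": "public", "service_criticality": "low",
                     "network_access": "none", "uses_subcontractors": "no"},
        "responses": {"security_policy": {"written_policy": True, "approved_by_management": True}},
    },
}


def run_samples():
    return {name: onboard_vendor(name, v["inherent"], v["responses"])
            for name, v in SAMPLE_VENDORS.items()}
```

Two details matter for a small team that relies on automation: an incomplete inherent-risk questionnaire raises an error instead of scoring zero, so a vendor cannot slip into the low tier by leaving questions blank, and an unanswered control in the assessment counts as a gap, so silence never reads as compliance. Calling `run_samples()` returns one record per vendor with its tier, the domains it was asked about, its score, the gaps to remediate and the review cadence; in the constructed data the payroll vendor lands in the high tier, meets 9 of 12 controls (score 75) and is flagged for remediation, while the plant service is low tier, gets the cursory review and passes.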

Once these processes are in place and running smoothly, small teams will have more bandwidth to expand the program and focus on long-term mitigation strategies.

Making incremental improvements, such as enhancing reporting strategies, incorporating external content into assessments or implementing vendor issue management, can help drive consistency, build confidence with regulators, and improve negotiation power with actionable data about third-party performance.
