Are Your Suppliers Putting You at Risk? 3 Areas to Mitigate Third-Party Risk

April 2022

Global events, such as the Ukraine-Russia conflict, are driving increased risk levels in nearly every organization’s supply chain. Often, companies fail to take action on this risk until it’s too late – a third-party breach has occurred, and their data is long gone, or a critical supplier experiences a service interruption, and the organization has no backup. As a result, organizations scramble to maintain resiliency with a reactive approach, but it’s typically too little, too late.

The best protection against third-party risk is to get it right from the start. You can develop third-party risk management best practices to navigate today’s minefield of risk no matter your organization’s resources. This post covers three key areas in which to take a proactive approach to third-party risk, along with expert advice on how to get each one right.

Vendor Risk Management

Third-party risk management is a critical function of any organization. Creating a strong foundation with standardized processes for every stage of the vendor lifecycle will give you more insight into the health of your vendor population.

The foundational steps to the vendor risk management process include:

  • STEP 1: Identify your vendors and establish an inventory
  • STEP 2: Define your company’s risk appetite
  • STEP 3: Determine inherent risk & classifications
  • STEP 4: Establish assessment questionnaires
  • STEP 5: Create an assessment schedule
  • STEP 6: Define who owns the process
  • STEP 7: Outline a contingency plan should an issue arise

Work with your team to develop complete, repeatable processes for each stage. With an end-to-end process in place for the vendor risk management (VRM) lifecycle, you’ll be able to mitigate your third-party risks proactively.

Ongoing Vendor Monitoring

Possibly the most crucial aspect of the third-party risk lifecycle is ongoing vendor monitoring. This stage is also the longest and most tedious, as it takes place throughout the relationship.

The objective of ongoing monitoring is to verify your vendor’s security routinely. It will help you ensure reliability, integrity and security throughout your vendor population.

Key risk areas to monitor for changes include:

  • Mergers and acquisitions
  • Negative news
  • Business continuity events (natural disasters)
  • Regulatory changes
  • Financial health
  • Cybersecurity ratings
  • Business process changes
  • Sustainability (ESG)

It’s important to remember that you don’t need to monitor these areas at the same depth and frequency for every vendor. To make the process more efficient for both your team and your vendors, assign vendors to criticality tiers and assess accordingly. For example, a vendor in the ‘high risk’ tier should be assessed more frequently and deeply than a vendor in the ‘low risk’ tier.

Cybersecurity risk is now one of the biggest risks organizations face – both directly and indirectly through their vendors. Hacking groups are more frequently targeting an organization’s third parties as a ‘back door’ to their harder-to-breach systems. This threat was most recently demonstrated in the Lapsus$ hacks, which exposed hundreds of customers’ data through third-party applications.

There are a few cybersecurity risk areas organizations should evaluate with their third parties to gain better visibility into their policies, procedures and controls:

  • Compliance Risks: Depending on your third party’s service type or location, they are likely to have different compliance requirements than your organization. Get familiar with the regulations and standards applicable to your third parties, then understand the steps to compliance.
  • Operational Risks: Your organization might rely on third parties to provide a service essential to your day-to-day operations or IT infrastructure. Understand the controls third parties have in place to operate safely in these areas of your organization. Verify that the third party has adequate controls for addressing vulnerabilities in its own IT infrastructure.
  • Information Security Risks: Whether they’re handling your organization’s sensitive data or their own, third parties must have controls in place for data protection. Understand the complete lifecycle of your highly sensitive data within your third parties. Clarify how long your third parties maintain this data and ensure that they are contractually obligated to destroy it after your business relationship concludes.

Think of cybersecurity as a collaboration point between your organization and its vendors. Utilize ongoing vendor monitoring to foster communication around cyber risk throughout the relationship.

Your suppliers’ risk is your risk, so you can’t take a back seat while managing it. Read this ProcessUnity white paper, “Key Metrics to Optimize Your Third-Party Risk Management Program,” to learn more about third-party risk and how to stay on top of it.

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit