Five Keys to Conducting Effective Vendor Risk Assessments
Risk exposure is indiscriminate. Whether you are a large multinational, a non-profit institution, a government agency or a small business, your firm faces severe fines, penalties or regulatory red tape if it fails to understand and comply with the regulations that apply to it. Because of that, tracking your company's risk exposure isn't an optional exercise in today's business environment.
The Five Step Vendor Risk Assessment Process
An effective assessment program requires a systematic approach to vendor risk management. To help you develop that process, here we chronicle five critical steps your firm can take to ensure the assessments you conduct accurately determine the risks of doing business with your third-party partners.
- Catalog vendors. You need to assess your vendors and suppliers and keep ongoing records. This may seem like a given, but you’d be surprised how many companies have a disorganized approach when it comes to hiring third parties. In fact, some don’t have a purchasing strategy at all. In those cases, risk assessment is also rarely considered.
In contrast, well-managed companies have a comprehensive catalog of all their suppliers with information about what services they provide and which departments they serve.
- Expert’s Tip: Maintain a catalog of your company’s vendors, and make that catalog available throughout your organization. For each vendor, record what the vendor does for your company; how critical they are to your business; where they are located; what data they handle; and any potential threats they pose. Update this information regularly.
- Profile vendors internally to gauge inherent risk. Inherent risk is the risk a vendor relationship carries before any mitigating controls are taken into account. Develop a preliminary vendor profile by questioning the business unit that engages the vendor. For example, in the case of information security, you’ll want to know where this vendor is located, how mission-critical this vendor’s products or services are, how much confidential information they will be handling, and whether or not they will access your computer network. The vendor profile determines which mitigating controls you will look for as you assess the vendor.
- Expert’s Tip: Categorize your vendors into “buckets” to facilitate further assessment. Hospitals, for example, would have an insurance company bucket, a lab services bucket, a medical equipment supplier bucket, and so on. The vendors in any given bucket can be assessed in a similar fashion because they should have many common risk factors. In this example, the insurance companies would all have access to PHI, requiring their compliance with HIPAA. The providers of medical equipment may need to be queried about conflict minerals in their machines.
- Use a questionnaire for self-assessment. Giving a vendor a questionnaire for self‐assessment is standard practice, particularly for those with a high or medium inherent risk rating. The type and depth of the questions should be guided by the vendor’s “bucket” and their level of inherent risk. Use the questionnaire to probe a vendor’s policies, procedures, and processes to help you determine the company’s residual risk.
Ask for evidence or documentation that proves the company meets your standards in the areas that concern your business. Evidence might include screenshots that verify computer controls; proof of professional certifications or licenses; SSAE 16 (now superseded by SSAE 18), SOC 2, and SOC 3 reports for data centers; policies and procedures; financial reports; and external audit reports. Check that any audit report actually covers the services and locations you use and the period you care about, rather than accepting the report's existence as proof on its own.
- Expert’s Tip: Don’t overwhelm vendors with too many items on the questionnaire. If the survey is too long and asks obscure or free-form questions, you are likely to get inaccurate, incomplete, and flippant responses. Use simple, standard, objective questions, or tailor your questions to probe areas of real concern.
- Conduct an on-site audit. Depending on the responses you get on the questionnaire, you may need to dig deeper to understand more about a vendor’s practices. In some cases, you will need to do an on-site audit, which provides a more in-depth evaluation. On-site audits are mandatory for certain vendors, where external regulators require a yearly in-person assessment. Still, consider expanding that pool to include other mission-critical partners not covered by the regulatory umbrella.
- Expert’s Tip: You can learn a lot about an organization by visiting the site and watching people go about their day. In addition to meeting the client-facing staff, spend 20 minutes with individuals in departments outside the sales relationship, such as human resources, operations and finance, to flesh out potential risk issues. That first-hand access gives you a deeper sense of the organization, including the company culture and the security measures actually in practice, all of which will shape your confidence in a vendor.
- Engage in a dialog with your vendor. The final stage of your vendor risk assessment process is to assess the data you collected and produce a findings report that you review with the vendor. Whether you employ a single risk analyst or a team of legal, procurement and business unit talent, have your experts review the information you’ve gathered and compare the vendor's responses against your company’s acceptable risk tolerance. The analyst should produce a findings report identifying any potential issues to discuss with your vendors and the steps required to mitigate that risk. This process isn’t about slashing and burning your vendor relationships; rather, it is about developing a dialog with your vendors to surface your concerns and give them an opportunity to address them.
- Expert’s Tip: Pay attention to the unspoken signals from your vendor as well as what you read in their self-assessment. In particular, note the vendor’s tone and responsiveness to your inquiries, as well as what the vendor doesn’t say. If the vendor doesn’t seem willing to work to keep your business, you need to decide whether you wish to continue the relationship. As the customer, you hold the leverage in this discussion.
At the end of the day, it’s impossible to eliminate 100% of your risk exposure. Instead, the goal for your organization is to develop an efficient, effective approach to understanding your potential risk and minimizing existing risk as far as you reasonably can.
For additional expert recommendations and techniques to identify and assess third-party risk, download our full whitepaper, Identifying Vendor Risk: The Critical First Step in Creating an Effective Vendor Risk Management Program.