Top 10 Data Sources for Better Vendor Risk & Performance Monitoring

Blog | 4 min read | June 10, 2020

For many organizations, vendor risk management (VRM) is a priority when selecting a vendor or finalizing a contract. However, a vendor’s risk and performance changes over time. This creates the need for continuous vendor monitoring which helps an organization take a risk-based approach to vendor relationships.

So, what data sources can you monitor to maintain ongoing vendor oversight? We’ve outlined the top data sources used in practice to help you.

What Data Sources Can You Monitor for Better Vendor Risk & Performance Monitoring?

1. Vendor Data Breaches: Register for a data breach alert newsletter (such as Data Breach Today) or set up Google Alerts for each of your vendors, so you are notified in the event of a breach.

2. Regulatory Enforcement Actions: Identify the regulations you are subject to (OFAC Sanctions List, Modern Slavery, GDPR, HIPAA, etc.) and subscribe to receive alerts when an enforcement action occurs.

3. Regulation, Standard, and Framework Changes: Look beyond regulatory enforcement actions and monitor the actual laws, standards, and frameworks themselves. Requirements continually evolve over the years, making it difficult to maintain an up-to-date VRM program.

Note: OneTrust Vendorpedia integrates with OneTrust DataGuidance™ enabling you to track your vendor ecosystem for any data breaches and regulatory enforcement actions. With 40 in-house researchers, OneTrust DataGuidance also monitors hundreds of regulations, standards, and frameworks around the world.

4. Security & Privacy Certifications: Implement a Cyber Risk Exchange tool that monitors the security and privacy certifications (PCI DSS, ISO 27001, SOC 2, FedRAMP, CMMC, Privacy Shield, etc.) of vendors and notifies you when a certification expires.

5. Security Rating Services: Leverage a security rating service, such as BitSight Security Ratings, which monitors a vendor’s cybersecurity performance over time.

Note: OneTrust Vendorpedia integrates with BitSight to help take automated mitigation actions when a vendor’s security rating drops below a certain threshold. Learn more about the Vendorpedia + BitSight integration.

6. Financial Viability Ratings: Utilize tools like Dun & Bradstreet or Rapid Ratings, which provide forward-looking and actionable insight into the financial stability of vendors. Or, conduct a financial viability assessment to ensure business resiliency and continuity.

7. Data Analytics Tools: Dun & Bradstreet and others offer additional tools that monitor different data points, such as compliance or ethical concerns. Integrate these tools into a VRM platform to monitor changes and take action as necessary.

8. Market Disruption: Proactively prepare for crises (global pandemics, employee strikes, geopolitical issues, etc.) by creating an integrated view of risk (ethical risk, financial viability, business continuity) across all domains of a vendor to ensure business resilience in the event of disruption. Because every organization is different, not every market disruption event will affect you. It is still beneficial to understand which events could affect you, and then monitor for those events accordingly.

9. Updates to Standards-Based Assessments: Many vendors complete and share standards-based assessments, such as the CSA CAIQ and SIG Lite, through our Cyber Risk Exchange. When a vendor’s answers change, you should know about it. This turns static assessments into ever-evolving dynamic questionnaires.

10. Performance Against SLAs: Subscribe to your vendor’s uptime and support pages to monitor performance against your service-level agreements (SLAs).

Don’t Just Monitor, Take Action When Events Occur

Continued monitoring of the above categories is no small task. This is where AI, machine learning, predictive intelligence, and robotic automation capabilities can help. By leveraging automation, organizations can maximize efficiency, discover and classify data, flag risk, suggest remediation actions based on the context of that data, and identify program improvements that simplify compliance.

Through the use of robotic process automation (RPA), organizations can eliminate repetitive actions, such as sending vendor assessments, updating risk scores, notifying key stakeholders, and kicking off complex workflows when critical vendor changes occur.

Need Help Monitoring Vendor Performance and Risks?

Say hello to OneTrust Athena™. Athena adds AI, machine learning, predictive intelligence, and robotic automation capabilities to the OneTrust platform to enhance your third-party risk and compliance program. Athena draws on the OneTrust DataGuidance breach and regulatory enforcement tracker, an indexed list of all breaches and enforcements across the globe, to alert you when vendor risks arise. Athena is also plugged into your existing systems and the Cyber Risk Exchange, so when vendor details change, you can take action.

Interested in learning more about OneTrust Vendorpedia’s monitoring capabilities? Request a demo to learn more!