Latest Trend: A Community-Driven Approach to Vendor Risk Assessments

BLOG 2 MINS | June 10, 2020
The Latest VRM Trend: A Community-Driven Approach to Vendor Risk Assessments

“There has to be a better way.” If you are conducting (or responding to) vendor risk assessments, odds are good that you’ve heard that phrase more than once. With hundreds or thousands of vendors, scaling the assessment process with spreadsheets and email becomes unmanageable. In helping companies streamline their vendor risk management (VRM) programs, we’ve created a community that’s building a “better way” together. In this post, we’ll outline the benefits of that community (70,000+ participating vendors and growing): The Vendorpedia Third-Party Risk Exchange.

What is a Third-Party Risk Exchange?

An exchange is very similar to a marketplace. Vendors and the companies assessing them work together to facilitate the simple exchange of vendor risk assessments, as well as other security and privacy information.

How Does the Third-Party Risk Exchange Community Work?

Vendors make pre-completed and validated assessments available (with permission) through the exchange. Once a vendor undergoes an assessment, they can share it with any other companies that want the same assessment. This ensures vendors responding to assessments never start from scratch, while making the process faster for those doing the assessing.

Why Should I Participate in the Third-Party Risk Exchange Community?

1. Benefit from the Work of Others

Like any community, the sum is greater than the individual. With a Third-Party Risk Exchange, companies benefit from the assessment efforts of others. When an assessment is completed and validated, that information is made accessible through the exchange for others to request access to in the future.

2. Access to Dedicated Exchange Agents

Agents facilitate the assessment process between you and the vendor you are assessing. Instead of spending time managing the back and forth, exchange agents will provide that support on your behalf.

3. Use Existing Assessments to Answer Custom Questionnaires

If you’re a vendor, it’s likely that you’ve already completed a standard-based assessment, whether it be SIG, SIG Lite, ISO 27001, ISO 27701, NIST 800-53, or CSA CAIQ. But many companies choose to use custom assessments. Through a risk exchange, vendors can use answers from standard-based assessments to “autocomplete” custom assessments by mapping questions through natural language processing.

4. Bring the Right People Together in One Place

One of the biggest challenges of completing vendor risk assessments is actually identifying the right people to contact. Through a risk exchange, those responsible for sending and responding to assessments can meet in a single place.

5. Leverage Other Information Beyond Assessments

Sometimes, a detailed assessment isn’t necessary. There are cases when a SOC 2 report or evidence of a security and privacy certification is sufficient in place of an assessment. Through a risk exchange, vendors can share not only assessments but also information about their security and privacy programs.

Companies and the vendors they assess can work together to make the vendor risk assessment process better for all involved. Want to see how? Request a demo of the Vendorpedia Third-Party Risk Exchange today.
