Identifying Vendor Risk: Spotting Red Flags In Your Vendor Risk Assessments

BLOG 4 MINS December 11, 2020
Identifying Vendor Risk: Spotting Red Flags In Your Assessments

For individuals managing vendor risk, there is one primary question that needs answering: Are your vendors safe to do business with? Answering that question is not straightforward, but vendor risk assessments give you a structured way to do it.

Below, we outline the red flags to look for in a vendor when reviewing a vendor risk assessment.

Watch the webinar: Identifying Risky Vendors: 7 Warning Signs You Shouldn’t Ignore

Vendor Risk Red Flags

1. Use Assessments to Identify Business Resilience Concerns

According to TechTarget, “Business resilience is the ability to adapt to disruptions and maintain continuous business operations while safeguarding people, assets, and overall brand equity.” There are a variety of business resilience considerations to assess, including supply chain stability, natural disaster response, civil unrest, data breaches, and more.

To combat these business resilience concerns, assessors can identify a vendor’s critical infrastructure, calculate their business impact, proactively design plans for risk mitigation, and ultimately test and execute the response to an incident.

2. Leverage Assessments to Better Understand Data Transfers

In Schrems II, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield as a lawful mechanism for transferring personal data from the EU/EEA to the U.S. In addition, the CJEU judgment requires that a data exporter (e.g., a controller) relying on a transfer tool under Article 46 of the General Data Protection Regulation (e.g., standard contractual clauses or binding corporate rules) conduct a case-by-case analysis of the circumstances of the transfer, including whether the third country (i.e., the destination country) provides a level of data protection essentially equivalent to that guaranteed in the EU/EEA, and, where necessary, implement supplementary measures to ensure such protection.

When distributing a vendor risk assessment to a third party (i.e., a data importer, such as a processor), assessors must ensure that the transferred personal data is afforded an essentially equivalent level of protection in the third party’s own country. Through your assessment, you can better understand the circumstances of the personal data transfer, including the adequacy of data protection in the third country and the existence of any onward transfers, in order to evaluate and ensure the lawfulness of the transfer.

3. Use Assessments to Pinpoint Critical Risks Beyond Cybersecurity & Privacy

Assessing the types of risk that a vendor poses is imperative to determining their business impact. This goes beyond privacy and security and dives into other critical areas – like financial impact, operational enterprise risk, reputational risk, and environmental impact.

When assessing and categorizing vendors in an intelligent way, the business can filter through risks and understand how to best oversee risk remediation and control implementation.

4. Gather Information About nth Parties with Your Assessments

Knowing where businesses’ data goes from their third-party vendors to fourth and fifth parties (nth parties) is essential to good risk management and data governance operations. When conducting a vendor risk assessment, be sure your vendors have the correct contractual protections in place with their own vendors.

Ask yourself: Is your vendor able to provide visibility into these nth parties, so that you can understand where your data goes? If a vendor is not able to, then you have a ‘red flag’ on your hands.

5. Use Your Assessment as a Barometer for Non-Participating Vendors

Another thing to keep an eye out for when assessing a new vendor is how easy they are to work with. Depending on the vendor’s size, they may not have the time or resources to satisfy your vendor risk assessment requirements. This could negatively impact your team if you need to onboard a vendor quickly.

These are just a few of the ‘red flags’ to look out for when conducting a vendor risk assessment.

Want access to thousands of completed vendor risk assessments? Learn how the OneTrust Vendorpedia Third-Party Risk Exchange can help you determine whether your vendors are safe to do business with.


Onetrust All Rights Reserved