Vendor Risk Assessments: 7 Best Practices

BLOG 7 MINS December 18, 2020
Vendor Risk Assessments: 7 Best Practices

Conducting vendor risk assessments is one of the most critical aspects of any successful VRM program. However, performing vendor risk assessments comes with numerous challenges, including:

  • Choosing the right vendor risk assessment standard
  • Reviewing and analyzing identified risks
  • Knowing which vendors to assess first
  • Getting your vendors to respond to your assessment
  • Monitoring and reassessing vendor risks over time

In this post, we’ll outline 7 vendor risk assessment best practices to help you overcome the challenges listed above.

1. Understand Your Assessment Options

There are many vendor risk assessment standards and frameworks to consider – some more common than others. In practice, we see the following questionnaires used most frequently:

Every organization has different requirements. These requirements often dictate the assessment standard and framework that is right for them. Contributing factors in the decision-making process include:

  • Industry
  • Jurisdiction
  • Security
  • Industry Organizations
  • Privacy Laws
  • Regulatory Influences
  • Data or Business Process Involved

While industry-standard assessments are increasingly popular, many organizations use standards only as a starting point. Considering the factors above, assessments are often customized with unique questions specific to the organization.

To help determine the right assessment for your organization, it’s important to also understand what vendors expect from security questionnaires.

2. Determine How You Measure Risks

Put simply, the objective of vendor risk assessments is to identify risks. However, the measurement of risks is dependent on the organization itself – there is no one-size-fits-all risk scoring methodology.

For example, if a vendor is missing a specific security control, that vendor may be considered high risk for one organization, while considered low risk for another.

Risk scoring is typically adapted to the organization’s needs and done in one of three ways:

  • Simple scoring: High, medium, low
  • Risk matrix: 4×4 (or 5×5) matrix with impact and probability as the X and Y axis
  • Risk formulas: Equations that can weight certain risks as more critical than another

Organizations often like to categorize risks, as some risks may be considered more important than others. The most common risk categories are:

  • Cybersecurity
  • Privacy
  • Reputational
  • Geographical
  • Geopolitical
  • Strategic
  • Financial
  • Operational
  • Regulatory
  • Business Continuity

3. Prioritize Vendors by Calculating Inherent Risks

Not all vendors are created equal. With dozens, hundreds, sometimes thousands of vendors, organizations need to prioritize which vendors to assess first. To do so, many third-party risk teams leverage inherent risks to categorize vendors into three tiers.

  • Tier 3: Low risk, low criticality
  • Tier 2: Medium risk, medium criticality
  • Tier 1: High risk, high criticality

Third-party risk management software can offer inherent risk insights out of the box to help you prioritize. To calculate these inherent risks, organizations often consider if the vendor is:

  • Sharing proprietary or confidential business information with the vendor
  • Sharing personal data with the vendor
  • Sharing sensitive personal data with the vendor
  • Sharing personal data across borders
  • Serving a critical business function

Further, inherent risks usually take into account additional considerations, such as:

  • Potential effect of unauthorized disclosure of information
  • Potential effect of unauthorized modification or destruction of information
  • Potential effect to disruption of access to or use vendor/information
  • Contract value of the third party

4. Make Vendor Risk Assessments Smart

Reviewing vendor risk assessments takes time, especially if the assessment is conducted via a spreadsheet. To reduce the time spent in the review stage, organizations should look to embed their vendor risk assessments with automated risk and control flagging. This functionality will help pinpoint risks and identify the lack of critical security controls.

So, instead of manually applying risks, smart assessments flag as soon as the vendor responds. As mentioned above (in tip #2), consider how you measure risk internally, and embed that methodology into the assessment itself.

5. Make Assessment Response Easy for Your Vendors

One of the most time-consuming portions of the risk assessment process is simply getting the vendor to answer the questionnaire. To get responses faster, consider prioritizing the vendor experience.

Providing free technologies to your vendors, such as Questionnaire Response Automation, can help your vendors automatically answer your incoming assessments. Further, Third-Party Risk Exchanges can simplify the assessment process for you and your vendors.

Here’s how the exchange it works:

  • Vendors complete a standard-based assessment
  • Vendors make the assessment available to the exchange community
  • Exchange customers request access to the assessment
  • Vendors confirm the request, review their answers, and make necessary updates
  • Vendors securely share the assessment without having to start from scratch

6. Track Key Metrics

Many successful vendor risk assessment programs leverage reporting to identify blockers in their processes. In practice, the metrics we see most third-party risk management programs tracking include:

  • Status on all vendor risk assessments (ex. under review, with vendor, approved, etc.)
  • Number of assessments outstanding
  • Vendors sorted by risk level
  • Upcoming contract expirations
  • Average assessment completion time
  • Vendor risks by stage within the risk mitigation workflow
  • Risks to parent organization and risks to subsidiaries
  • Risk history over time

7. Monitor Vendors for Reassessment

A vendor risk assessment is traditionally thought of as a “moment-in-time” review of risks. However, there is a reason that third-party risk management is sometimes called third-party relationship management.

Vendors’ risks change over time. The exchange method (as mentioned in tip #5) can help create “evergreen assessments” that are routinely updated by the vendor. Vendors simply make changes to their assessments and push those changes out to specified organizations. In addition to evergreen assessments, many organizations monitor critical data sources, which you can read more about here.

In some cases, vendors may require a targeted reassessment when certain risks arise. These risk-changing events may require their own unique assessment and include:

  • Mergers, acquisitions, or divestitures
  • Internal process changes
  • Negative news or unethical behavior
  • Natural disasters and other business continuity triggering events
  • Product releases
  • Contract changes
  • Industry or regulatory developments
  • Financial viability or cash flow
  • Employee reduction

Join the Third-Party Risk Exchange Community

If you’d like to streamline your assessment process further, while still incorporating all the best practices above, leverage our Third-Party Risk Exchange to get access to a community of pre-completed vendor risk assessments.

Interested in learning more, watch the demo video today!

Onetrust All Rights Reserved