Vendor risk assessments are a critical component of third-party risk management programs. When you use third-party solutions and services, you should understand the risks they can bring.
Your vendors’ risks are your own. These risks may relate to cybersecurity, compliance, operations, finance, or reputation. Conducting assessments can help you to reveal and remediate these risks throughout the vendor lifecycle.
Vendor risk assessments let your organization proactively identify and mitigate third-party risks to be better prepared when incidents do occur. Well-managed assessments strengthen vendor relationships, demonstrate proper due diligence to regulators, and shed light on best-practice security controls.
In this Article
- Qu'est-ce qu'une évaluation des risques liés aux fournisseurs ?
- Why Vendor Risk Assessments Matter
- What Are the Different Types of Vendor Risk?
- How Do You Score Vendor Risk?
- How to Conduct a Vendor Risk Assessment: Step-by-Step
- Comment mettre en place un programme d'évaluation des risques liés aux fournisseurs
- Prochaines étapes
- Questions fréquemment posées
Qu'est-ce qu'une évaluation des risques liés aux fournisseurs ?
A vendor risk assessment is a process companies use to evaluate potential risks when working with third parties such as vendors, suppliers, contractors, or other business partners. It involves assessing risks during different stages of the vendor lifecycle, from sourcing and selection to offboarding and termination.
Les évaluations comprennent généralement la collecte d'informations sur la sécurité, les contrôles de confidentialité, les données financières et opérationnelles et les politiques du fournisseur, souvent au moyen de questionnaires. Les risques identifiés sont ensuite classés en fonction de leur gravité, de leur probabilité et d'autres facteurs. Les résultats sont souvent mis en correspondance avec les exigences réglementaires, les normes de conformité et les cadres de sécurité, tels que l'ISO et le NIST.
Les évaluations des risques liés aux fournisseurs examinent divers facteurs au cours des différentes étapes du cycle de vie de la gestion des fournisseurs, notamment :
- During onboarding, as due diligence to gauge inherent risk before granting access to critical systems and data
- De manière périodique, pour vérifier les accords de niveau de service (SLA), évaluer le respect des contrats ou satisfaire aux exigences d'audit.
- Lors du départ d'un employé, veillez à ce que son accès au système soit supprimé et que les données aient été protégées ou détruites conformément à la réglementation.
- Lors de la réponse à un incident, afin de déterminer la portée et l'impact potentiels des violations de sécurité.
Why Vendor Risk Assessments Matter
Third-party incidents don’t stay third-party for long. Supply chain disruptions, ransomware attacks, and vendor failures have repeatedly translated into operational breakdowns, regulatory scrutiny, and financial losses for the organizations downstream. Organizations with mature third-party risk management programs are consistently better positioned to contain the damage, not because they prevent every incident, but because they’ve already mapped the exposure.
Implementing third-party risk assessment workflows that focus on operational risks, business continuity, and security risks enables your organization to streamline procurement processes, improve supply chain resilience, and satisfy compliance audits. What’s more, the cost to build and maintain a strategic third-party assessment practice is far less than the potential damage high-risk vendors can cause.
What Are the Different Types of Vendor Risk?
There are three primary types of risk when dealing with third parties: profiled risk, inherent risk, and residual risk. Here is a brief breakdown of the three:
- Profiled Risk relates directly to the vendor’s relationship with your organization. Certain vendors pose more risks. For example, a credit card processing company likely poses more risk to your organization than a digital advertising agency. Organizations with a higher level of profiled risk require extra scrutiny during vendor selection.
- Inherent Risks refer to risks that the vendor poses due to its own information security, operational, financial, and other business practices prior to implementing any controls required by your organization. Determining a potential vendor’s inherent risk score requires a combination of detailed vendor assessment questionnaires and external threat monitoring.
- Residual Risk is the level of leftover risk once the organization in question has implemented your organization’s mandatory controls. Residual risk can never be eliminated, but it can be brought to a level that the organization deems acceptable.
How Do You Score Vendor Risk?
The basic calculation for scoring vendor risk is Likelihood x Impact = Risk. For example, let’s say a hospital vendor is processing large amounts of protected health information (PHI) but does not comply with HIPAA. Under HIPAA, this vendor would be classified as a business associate and fall under the same regulatory scrutiny as the healthcare provider.
In this case, the impact is a large fine to both the healthcare provider and the business associate (major or severe), and the likelihood that regulators will discover the non-compliance is high, making this an unacceptable risk for any healthcare organization.
L'exemple ci-dessus souligne l'importance de mener des évaluations approfondies des risques liés aux fournisseurs. Cela est encore plus important pour les organisations qui traitent de grandes quantités de données sensibles, telles que les prestataires de services gouvernementaux et les prestataires de soins de santé. Dans de nombreux cas, des réglementations telles que la loi HIPAA tiendront l'organisation principale responsable de la non-conformité des fournisseurs.
How to Conduct a Vendor Risk Assessment: Step-by-Step
-
Assemble Internal Stakeholders
The most successful vendor risk assessment programs are cross-functional. Stakeholders across the organization bring different priorities to the process, and all of them matter:
Rôle Exemples de priorités Gestion des risques Harmonisation des évaluations des fournisseurs avec les initiatives plus larges de gestion des risques organisationnels et intégration des données sur les risques liés aux tiers dans les plateformes GRC. Approvisionnement et sourcing Rechercher des fournisseurs à faible risque, effectuer des vérifications préalables à la signature du contrat, évaluer les performances des fournisseurs et veiller au respect des obligations contractuelles. Sécurité et informatique Identifier, analyser et remédier aux risques liés à la cybersécurité associés aux tiers. Audit et conformité Comprendre et signaler les risques liés aux fournisseurs dans le contexte des réglementations gouvernementales et des cadres réglementaires sectoriels. Confidentialité des données Identifier les fournisseurs qui traitent des données à caractère privé, réaliser des évaluations d'impact sur la vie privée et établir des rapports sur le respect des exigences en matière de confidentialité. Assembling a cross-functional team to plan and guide your assessment program will help to ensure its organizational adoption and long-term success.
-
Définissez votre niveau acceptable de risque résiduel
In a perfect world, risk could be eliminated entirely. Unfortunately, when working with any third party, there will always be some element of risk. Before assessing potential vendors for a project, you need to define what level of risk is acceptable. This can make vendor selection and the entire third-party risk management process faster, more efficient, and more uniform.
This enables you to easily identify vendors that clearly won’t meet your business objectives and risk tolerance. In addition, it can help clarify which controls you need to require of vendors before working with them.
-
Build Your Vendor Risk Assessment Process
Mettez en place un processus avec des contrôles et des exigences standardisés. Cependant, il n'existe pas d'approche unique en matière d'évaluation des risques liés aux fournisseurs. Les différents fournisseurs présentent des niveaux de risque variables pour votre organisation, en fonction de facteurs tels que :
- Leur importance pour votre chaîne d'approvisionnement, en particulier s'il s'agit d'un fournisseur unique ou exclusif.
- Leur accès à des données sensibles, telles que les informations personnelles identifiables (PII), les informations médicales protégées (PHI) ou les informations commercialement sensibles (CSI).
- Leur vulnérabilité aux perturbations, telles que les catastrophes naturelles ou les conflits géopolitiques.
Begin with an internal profiling and tiering assessment to categorize your vendors and determine the type, scope, and frequency of assessment needed for each group. For instance, vendors critical to your business and with high-risk potential (e.g., accounting firms or sole-source suppliers) require more thorough due diligence than those with lower-risk profiles (e.g., advertising firms).
Disposer d'un processus structuré pour chaque catégorie de fournisseurs rend votre programme de gestion des risques tiers plus efficace et vous aide à prendre de meilleures décisions fondées sur les risques concernant vos relations avec vos fournisseurs.
-
Send Vendor Risk Assessment Questionnaires
L'étape suivante consiste à sélectionner et à envoyer des questionnaires d'évaluation des risques à chaque fournisseur ou catégorie de fournisseurs. Les questionnaires constituent une approche basée sur la confiance pour recueillir des informations sur les contrôles internes de chaque fournisseur. Ils peuvent couvrir divers sujets, notamment les pratiques en matière de sécurité de l'information, les exigences de conformité, la stabilité financière et les données relatives aux fournisseurs de quatrième et n-ième rang.
Selecting a questionnaire: One of the biggest choices companies face when selecting questionnaires for their primary risk assessments is whether to use an industry-standard questionnaire, such as the Standard Information Gathering (SIG) questionnaire, or a proprietary questionnaire.
In some cases, your third parties may already have an information security certification, such as CMMC or SOC 2. You may accept these certifications instead of requiring an assessment response or supplement them with proprietary and/or ad-hoc assessments to gather information about specific controls or potential risks outside of cybersecurity.
Choosing a framework: Many organizations choose to employ frameworks when designing their vendor assessment questionnaires, such as the NIST Cybersecurity Framework, ISO 27001, and NIST 800-30, to ensure that questionnaires are standard across the supply chain and reflect best practices.
If you require your suppliers to be compliant with specific regulations such as the GDPR or PCI DSS, it may be worth incorporating questions around those standards directly into your vendor risk management program.
-
Complement Assessments with Continuous Risk Monitoring
Cybersecurity vulnerabilities, supply chain challenges, and compliance requirements evolve continuously. Therefore, be sure to conduct continuous risk monitoring to catch any cyber, business, or reputational risks that arise between your periodic vendor assessments. You can also use risk data to verify that a third party’s assessment responses are consistent with their real-world business activities.
Vendor data breaches, exposed credentials, and other cyber risks: Third-party data breaches, ransomware attacks, and other cyber incidents are constant and pervasive threats to organizations today. Therefore, conducting external monitoring of cybersecurity risks across your vendor ecosystem is critical.
Key risks to look out for include:
- exposition des identifiants
- violations de données et incidents confirmés
- mauvaise configuration et vulnérabilités des applications web
- typosquatting et autres menaces pour les marques
Supplier finances, business practices and reputation: While third-party breaches and cybersecurity incidents tend to monopolize the headlines, a supplier’s financial failure, operational disruptions, or bad press can have serious implications for your business. These “non-IT” risks also extend to environmental, social, and governance (ESG) challenges, like modern slavery, bribery/corruption, and consumer protection issues.
Recherchez les actualités, les informations financières et les relations avec des tiers qui pourraient signaler des problèmes. Examinez les pratiques commerciales des fournisseurs, l'approvisionnement en matières premières et d'autres processus commerciaux clés qui pourraient poser des problèmes de réputation ou d'éthique à votre entreprise. Demandez également des références de clients et de partenaires qui utilisent les produits et services du tiers. Discutez avec ces références afin d'obtenir des informations supplémentaires sur la capacité du tiers à respecter les accords de niveau de service (SLA) et autres obligations contractuelles.
Selecting a Monitoring Strategy: From open-source intelligence to public websites, there is no shortage of places to find intelligence on your third parties. However, building a comprehensive and efficient monitoring program from scratch can be difficult. Many companies leverage automated vendor threat monitoring software for risk identification and scoring.
-
Categorize and Remediate Risks
Les risques peuvent être classés comme acceptables ou inacceptables. Les risques inacceptables doivent être corrigés avant de travailler avec le fournisseur. La correction des risques liés aux tiers peut prendre différentes formes. Une organisation peut choisir de demander à un fournisseur potentiel d'obtenir une certification de sécurité telle que SOC 2, de mettre fin à ses relations avec des fournisseurs de quatrième et n-ième rang, ou de modifier ses pratiques commerciales susceptibles de perturber la chaîne d'approvisionnement ou d'autres processus.
In addition, organizations should have a third-party incident response strategy in the event that a vendor suffers a data breach or other disruption. Having a defined strategy for dealing with risks that materialize can dramatically cut down on the time it takes to mount an effective response and reduce disruption to your organization.
Comment mettre en place un programme d'évaluation des risques liés aux fournisseurs
Une erreur que commettent de nombreuses entreprises lorsqu'elles lancent un programme d'évaluation est de s'appuyer sur les e-mails et les feuilles de calcul pour accomplir cette tâche. À moins que vous ne travailliez qu'avec une poignée de fournisseurs, cette approche manuelle des évaluations peut être un cauchemar pour les auditeurs et les fournisseurs, tout en fournissant peu de données utiles.
If you’re looking to launch an assessment program, a great place to start is by subscribing to a vendor intelligence network, which offers access to a library of vendor risk reports based on standardized assessment data. Then, for increased customization and control, consider an automated vendor risk assessment solution that enables you to conduct and manage your assessment initiatives. Or, if you prefer a more hands-off approach, a managed service provider can conduct assessments on your behalf.
Questions fréquemment posées
What is a vendor risk assessment?
A vendor risk assessment is the process of evaluating the risks a third-party vendor poses across cybersecurity, financial, operational, and compliance dimensions. It is conducted at multiple points in the vendor lifecycle, not just at onboarding.
What is the difference between a vendor risk assessment and vendor due diligence?
Vendor due diligence is a one-time pre-contract evaluation. A vendor risk assessment is an ongoing process conducted at multiple stages of the vendor lifecycle. Due diligence establishes a baseline; vendor risk assessment maintains it.
How often should vendor risk assessments be conducted?
Critical and high-risk vendors should be assessed annually or after significant incidents. Medium-risk vendors typically require reassessment every one to two years, and low-risk vendors every two to three years or at contract renewal. Continuous monitoring supplements all periodic assessments.
What is a vendor risk assessment template?
A vendor risk assessment template is a standardized document for evaluating third-party risks consistently across all vendors. It typically includes sections for vendor information, risk categories, scoring criteria, and remediation tracking. Download Mitratech’s vendor risk assessment template to get started.
Ready to scale your vendor risk assessment program?
Learn how Mitratech can help
Planifier une démonstrationEditor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.

