A Vendor Risk Management Checklist
Vendor risk management is “the discipline of reducing or eliminating the residual risk that businesses and governments face when working with external service providers and IT vendors, and related third parties.”[1] Vendor risk management involves:
- Onboarding and centralizing the management of third parties
- Tiering vendors according to the inherent risk they bring to the business
- Assessing third parties, according to their tiers, against compliance and security standards
- Remediating risks to an acceptable level of residual risk
- Reporting to internal teams and regulatory agencies on progress
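The five steps above read as a pipeline: intake a vendor, score its inherent risk (the risk it brings before any of its controls are considered), assign a tier that decides how deeply and how often it is assessed, then compare the post-assessment residual risk against what the tier tolerates. The following is an added worked example of that pipeline, not code from the original post or from any VRM product. The scoring rubric, weights, tier cut-offs, acceptable residual levels, and the four vendor records are all constructed assumptions for illustration; a real program would take them from its own risk appetite and from evidence gathered in the assessment.

```python
"""Toy vendor-risk register: tier by inherent risk, assess by tier, track residual risk.

Added example. Weights, cut-offs and vendor records are constructed assumptions,
not figures from the page or any product.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed rubric: each factor scored 0-3, higher means more inherent risk.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "privileged": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2, "essential": 3}

# Assumed weights: data exposure dominates, then level of access, then criticality.
WEIGHTS = {"data": 0.5, "access": 0.3, "criticality": 0.2}

# Tier 1 is highest risk. The tier fixes assessment depth, cadence and
# the residual risk the business is willing to accept (assumed values).
TIER_REQUIREMENTS = {
    1: {"assessment": "full questionnaire + evidence review", "cadence_months": 12, "acceptable_residual": 1.0},
    2: {"assessment": "standard questionnaire", "cadence_months": 24, "acceptable_residual": 1.5},
    3: {"assessment": "self-attestation", "cadence_months": 36, "acceptable_residual": 2.0},
}


@dataclass
class Vendor:
    name: str
    data: str            # key into DATA_SENSITIVITY
    access: str          # key into ACCESS_LEVEL
    criticality: str     # key into CRITICALITY
    # Share of inherent risk that the assessed controls mitigate (0..1).
    # None until an assessment has actually been completed.
    control_effectiveness: Optional[float] = None
    findings: List[str] = field(default_factory=list)


def inherent_score(v: Vendor) -> float:
    """Weighted inherent risk on a 0-3 scale, before any controls are credited."""
    return round(
        WEIGHTS["data"] * DATA_SENSITIVITY[v.data]
        + WEIGHTS["access"] * ACCESS_LEVEL[v.access]
        + WEIGHTS["criticality"] * CRITICALITY[v.criticality],
        2,
    )


def tier(v: Vendor) -> int:
    """Map inherent score to a tier. Regulated data or privileged access always forces tier 1,
    so a low score on the other factors cannot dilute a hard requirement."""
    if v.data == "regulated" or v.access == "privileged":
        return 1
    s = inherent_score(v)
    if s >= 2.0:
        return 1
    if s >= 1.0:
        return 2
    return 3


def residual_score(v: Vendor) -> Optional[float]:
    """Residual = inherent x (1 - control effectiveness); None if not yet assessed."""
    if v.control_effectiveness is None:
        return None
    return round(inherent_score(v) * (1 - v.control_effectiveness), 2)


def needs_remediation(v: Vendor) -> bool:
    """True when residual risk exceeds what the tier accepts. An unassessed
    vendor is an open item too: no evidence means no credit for controls."""
    r = residual_score(v)
    if r is None:
        return True
    return r > TIER_REQUIREMENTS[tier(v)]["acceptable_residual"]


def register(vendors: List[Vendor]) -> List[dict]:
    """Single risk register, one row per vendor, open items first, then by tier."""
    rows = []
    for v in vendors:
        t = tier(v)
        rows.append({
            "vendor": v.name, "tier": t,
            "inherent": inherent_score(v), "residual": residual_score(v),
            "assessment": TIER_REQUIREMENTS[t]["assessment"],
            "cadence_months": TIER_REQUIREMENTS[t]["cadence_months"],
            "remediate": needs_remediation(v),
        })
    return sorted(rows, key=lambda r: (not r["remediate"], r["tier"], -r["inherent"]))


# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = [
    Vendor("PayrollCloud", "regulated", "write", "essential", control_effectiveness=0.7),
    Vendor("AnalyticsSaaS", "confidential", "write", "high", control_effectiveness=0.4,
           findings=["no MFA on admin console"]),
    Vendor("OfficeSupplies", "internal", "none", "low", control_effectiveness=0.5),
    Vendor("NewCRM", "confidential", "read", "medium"),  # onboarded, not yet assessed
]

if __name__ == "__main__":
    for row in register(SAMPLE_VENDORS):
        print(row)
```

Two design points matter more than the arithmetic. First, the tier is derived from inherent risk only, so a vendor cannot "talk its way" into a lighter assessment by describing good controls; controls only affect the residual score after evidence is reviewed. Second, an unassessed vendor stays on the remediation list rather than defaulting to a clean score, which is what keeps the register honest when onboarding outpaces assessment.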
The problem with many vendor risk management programs is that much of this activity is handled with manual spreadsheets and emails. This slow and costly approach can lead to errors and perpetuate unnecessary risk. Many companies want to perform this work more efficiently but struggle with identifying the right capabilities to help them get there.
Let’s review five categories of criteria to consider in selecting a solution for automating and accelerating your vendor risk management program.
5 Categories of Criteria for Selecting a Vendor Risk Management Solution
A vendor risk management (VRM) solution should progressively mature your program across five key categories:
1) Manage all your vendors in one place
The first category focuses on taking initial control of your third-party ecosystem. This is where you consider a solution’s abilities to onboard vendors and evaluate their inherent risk, that is, the risk a vendor brings before any of its own controls are taken into account (for example, the sensitivity of the data it handles, the level of access it has to your systems, and how critical it is to your operations). Inherent risk metrics inform how you tier and categorize vendors, so that each vendor is assessed with the depth and frequency its risk to your business warrants.
2) Get out of spreadsheet jail
A vendor risk management solution should help you get out of “spreadsheet jail.” Automated assessment capabilities will enable your teams to collaborate with vendors and gather information about their security controls. The right VRM solution will greatly reduce the amount of back-and-forth communications throughout the vendor lifecycle.
3) Make smarter decisions
A strong solution will enable you to validate assessment responses against external cyber security scores and business risk intelligence. Ideally, you want a solution that combines risk intelligence from continuous monitoring with vendor assessment data into a single risk register. This delivers more holistic security ratings and facilitates more informed decision-making.
4) Fix what’s important
By complementing assessment data with continuous threat intelligence, you’ll be better positioned to prioritize and remediate third-party risks. To make this happen, you’ll need strong reporting capabilities, as well as automation for triggering remediation workflows.
5) Continuous, intelligent, and automated
In this category, you evaluate a VRM solution’s ability to deliver continuous insights that inform your ongoing risk management initiatives. Ultimately, you want a solution that will help you build a more predictable and proactive third-party vendor risk management program.
Next Steps for Evaluating Vendor Risk Management Solutions
Ready to take the next step in evaluating vendor risk management solutions? Download our RFP toolkit, which includes an evaluation template that covers:
- Project scope, goals and outcomes
- KPIs and project timelines
- Solution requirements and use cases
- Detailed vendor response criteria
You’ll also get instant access to a detailed spreadsheet for comparing third-party risk management vendors and automatically scoring the results. Start your evaluation today!
[1] “Magic Quadrant for IT Vendor Risk Management Tools.” Gartner. August 24, 2020. Joanne Spencer and Edward Weinstein.
A Vendor Risk Management Solution Checklist
Use this table to evaluate your current VRM program, compare solution providers, and determine which gaps you need to fill. The table categorizes selection criteria into the five categories discussed above.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, the AI-enabled third-party risk management provider. The content has since been updated to reflect our product offerings and subsequent regulatory and compliance changes.