What is a Vendor Risk Assessment?
We recently dove into what vendor risk and vendor risk management entails. Once you understand that this is the risk that results from vendors, it’s simple to extend this and establish that vendor risk assessment (VRA), or vendor risk review, is the process of identifying and assessing all of the potential risks associated with vendor operations and products, and how they can potentially affect your organization.
So how do you perform a third party vendor risk assessment?
- First, you determine what are the most plausible effects of uncertain events.
- Once you identify what these consequences are, you need to measure and prioritize them.
There are several types of potential risks, including – but not limited to – reputational risk, compliance and legal risk, strategic risk, cyber risk (such as security breaches), financial risk and operational risk. The only way to mitigate these risks is to perform due diligence and vendor monitoring, based on the vendor risk assessment you conduct.
What is the difference between a supplier, vendor, third party, and service provider?
Many people use these terms interchangeably, but there are occasional differences that you should be aware of before you conduct your vendor risk assessment. Let’s take a look at how these terms are defined:
- A supplier is a person or entity that makes goods and services available to a business or service provider. Suppliers tend to be in the B2B transactional space, and are often the first link in a supply chain.
- A vendor is a person or entity that purchases goods or services from one company or provider, then resells them to others. Vendors deal with the purchase and distribution of goods from manufacturers to consumers, and are seen as the last link in the supply chain.
- A third party is an outside individual or a company tasked with providing products and services to consumers on behalf of your organization. They’re a “third” party because they’re not either the primary provider or customer involved in a commerce relationship.
- A service provider is an organization that (obviously!) provides services to their clients.
Why is vendor risk management important?
To avoid interruption
Your vendor risk management (VRM) program should ensure that your third-party vendors and suppliers, products, and services don’t disrupt your business or cause you serious financial and/or reputational damage. An effective VRM program will guarantee business continuity.
To reduce risk exposure
As your organization outsources parts of its business to vendors, it increases the chances that they have access to confidential intellectual property or sensitive information. This could be internal company data or customer-related information. Your VRM program should help you mitigate risk for a safer business environment. Most companies will require their vendors to address and uphold internal as well as governmental and industry standards.
To outsource expertise
The fact that vendors introduce and increase your risk doesn’t mean you should try to avoid them altogether. One option for your organization is to outsource your vendor risk management. Outsourcing to experts is a good way to go as it ensures you’re in good hands, with your vendor management having up-to-date working knowledge of all best practices.
The vendor risk assessment process
1. Take inventory
The first step is to take inventory of all of the vendors to make sure each and every one is accounted for. There may be several that don’t come to mind immediately, such as a cleaning service your organization works with. Taking inventory allows you to identify the risks you’re exposed to.
2. Determine risk level
Once you have your inventory, you need to measure how much of a risk each of the vendors poses. Some will have access to far more information, while others may not interact with sensitive data at all. Sort them into buckets using a single classification method, objectively, to determine the risk – low, medium or high risk? The process should be disciplined, as the internal risk assessment should be an easily repeatable process.
3. Assess vendors
The next step is to ask the same questions of all of your vendors in their buckets. Your goal is to have an overview of the risk level of each vendor, and your organization will then decide whether or not the risk level is worth going into business or continuing to do business with a particular vendor. Another option to lower risk with a vendor may be to add in more terms, such as contract considerations, increased monitoring or more in-depth due diligence.
Key points in managing vendor risk?
Beyond the process above, here are some tips to ensure your vendor risk assessment is implemented effectively.
Have a risk appetite statement or framework
A risk appetite statement, or framework, is key to managing vendor risk. As Deloitte points out,
“An effective Risk Appetite Framework has been identified as a critical component of an effective risk management and governance framework and a key enabler for organisations wanting to drive performance and empower staff at every level to make timely, risk aware decisions.”
Essentially, a risk appetite statement sets the tone for your risk management. Your organization is far more likely to meet its strategic goals when the risk tolerance is linked to its goals and objectives.
Manage individual product risk
Beyond assessing each vendor, manage risk down to each product – or service – offered, as well.
Set a control framework and assessment standard
Being objective is key here to ensure all vendors are being held to the same standard.
Identify risk types
Use these to determine which types of risk are most and least important to you.
Track key terms
Identify the key terms under which you’re doing business with vendors across all your vendor contracts.
Report on metrics
Once you identify and decide which vendor-related metrics you’ll be focusing on, make sure to report on them consistently. Some options include team productivity, average time between identifying and resolving compliance issues, and budget.
Monitor risks and performance over time
Not only should vendor risk assessment be conducted repeatedly, but you should also track any changes in risk over time to understand if this changes the relationship with your vendor or not.