Assessing the risk of a potential vendor requires time and due diligence. These assessments are not a place where your organization should be cutting corners and doing haphazard investigation.
Only about 37% of organizations have the ability to manage their vendors and vendor risk appropriately. In the same survey, 22% of respondents admitted that they didn’t even know if they’d had a third-party data breach in the last year. A thorough assessment of your vendors is crucial to maintaining your organization’s financial security and reputation. A thorough assessment could even save you from doing business with irresponsible or even criminal vendors.
What is a Vendor Risk Assessment?
A vendor risk assessment, also known as a third-party risk assessment, is a vetting process that helps organizations choose and monitor vendors. During this vetting process, your organization identifies and evaluates the potential risks of working with any given vendor. Once these risks have been identified, you’ll then weigh the potential risks of the partnership versus the potential rewards of doing business with that vendor. These decisions will weigh differently from organization to organization, based on your company’s mission, policies, procedures, and other factors.
This process tends to be very long and tedious, but failure to carry out a thorough risk assessment could land your organization in hot water. Reputation damage, lost business, legal fees, and fines can all result from doing business with an improperly vetted vendor. For example, if one of your vendors fails to comply with certain regulations, your company will be held liable as well.
The steps outlined below will help your organization assess vendors objectively and thoroughly.
Know the Types of Vendor Risk
This step is one you have to take prior to actually evaluating a vendor. There are several types of vendor risk, and you have to be aware of all the different types of risk you could be facing when doing business with a new vendor.
Types of vendor risk include:
- Strategy Risk: will the vendor steal trade secrets or intellectual property?
- Financial Risk: is the vendor financially stable? Do they have outstanding liens, bankruptcies, etc?
- Compliance Risk: does the vendor follow relevant laws and regulations?
- Geographic Risk: is the vendor located in an unstable area (i.e., an area prone to political unrest, natural disasters, etc)?
- Technical Risk: how stable are the vendor’s IT and data management practices?
- Subsequential Risk: does the vendor use third parties for any of its processes and could these third parties affect your business?
- Resource Risk: does the vendor have the resources and ability to fulfill their contract with you? Can they actually do what you’d be paying them to do?
- Replacement Risk: how easily replaceable is the vendor should they go out of business?
- Operational Risk: does the vendor have any operating policies and procedures that could expose your company to risk?
- Reputational Risk: how could working with this vendor affect your company’s reputation both internally and externally? Would working with this vendor cause reputational damage to your company?
Not all of these categories will apply to every vendor that your organization hopes to do business with.
Determine Risk Criteria
Your risk criteria will depend on what kind of business your organization conducts, what type of business the vendor in question conducts, and how your two organizations will specifically interact. For example, a company that deals with a lot of sensitive information would prioritize data security and privacy when assessing a potential vendor.
You want to make sure to avoid bias when choosing vendors. This is done by evaluating all vendors consistently, regardless of a vendor’s reputation. Your vendor risk assessment should be designed with a set format and scoring criteria and be used for each and every vendor assessment..
Assess Vendor Products and Services
A vendor assessment should actually happen in two parts. The first assessment should be of the entire company. The second assessment should be of whatever individual products or services you intend to purchase from the vendor.
While a company-level assessment vets things like a vendor’s reputation, regulatory compliance, and level of customer service, assessing individual products and services shows you risks inherent to those specific products and services in and of themselves.
For example, if you’re interested in purchasing vendor management software from a company, you’ll want to ask how secure the software is, how fast employees can learn the software, software cost, and the software’s compliance with any relevant laws.
Assessing both the company and the products/services you intend to purchase gives your organization a much more complete picture regarding risk.
Assessing vendor risk takes a very high level of expertise. Your organization should seek insights from staff in other departments of your company. You can also bring in outside experts that have relevant knowledge. Getting insights from people in IT, legal, finance, security, and compliance can help your organization assess potential vendor risk more thoroughly.
Many organizations have a specially designated risk assessment team that consists of individuals from different departments. This team helps ensure consistent, thorough, and timely vendor evaluations.
Assess Every Vendor, Regardless of What They Do
Vendor risk assessments are for all vendors, regardless of what product or service you purchase from them. Assessments should be performed before entering into a contract with any vendor, even if that vendor appears to be low-risk.
Cleaners, catering companies, landscapers, plumbers, florists, and landlords should all be evaluated even if there’s not a formal risk assessment conducted. If a company has access to physical space, files, or data, they should be evaluated as they could pose potential risk to your organization.
Remember the infamous Target breach that happened in 2013? That breach affected nearly 70 million customers and happened via an HVAC service that was contracted at one single Target store. Hackers used stolen credentials from that HVAC vendor to install malware on Target’s network. Ensuring your vendors are using best practices and meet your organization’s standards could save your business money and its reputation.
Organize Vendors by Risk Level
After a vendor has been assessed, you should determine that vendor’s overall risk level. Organizing vendors based on risk level can help you quickly and easily identify vendors to work with and expedite the risk management process.
Based on your criteria, a vendor should be identified as high-, medium-, or low-risk. Next you should give the vendor an impact score. Impact scoring is determined by how important a vendor and their product/service is to the operation of your organization.
Next, you’ll want to assign levels of due diligence for vendors at each risk level. This helps increase efficiency and consistency while eliminating bias.
Make a Risk Management Plan
Simply put, a risk management plan is an outline of how your organization will deal with each type of potential risk posed to it by a third party or vendor. Should something go wrong, your plan will allow you to act quickly to mitigate damage.
This plan should include risk scenarios and specific response tasks, as well as who is responsible for those tasks.
Additionally, your plan should include measures your organization will take in order to reduce risk. For example, your company may regularly monitor vendor compliance through an automated process or include specific contract considerations such as data storage requirements and subcontractor review policies.
When creating a risk management plan, you’ll want to get your designated risk assessment team involved as well. They can provide insight into how to handle risks when they arise, and prevent them from happening.
Stay Up-To-Date on Laws and Regulations
Your company needs to be up-to-date in regards to laws and regulations that affect it. Privacy, environmental, employment, labor, and tax laws change frequently, and it’s your business’ responsibility to comply with any changes.
As your company modifies its policies and procedures to stay compliant, you’ll need to be sure that your vendors are staying compliant as well. Make sure to communicate with your vendors so they understand the expectations your company has in regards to compliance. If a vendor is hesitant or has no intent on remaining compliant with applicable laws and regulations, cut ties with them. That vendor’s unwillingness or inability to remain compliant could negatively impact your organization. In some cases, your organization may even be held liable for breaches in compliance.
Conduct Regular Assessments
Vendor risk assessments need to be done on a regular basis, as vendors grow, shift, and change over time. The problem with initial vendor risk assessments is that they’re a snapshot of the vendor at that specific point in time. The reality is, vendor risk assessments need to be done on an ongoing basis, as emergent issues can arise at any given time. Your organization may choose to do yearly risk assessments for low-risk vendors, while high-risk vendors may require monthly assessment.
Your company will have specific risk assessment requirements, but our vendor risk management app can help your organization monitor legal and financial risks posed by vendors.