5 Best Practices for Vendor Risk Management

Follow these 5 steps to take your vendor risk management program from static spreadsheets to real-time automation.
By:
Scott Lang
,
VP, Product Marketing
July 29, 2020
Share:
White paper buyers guide 2019

Being in "reactive mode" is exhausting, inefficient, and stressful – and it's especially risky when your workload gets heavy. Vendor risk management (VRM) is no different: Having a reactive VRM program that responds to vendor risk, instead of controlling vendor risk, puts your organization in jeopardy of data breaches, privacy violations, and regulatory compliance infractions.

That’s why it's important to have a clear process for proactively managing the cyber risks and business continuity exposures that inevitably crop up throughout the vendor relationship lifecycle.

In our 15+ years working with thousands of customers and vendors, we've developed 5 best practices for achieving a more proactive vendor risk management process. Download the best practices guide to discover:

  • Guidelines for each step, including tips for vendor risk program success and traps to avoid
  • A proven strategy for benchmarking your VRM program's maturity level
  • A checklist of key vendor risk management product features and service levels to look for

By following these steps you'll not only reduce risk for your organization, but also strengthen your third-party relationships.

Here's a sneak peek at how the 5 steps can take the pain out of vendor risk management:

Best Practices for Vendor Risk Management

Step 1: Onboard, Score and Manage Your Vendors in One Place

You need to make several decisions prior to kicking off a vendor risk management program. Expert advisory services can help define the parameters of the program. The next step is to get control of your third-party vendors, onboard them, and identify their inherent risks.

Key decisions at this step include:

  • What is the right mechanism for onboarding vendors? Will you use a manual process or spreadsheet template? Will you require integrations with procurement or vendor management systems?
  • Which factors will you consider in making vendor tiering decisions? For instance, which attributes or criticality concerns will impact how you tier specific vendors?
  • How will you collect information to assess inherent risk? Will you use an automated questionnaire? What inputs will be used to calculate inherent risk (e.g., operational, legal, regulatory, financial, and/or reputational data)?

When you first engage potential VRM solution providers, make sure they offer multiple mechanisms for onboarding vendors, suppliers and other third parties. This may include performing onboarding tasks on behalf of your team.

Also, ensure that their vendor tiering and inherent risk scoring methodology includes more than just surface-level questions. For instance, you may want it to include financial and supply chain considerations as well. Read the best practices guide for a full accounting of these attributes.

Step 2: Get Out of Spreadsheet Jail with Automation

The next step to proactive vendor risk management is to stop using spreadsheets for vendor risk assessments. Of course, you still need a way to collect evidence of security controls and perform due diligence reviews per your corporate standards and compliance requirements. Fortunately, you can automate this process and eliminate the redundant, soul-crushing assessment tasks that often lead to errors and risks.

Collection and due diligence review can take many forms. For instance, you can manage the assessment process yourself; access a library of completed questionnaires; or outsource collection to a partner. In fact, we see many companies successfully managing risks with a hybrid approach that taps different approaches for different tiers of vendors. Read our best practices guide for a comparison of each of these methods to determine which approach is best for you.

Key decisions at this step include:

  • Which questionnaire will be used to gather information about your vendor’s controls? Will you use industry-standard or proprietary surveys? (Hint: It depends on a combination of two things: 1) Which regulations or frameworks you plan on mapping the answers to. And 2) Whether you plan to share the results with a network.)
  • Which collection method(s) will you use? Do you have the resources and expertise to manage this in-house? Will you take advantage of networks of completed vendor responses to speed the process? Will you outsource collection to a partner? (Ideal for under-resourced teams or those without the bench strength.)

As with Step 1, make sure your VRM solution provider is flexible in terms of questionnaire availability and collection methods. You probably don’t want to be locked into a single rigid questionnaire that can't be customized. You also don't want to be forced to collect due diligence on your own, especially if you're short-staffed.

Step 3: Make Smarter Decisions with Continuous Risk Intelligence

The next step in building your vendor risk management frameworkis to validate third-party assessments with external cybersecurity and business risk intelligence. While periodic assessments are essential to understanding how vendors govern their information security and data privacy programs at a given point in time, a lot can happen to a vendor between assessments! This is where continuous monitoring can help.

Many organizations fall short here. Too many take a narrow, qualitative view of vendor risks and ignore more qualitative information. When combined and correlated, cybersecurity and business monitoring provide a more comprehensive view of vendor risk. This "outside-in” view gives you an edge in grasping the potential impact of vendor risk. It also augments your “inside-out” assessments to deliver a more informed and accurate risk score. But what types of monitoring information should you focus on?

  • Cybersecurity risk intelligence sources: Understanding weaknesses that are visible to attackers starts with uncovering compromised data on the dark web and cataloging security breach disclosures. It continues with gathering information on validated cyber attacks, infrastructure and IT policy violations, vulnerabilities, and other exposures.
  • Business risk intelligence sources: Insights on risks posed by operational issues, M&A activity, layoffs, leadership changes, product recalls, regulatory/legal probes, financial and bankruptcy notifications are all important qualitative inputs that add further context to the VRM process.

Read the best practices guide for a deeper dive into each of these intelligence sources.

With the right intelligence, you can help vendors clean up their open-source footprints and close security gaps in their internal processes. The process is similar to polishing your credit report prior to applying for a home loan.

Step 4: Fix What’s Important with Recommended Remediations and Reporting

Now comes the hard part: remediating the risks! Key considerations at this stage include:

  • Does your team have the expertise to recommend remediations to failed controls? Would it be helpful to automatically trigger pre-defined remediations when assessments flag specific risks?
  • How do you plan to project future risk (e.g., residual risk) over time after the application or enforcement of remediations? This will be important in board-level reporting.
  • How will you demonstrate a vendor’s compliance with a specific regulatory or industry framework? (Hint: Look for solutions that provide "percent-compliant" metrics against multiple regulations.)
  • How will you mitigate hidden threats that aren't revealing by assessment responses? (Be sure to ask if your VRM solution includes machine learning to analyze data and reveal hidden trends.)

Step 5: Take a Continuous, Intelligent and Automated Approach to Vendor Risk Management

The final step in moving toward more proactive VRM is to incorporate continuous and intelligent automation into your program over the long term. This includes taking advantage of solutions that can proactively and continuously assess, monitor and eliminate vendor risk. But what does "continuous, intelligent and automated" look like?

Continuous assessments

One way to achieve a more continuous, less reactive assessment model is to enable real-time cyber and business monitoring intelligence to inform your assessment schedule. With the right rules in place, you can correlate a vendor’s vulnerabilities, breaches or leaked credentials on the dark web with assessment responses revealing weak password management or patch management practices. You can then use these findings to trigger assessments. This level of automation truly closes the loop on third-party risk and transforms point-in-time assessments to continuous risk monitoring.

Intelligence from every corner

Making sound, risk-based decisions means consuming and normalizing data from a several sources. See our best practices guide for a diagram illustrating the inputs typically required to inform risk-based decision-making. Here are just a few:

  • Public and private sources, vendor risk intelligence and technology integrations can provide quantitative and qualitative insights into IT security risks, financial problems and other indicators of a vendor's cyber and business health.
  • The vendor community, completed assessments and industry partnerships also play a part. They provide member-supplied or crowd-sourced documentation and insights that can provide a preview into what risks vendors pose in specific industries.
  • Regulatory monitoring provides insights into control failures across regulated industries and can help anticipate the remediations required to reduce a vendor's residual risk.

Automation playbooks to streamline risk response

One way to achieve a more automated program is to leverage capabilities for triggering risk response actions based on “If This, Then That” criteria for specific entities and risks. Rules should automate a broad range of onboarding, assessment and review tasks. These can include updating vendor profiles and risk attributes, sending notifications, and/or activating workflows. They should also run perpetually to update the VRM environment as new events and risks emerge.

Next Step: Download the Best Practices Guide

Now that you have an idea of what an enterprise vendor risk management deployment looks like, be sure to uncover more details in best practices guide.

Prevalent delivers a complete vendor risk management solution that's unified by a single, easy-to-use platform. If you would like to learn more on how to construct your complete VRM strategy, request a demo today.

Tags:
Leadership scott lang
Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo