Avoid These 5 Gotchas of Vendor Risk Management

Even the most mature vendor risk management programs can fall prey to complexity and poor planning. Use this checklist to benchmark where your VRM processes stand and where you can improve.
Brenda Ferraro
Vice President of Third-Party Risk
August 26, 2020

In my experience building vendor risk management programs at several companies, there are five categories of “gotchas” that risk management teams must look out for. These gotchas range from not having basic vendor contact information to not presenting the right risk metrics to the board. Each can lead to onboarding delays, missed risks, and compliance failures if not addressed immediately.

To help you avoid some of the same pitfalls that I have experienced, I’ve put together a checklist of questions to ask and areas to investigate.

1. Not Knowing Your Vendor Universe

If you don’t know who your vendors are, how can you assess them?

  • How complete is your vendor universe list? Do you know your vendors and the total number of vendors?
  • Are there multiple departments onboarding vendors? (e.g., $5,000 authorizations enable anyone to purchase a service.)
  • Do you have point-of-contact details for all vendors?
  • Who is the business point-of-contact?
  • Who owns the risk in the vendor relationship?
  • Do you understand the engagement with the vendor (e.g., what service they provide)?
  • Can you “follow the data” of the service to the Nth party?
  • Does your existing process lead to the perception that vendor risk management is a roadblock instead of an enabler?
  • Are selection, onboarding and renewal decisions made with profiling, inherent risk, and residual risk data?

2. Program Deficiencies

Without must-have controls in place, what are you assessing against?

  • What criteria are used to make tiering decisions? Spend, engagement, risk tolerance?
  • What criteria are used to make due diligence decisions? By data that the vendor handles (e.g., sensitive, confidential, proprietary) or by category of service provided?
  • How are you identifying and reviewing controls that matter to your business?
  • Do you have a steering committee in place to help make decisions?
  • Who are the control owners?
  • What is the internal staff skill level? Is there a playbook in place to help them handle processes and incidents?

3. Complex Requirements for Due Diligence

How difficult and costly are your assessments?

  • What intake/request management process do you have in place? Email? How are important vendor attributes captured?
  • How transparent is the vendor request process?
  • How many different questionnaires are being used to assess vendors? Are there opportunities to consolidate?
  • How are you managing information overload? Is there a process in place to associate a questionnaire response with outside validation (e.g., threat scores or alerts)?
  • Is due diligence used in procurement or sourcing for vendor selection?

4. Unclear Risk Scoring and Disposition

How are you harmonizing questionnaire results and vendor threat intelligence?

  • Are impact and likelihood considered when calculating risk scores?
  • Are thresholds in place to identify which risks require attention? (The alternative is that all risks are reviewed and require a response from the vendor, causing delay and waste.)
  • Are risk remediation recommendations and timelines clear to all parties – assessor, vendors, etc.?
  • How are risks tracked to closure?
  • Are there identified business owners for risks?
  • Is there an exception/disposition process or workflow in place?
  • Is there a way to measure the effectiveness of risk reduction over time? (e.g., are risk indicators or milestones available?)

5. No KPI and KRI Metrics or Reporting

If it’s not reportable, how do you change the culture?

  • Is the organization working in silos? If so, how is risk reporting bridging the divide?
  • What key performance indicators (KPIs) are in place to measure the effectiveness of the third-party risk management (TPRM) program or of the vendors?
  • Are service level targets communicated, understood, and met?
  • Are key risk indicators (KRIs) in place to measure risk reduction in real time and to trend it over time?
  • How are risks tracked and reported?
  • Is reporting manually created? If so, what could be missing?
  • What metrics and risk status are being presented to the board? Are they being used to support data-driven decisions?

These gotchas and questions certainly aren’t exhaustive, but they represent the most common stumbling blocks many vendor risk management programs face as they evolve their processes.

Download our white paper, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, for more best practices – or request a demo to discuss your program requirements with our experts.


Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.
