An Introduction to Supplier Risk Assessment

Supplier risk assessments are central to identifying threats to your supply chain, understanding their potential impact, and strengthening your business resilience. Follow these best practices to build an effective supplier risk assessment program at your organization.
Alastair Parr
Senior Vice President, Global Products & Services
October 24, 2022

Supplier risk assessment is a fundamental component of many enterprise supplier risk management (SRM) programs. SRM has become a major focus for regulators and corporate boards as the COVID-19 pandemic, the Ukraine War, and other events have triggered shortages of goods ranging from fuel to semiconductors. These supply chain disruptions have driven record inflation and are spurring further geopolitical crises.

It’s clear that proactively assessing supplier risk is more important than ever. Supplier risk assessments can help you to understand how threats to companies in your supply chain could impact your organization’s ability to deliver its own products and services. Some types of supplier risk such as performance and event risk have been understood for half a century or more, while other types such as ESG risk and cyber supply chain risk are relatively new concepts.

What Is a Supply Chain?

Before we dive into the specifics of assessing supplier risk, let’s cover a basic question: What is a supply chain?

A supply chain is the sequence of processes required to produce a product or commodity. These sequences can be short and simple, such as a grower selling goods at a farmer’s market – or they can be long and complex, such as a consumer products organization that designs and markets its products but then relies on hundreds of third, fourth and Nth parties for raw materials, assembly, packaging and distribution.

What Is a Supplier Risk Assessment?

Supplier risk assessments comprise the backbone of broader supplier risk management (SRM) programs. A supplier risk assessment involves gathering data about a supplier’s information security and privacy controls, finances, ESG practices, corporate policies, incident response programs, Nth-party relationships, and other factors that may affect their business continuity and resilience.

Supplier risk assessments are conducted by sending questionnaires to key supplier contacts, analyzing the responses, identifying risks and their potential impact, and defining any required remediation or mitigation actions. Assessments are typically fielded during the onboarding phase, and follow-up assessments are conducted at a frequency and scope determined by the supplier’s services and criticality to the business.

If you are beginning to formalize an SRM program at your organization, you can use assessments to establish a baseline level of supply chain risk. If you already have a more robust program in place, conducting an assessment enables you to measure current-state risk against acceptable levels and identify the key remediation activities that will reduce residual risk to an acceptable level.

How Does C-SCRM Factor Into Supplier Risk Assessments?

Supplier risk management (SRM) involves managing both IT and non-IT risk across the entire supply chain. Cyber-supply chain risk management (C-SCRM) is a subset of SRM that focuses exclusively on managing information technology risks, such as data breaches, control gaps, and non-compliance with data privacy and information security regulations. An effective vendor risk management program should include a significant cyber-supply chain risk management component, but C-SCRM by itself is not sufficient to mitigate supplier risk.

Cyber-supply chain assessments should include evaluations of each IT vendor’s security controls, information sharing policies, and privacy practices. In addition to assessment results and evidence about the vendor's cybersecurity and privacy programs, IT vendor profiles should include information about the type, sensitivity and amount of your organization’s data that they handle or have access to. This can enable you to rapidly identify vendors that pose a high degree of risk to your organization when breaches occur, or that may have gaps in their information security programs that weren’t identified during vendor onboarding.


Understanding Different Types of Supplier Risks

There are many risks to your organization's supply chain, ranging from weather events that impact deliveries, to unethical business practices by fourth- or Nth-party suppliers that lead to reputational damage. As you conduct risk assessments across your supply chain, it is important to understand and categorize the business continuity and resilience challenges your suppliers face. Supplier risk categories include:

  • Cybersecurity Risks
  • Compliance Risks
  • Business and Financial Risks
  • Event Risks
  • Corporate Social Responsibility and ESG Risks
  • Capacity Risks
  • Performance Risks

Cybersecurity Risks

Breaches, vulnerabilities, missing information security controls, and other cybersecurity threats are some of the most critical risks to evaluate during supplier risk assessments. Unlike physical products, customer data and other sensitive information can be transmitted and retained throughout your supply chain. Attackers can also leverage vulnerabilities in your technology supply chain to directly target your organization’s systems and data. This can lead to adverse outcomes such as data breaches, compliance violations, fines and lawsuits, and reputational damage to your organization.

Compliance Risks

Almost all organizations today fall under one or more data privacy or information security compliance requirements, such as GDPR, CCPA, HIPAA, PCI DSS, and dozens of others. Penalties for non-compliance can range from fines to personal criminal liability, depending on the infringement and the regulation. Closely related to compliance risks are sanctions risks; for example, suppliers that have been cited for doing business with state-owned enterprises, or that have engaged in money laundering or corruption.

Business and Financial Risks

Business failures and financial issues can cause severe disruptions to your supply chain, even if the disruption is with a fourth- or Nth-party supplier. Business and financial risks include executive turnover, M&A activity, bankruptcy, lawsuits and regulations that could impact a supplier's ability to deliver on a contract.

Event Risks

Recent years have shown just how badly unpredictable events can disrupt both organizational and global supply chains. COVID-19, the Suez Canal blockage, the Ukraine War, and increasingly devastating hurricanes and wildfires are just a few examples of events that caused enormous risk and financial stress to thousands of organizations and governments around the globe.

Corporate Social Responsibility and ESG Risks

At one time, organizations could meet the definition of corporate social responsibility (CSR) by giving back to the community through donations of time and money. However, CSR is increasingly associated with environmental, social and governance (ESG) practices. These include your company’s approaches to environmental sustainability; its relationships with customers, employees and communities; and how it deals with executive pay, internal controls and shareholder rights. Working with companies that have bad environmental track records, utilize forced labor as part of their supply chains, or engage in other corrupt practices can expose your organization to substantial reputational, civil and even criminal risk.

Capacity Risks

Whether driven by business events, economic conditions or natural disasters, suppliers may not be able to meet their delivery schedules. That’s why it’s important to continuously measure supplier capacity, including tracking current order status, performance against order history, supplier responses and acknowledgments. A proactive view of supplier capacity can help your organization be more agile when a disruption occurs.

Performance Risks

Closely related to capacity risks are supplier performance risks, which you can identify by measuring key performance indicators (KPIs). KPIs can include quality metrics, delivery performance, and criteria for meeting agreed-upon service levels. Supplier performance management is easier when you set contractual clauses with enforceable service level agreements (SLAs) and use an SRM dashboard that provides enterprise-level visibility.


Five Keys to Effective Supplier Risk Assessments

Different organizations approach managing supplier risk in markedly different ways. The composition, focus and scope of a mature SRM program depends heavily on the organization’s industry sector and the size and complexity of its supply chain. Given that, below are five keys that apply to almost any supply chain across industries from retail to technology.

1. Profile and Tier Your Suppliers

Effectively evaluating your third-party suppliers based on profiled, inherent and residual risk is essential to your overall supplier risk assessment approach.

Profiled Supplier Risk

Profiled risk relates to the nature and criticality of the products or services that a supplier provides to your organization. For instance, a computer manufacturer’s semiconductor supplier would pose far more risk than its packaging supplier would.

Inherent Supplier Risk

An inherent risk is an existing risk that the vendor poses prior to any remediation efforts taking place. Examples of inherent risk include poor financial posture, inadequate information security controls, or operational inefficiencies.

Residual Supplier Risk

Residual risk is the risk that remains after a vendor has taken adequate remediation actions. It is up to your risk management team to determine whether that residual risk is acceptable or unacceptable.

Each category of risk can be evaluated independently or combined to drive more informed, risk-based decisions and actions. Organizations with a high degree of profiled or inherent risk may require additional risk assessment and remediation efforts, such as:

  • Conducting more frequent internal assessments and/or continuous external monitoring
  • Requiring the supplier to pass an audit against an information security framework such as ISO 27001, SOC 2 or the NIST Cybersecurity Framework
  • Stipulating contract or SLA provisions related to information retention, destruction and compliance

Understanding and implementing an effective process to accurately determine profiled, inherent, and residual risk is the core building block of your overall supplier risk management program. Before conducting supplier risk assessments, ensure that you have a process-driven framework for scoring profiled, inherent and residual risk.

2. Align Your Supplier Risk Assessments with an SRM Framework

Basing your supplier risk assessments on a risk management framework can help to ensure that they follow best-practice guidance and minimize any coverage gaps. Many organizations align to NIST or ISO frameworks, depending on their industry and other factors. Specific NIST guidelines to consider include NIST CSF v1.1, NIST SP 800-53 and NIST SP 800-161. For ISO standards, start with ISO 27001, ISO 27036-2 and ISO 27701.

3. Don’t Underestimate the Importance of ESG

Assessing ESG risks should come front and center as you evaluate your supply chain and extended supply chain. Organizations with poor track records related to ESG are at risk for divestment, reputational damage, and customer blowback. Investors and customers are increasingly concerned about issues such as carbon emissions, deforestation, modern slavery, and corruption. As you conduct your supplier risk assessments, make sure you are accounting for ESG risks – not only for your direct suppliers, but also for fourth- and Nth-party suppliers in your extended supply chain.

4. Stay on Top of Compliance as Regulations Evolve

Assessing third-party compliance is a core element of an effective supplier risk management strategy. Compliance should be integrated at every level of your SRM program, from sourcing and selection to offboarding. Conducting an annual supplier risk assessment provides an opportunity to identify potential compliance gaps and address them with relevant stakeholders.

Regular assessments also enable you to evaluate your current compliance program against regulations that may have been issued or updated since you onboarded a supplier. For example, the German Supply Chain Due Diligence Act will take effect in 2023 and includes several critical requirements for organizations to combat modern slavery in their supply chains. Proactively assessing risk against regulations that may not yet be enforced enables you to get ahead of situations where you may need to switch vendors or require additional remediation prior to contract renewal.

5. Cover Gaps Between Assessments with Continuous Monitoring

Assessing suppliers as they are onboarded is critical, and it is equally important to conduct ongoing, regular risk assessments (e.g., annually) to stay on top of emerging risks and changes in each supplier’s operations. However, new threats and weaknesses can arise and impact your business at any moment. Of course, it’s impractical and virtually impossible to conduct questionnaire-based supplier assessments on a daily, or even monthly, basis. That’s where continuous risk monitoring solutions can help. By continually scanning and analyzing thousands of sources of cyber, business, financial and reputational intelligence on a supplier, you can identify and act on emerging risks before they affect your organization.

Next Steps

Supplier risk assessments can enhance your organization's resilience against supply chain disruptions due to business failures, reduce the risk and impact of third-party data breaches, and minimize reputational damage traced to shortfalls in supplier ESG practices.

Wondering how to get started? Learn more about our solutions for supplier risk management, our supplier risk monitoring service, and our procurement due diligence service. Interested in whether Prevalent solutions and services may be a fit for your organization? Request a demo.

Alastair Parr
Senior Vice President, Global Products & Services

Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background, developing and driving solutions for the ever more complex risk management space. He brings over 15 years’ experience in product management, consultancy and operations deliverables.

Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.
