Understanding your organization's third-party risk management lifecycle is crucial to identifying and remediating vendor and supplier risks. However, it’s a common mistake to view third-party risk management (TPRM) as a one-time risk assessment and remediation initiative.
The fact is, your organization encounters distinct risks at each step of the vendor relationship, so it’s important to develop a TPRM program that can address the entire third-party lifecycle. This post covers the key stages of the third-party lifecycle and shares best practices for mitigating risk at each stage.
Vendor risk management starts with vendor selection. In many cases, multiple teams are involved in the vendor selection process – each with different priorities. For instance, engineering may focus on prospective vendor’s ability to meet specifications; procurement on their business viability; security on their controls for protecting sensitive systems and data; and compliance on reporting and audits.
In addition, vendors often provide inconsistent and/or contradictory answers on vendor risk assessment questionnaires. This can make it extremely difficult to accurately gauge the risk they pose to your organization. These issues can become particularly acute when organizations lack a single source of truth for vendor information.
Use a Vendor Risk Management Database
Many organizations are still stuck using spreadsheets to correlate vendor risk assessment questionnaire answers with security controls, compliance, and other requirements. Consider using a vendor risk management database or a third-party risk management platform to speed selection, improve vendor risk identification, and maintain a single source of truth for vendor data.
Base Standardized Questionnaires on Profiled Risk
Each vendor has a different degree of profiled risk (i.e., risk related to the service they perform for your organization). A vendor dealing with personal identifiable information (PII) or protected health information (PHI) will have a dramatically higher risk profile than a plumbing company. Create standardized questionnaires for different vender tiers based on profiled risk. For companies with low profiled risk, a simple questionnaire may suffice, while companies that interact with your IT environment or sensitive data may need a more comprehensive questionnaire.
Incorporate ESG Into Your Vendor Selection Process
Environmental, social and governance (ESG) risk is becoming increasingly important for companies around the world. Both investors and consumers are beginning to expect that companies carefully consider the environmental, ethical and social costs associated with their third parties. Incorporating ESG risk from the beginning of the vendor risk management lifecycle alongside evaluations of security and data privacy controls can help you avoid companies with questionable track records regarding environmental destruction, modern slavery, and other ethically problematic business practices.
The process for onboarding vendors typically involves a manual or bulk upload of profile information. Connecting a pre-configured spreadsheet or API to an existing vendor management or procurement solution is a more efficient way to create a central repository of vendors. Leverage role-based access to enable different teams to populate vendor data and invite other employees to contribute.
Create a Formal Approval Process
There should be a documented, formal approval process for onboarding new vendors. Consider including standard templates for payment terms, invoicing, and information security standards as part of the supplier onboarding process.
Set and Communicate Realistic Onboarding Timeframes
Onboarding can be a long process. You need to provide vendors with credentials to access facilities or systems; ensure that they are able to perform their roles; and iron out payment terms and other processes. Make sure to set and realistic onboarding timeframes and clearly communicate them to both your vendors and internal departments.
Keep Compliance in Focus
Many organizations count on their initial third-party compliance assessment to ensure they are compliant throughout the vendor lifecycle. However, be sure to keep compliance requirements in mind as the contract matures. Scope creep is common, and vendors can sometimes be granted access to sensitive data and systems that weren’t accounted for in the early stages of the sourcing and selection process. Make sure that you fully understand where your data lives, and what your vendors have access to as part of the onboarding phase, and be sure to regularly review the vendor's access and adjust required security controls accordingly.
Automate Where Possible
Onboarding new vendors can be time consuming. Time constraints can become particularly acute when simultaneously onboarding multiple vendors. That’s why automation is key to a scalable third-party risk management program. For instance, you can automate questionnaire distribution and enable intake forms to be easily shared between team members.
Inherent risk scoring is a key part of the third-party risk management lifecycle. Not every vendor requires the same scrutiny. For example, an office supply vendor presents lower organizational risk than one providing critical parts or legal services. An organization located in a politically volatile location, with a history of breaches, or with poor credit history presents more risk and warrants increased due diligence.
To properly understand the risk posed by a vendor, you must be able to calculate inherent risk. This is the vendor’s risk level before accounting for any specific controls required by your organization. A comprehensive view of inherent risks provides a baseline and helps you decide what type of further due diligence is required. Once inherent risk is baselined, it is much more straightforward to calculate residual risk, or the risk level remaining after controls are applied.
Inherent risk can also inform vendor profiling, tiering, and categorization decisions. This accelerates risk assessments by ensuring vendors are assessed against the risks and standards that matter most to a business, its customers, and regulators or standards bodies.
Map Your Vendor Risk Assessment to Compliance Requirements
Questionnaires should reflect any compliance requirements that your organization falls under. If your vendor has access to sensitive information such as PII, PHI or financial information, you need to ensure that you map your organization's compliance requirements to your vendor risk questionnaires. Below are some questions that should come up during the risk assessment:
Don’t Go It Alone
Using a TPRM platform can dramatically speed up vendor risk assessments and allow you to quickly map questionnaire responses to compliance requirements. In addition, dedicated third-party risk management solutions like Prevalent offer built-in, customizable inherent risk questionnaires that can make it easy to seamlessly identify vendor risk.
Utilize Scoring to Normalize Results and Provide Actionable Insights
It’s important to understand the potential ramifications of a supplier’s failure to deliver products or services to your organization. Accordingly, you should leverage a scoring system to determine each supplier’s tier. This could include the following criteria:
Once you define supplier tiers, it should be easy to understand which suppliers are most critical. For example, you should be able to run a report on all suppliers that are US-based, handle personal data, and are top-tier.
Having vetted information earlier in the process and in an easily accessible location enables you to “right-size” due diligence initiatives, focus on vendors with the highest risk, and speed the overall process.
Navigating the Vendor Risk Lifecycle: Keys to Success
This complimentary guide details best practices for successfully managing risk throughout the vendor lifecycle. See what we've learned in our 15+ years of experience working with hundreds of customers.
The level of risk posed by different third parties will vary according to their criticality to your business and other factors. Likewise, the criteria for each tier of third parties will also vary. For instance, the criteria for a parts vendor will be different from those used for evaluating cloud hosting services.
Organizations with immature TPRM programs may address different vendor tiers by creating individual, spreadsheet-based surveys for each new project; constantly “reinventing the wheel.” Responses to these surveys can differ in the level of detail and completeness, making it difficult to evaluate overall risk and required controls. Tracking open items that require remediation and ensuring that remediation controls are consistent and adequate can be difficult, putting unnecessary demands on scarce security, risk, and compliance resources.
Leverage a Shared Library
Third-party risk management processes can be taxing for under-resourced teams. Data collection processes and vendor back-and-forth communications account for the largest share of time needed to reduce risk and complete assessment assurance. Compounding this issue is the ever-shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations. Achieving compliance and meeting vendor risk management requirements while maximizing your team’s skill sets is a balancing act, for sure.
To accommodate resource constraints, many organizations – especially those with a solid vendor tiering plan – choose to leverage completed content already submitted and shared within an industry exchange. These vendor exchanges are self-fulfilling prophecies – the more vendors participate, the greater the overlap with other enterprises. This speeds the risk identification and mitigation processes and minimizes the time spent collecting data.
Ensure Questionnaire Flexibility
Vendor risk questionnaires aren’t “one size fits all.” Utilizing a third-party risk management platform that has multiple options for questionnaires, as well as the ability to generate custom questionnaires, can make vendor assessments far simpler. Using a dedicated platform can reduce the manual labor behind vendor survey and response management by 50% and ensure that assessment questionnaires are appropriately matched to each vendor’s profiled risk.
Save Time with Built-In Remediation Guidance
Sometimes vendor assessments reveal concerning facts. It may be that the vendor in question has experienced a data breach, isn’t compliant with data privacy regulations, or lacks a formal cybersecurity program. Platforms that deliver built-in remediation guidance can provide straightforward templates for remediation requests, plus workflow and task management capabilities to facilitate and streamline the entire process.
Compliance Reporting Matters
In many cases you need to consider information security and data privacy compliance when working with vendors. When you are identifying your third-party risk management strategy, consider how different platforms handle compliance reporting. Utilizing a TPRM platform that includes automated compliance reporting for an array of national and international compliance requirements can dramatically simplify audits and reduce the risk of non-compliance.
Although periodic assessments are essential to understanding how vendors govern their information security and data privacy programs, a typical risk assessment can only provide a snapshot of your organization’s risk profile at a single point in time. This profile can change overnight as threats evolve, new breaches and business challenges are disclosed, or other adverse conditions arise. Constant monitoring of a third party’s cybersecurity practices is important. So too is gaining visibility into other types of business changes such as financial, reputational, compliance, and supply chain issues that can create business risk.
Unfortunately, this data is rarely available in a way that enables security and risk teams to be quickly notified, and it is often not integrated into a central register for decision making. Instead, many organizations rely on manual processes, disparate tools, vendor notifications, and news reports.
Don’t Forget Fourth and Nth Parties
It can be tempting to diligently monitor your third parties while forgetting about their third parties and Nth parties. If your vendor relies on other companies to fulfill contracts and run their business, then your organization may ultimately be impacted by any security exposures or operational issues affecting these other parties. During the risk assessment process, you should therefore identify any fourth parties that are critical to your third party’s success. Consider a scaled-back cyber and financial monitoring process for fourth parties based on their risk to your third party.
Consider Multiple Types of Cyber Risk
Identifying vulnerabilities in a vendor’s public-facing IT systems is only part of the continuous monitoring equation. It’s important to go beyond vulnerability scanning to reveal other indicators of cyber risk, including:
Don’t Stop at Cyber Risk
Many companies focus on cyber risk because it is usually easily quantifiable and straightforward to address. However, cyber risk monitoring should be complemented by business, financial, and reputational monitoring. When building out your third-party monitoring program, be sure to account for these other types of risk. Some questions to consider:
Free Business & Financial Risk Monitoring for 20 Vendors
Get complimentary access to business and financial risk intelligence on 20 vendors with Prevalent Vendor Threat Monitor (VTM). This is a free product with no time limit and no credit card required!
Managing risk is a continuous process. Even reliable partners can experience disruptions, and incentives to implement promised controls can wane once an agreement is signed. This changing risk environment requires not only continuous external risk monitoring, but also ongoing visibility into vendor performance obligations.
Some vendors may require scrutiny to ensure remediation commitments are met, and all should be measured against their service level agreements (SLAs). Trying to manage this with spreadsheets or other manual methods can increase the likelihood of missed SLAs and associated business disruptions.
Regularly Assess Vendor Performance
It can be tempting to take a one-and-done approach to assessing vendors. However, this can lead to bad work outcomes and failed business relationships. Performing periodic assessments to ensure that vendors meet their SLAs and other contractual obligations can help catch any issues early.
Define the Right KPIs and KRIs
Defining the right key performance indicators and key risk indicators is critical to effectively evaluating vendor performance. KPIs can help you ensure that contractual obligations are fulfilled and business objectives are met throughout the contract lifecycle. KRIs can inform your understanding risks posed by vendors from onboarding to offboarding.
Risk can persist after vendor relationships end. An offboarded vendor holding sensitive data must return and/or securely destroy that data; access to internal systems needs to be terminated; and support obligations may outlive a purchase agreement. However, in a recent study, Prevalent found that 60 percent of companies are not actively assessing third-party risks during onboarding. This presents business, security, and IP exposures that are often overlooked.
Don’t Assume Data Has Been Deleted
It’s common to assume that third parties will delete sensitive customer data and other information upon termination of their contracts. However, this is not always the case. Take the time to reach out to your third parties and ensure that any sensitive information has been erased. It is worth getting this in writing to ensure that there is an audit trail in the case of future incidents.
Confirm that Access to Physical and IT Infrastructure Is Revoked
Once you’ve offboarded a vendor, it’s important to validate that your IT and facilities teams correctly deprovision contractor employees. Take the time to confirm that all access to buildings has been revoked and that all cloud and IT environment permissions are removed. Even if your vendor accidentally retains access, a future breach can result in your company being exposed as well. Implementing workflow-based checklists in a central TPRM platform can help ensure a secure offboarding process.
Perform a Thorough Contract Review
Once a vendor completes their work for your organization, thoroughly review the contract and ensure that all deliverables have been met. Don’t just assume that all milestones and KPIs have been met.
It’s no secret that vendor responsibilities and access can change throughout the vendor lifecycle. Take the time to thoroughly review what systems and data your vendor has accessed. Consider the following questions:
Asking these questions can help ensure that you maintained compliance with applicable requirements. It can also provide valuable insight into how you can more effectively manage vendor compliance.
Third-party risk management can be difficult. There are dozens of moving parts across multiple departments, and it can be challenging to coordinate third-party risk assessments, ensure compliance requirements are met, and satisfy different siloed departments. The Prevalent Third-Party Risk Management Platform makes navigating the vendor lifecycle dramatically easier. Learn more about our approach by reading our best-practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or request a demo today.