Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions
Vendor risk assessment reports are essential to your third-party risk management program. Beyond highlighting program weaknesses or gaps in security controls, good reports also help strengthen vendor relationships, demonstrate proper due diligence and risk management to regulators, and shed light on best-practice security controls.
So, what makes a good vendor risk assessment report? Broadly, there are three core elements to consider: continuous vendor risk assessment, regulatory compliance, and cybersecurity reports for vendor due diligence. In this article, we go over these core elements and other critical considerations in your vendor assessment reports.
Gone are the days where vendor evaluations were conducted using a “one-and-done” approach. To stay on top of evolving threats, it’s critical to conduct the vendor risk assessment process on a regular basis. This is typically done with a pair of report types: initial risk summary reports and final risk summary reports.
The Initial Risk Summary Report provides internal teams and third-party vendors with details on risks in their environments that require mitigation or compensating controls. You can think of it as a “pre-test” that identifies where the third party is doing well and where they need to improve. The report should be flexible enough to display risk ratings and other important details, while allowing stakeholders to drill-down to the most critical vulnerabilities. Mature third-party risk programs use this type of report to add leverage to vendor discussions and negotiate remediation commitments.
The Final Risk Summary Report builds on the Initial Risk Summary Report by detailing any justified risk adjustments, remediation plan commitments, and/or compensating controls. It essentially documents what you are going to do about the risk. It should also be a living report that is updated whenever a risk is identified, verified, or mitigated – or when specific incidents or alerts otherwise call for an update. This report serves to document vendor commitments, record implemented security measures, and keep track of any related vulnerabilities revealed after the initial controls assessment.
Regulators often require both Initial and Final Risk Summary Reports as evidence of a closed-loop process whereby you inform vendors of any vulnerabilities revealed during assessments, track and validate risk remediation, and continuously communicate met and missed commitments.
Regulators need to determine if your third-party risk management complies with best practices for vendor risk assessment, and reporting can make or break your compliance initiatives.
Compliance reports function as TPRM table stakes. However, they can also provide internal visibility into these best practices, so department leaders can make informed decisions that also align with compliance goals. For example, privacy departments need risk reports that include context around CCPA, GDPR and other compliance regulations.
Think of each compliance regulation or framework as a different language. Your vendor risk assessment data needs to be translated into each language for effective compliance reporting. That’s why your third-party risk management solution should include capabilities like risk-to-compliance mapping, compliance-specific dashboards, and reporting on “percent-compliant” for individual regulations.
To speed compliance reporting and gain visibility into each vendor’s level of compliance, start by establishing a compliance “pass” percentage threshold for each risk category. Your reports should tie back to percent-compliant ratings, enabling your assessment team to focus on areas where compliance pass rates are low.
Also, don’t stop at the vendor level. Conduct compliance at a macro level across all vendors. This will be important for the board as they seek to determine how compliant the vendor portfolio is against the ever-changing and new regulations.
Prevalent has a detailed white paper on third-party risk management and compliance that extracts the specific requirements set forth in multiple regulations and industry frameworks; explains what those requirements mean; and then maps key solution capabilities into the requirements to demonstrate how a complete TPRM platform can help ease the burden of compliance.
eBook: 25 KPIs and KRIs for Third-Party Risk Management
The 25 Most Important KPIs and KRIs for Third-Party Risk Management will put you on the path to more effective communication regarding your TPRM program.
For decades, information security has looked for a crystal ball to share “behind-the-curtain” information on how secure a vendor’s cybersecurity posture really is. These methods have included asking the vendor to respond to content collection questionnaires, running threat intelligence reports, and performing onsite visits. Onsite visits are at a disadvantage these days. The fundamental trust, verify, validate approach is still in play and a complete vendor assessment report can provide information such as:
• Average risk by score and status
• Risks by likelihood
• Highest risks by vendor
• Risks by impact
• Common identified risks
• Risks per business impact area
• Trending of risk over time by score/impact/likelihood
• Projection of risk score/impact/likelihood over time
Executives ask for overall visibility into the third-party risk profile to confidently report to the board. This leaves it very difficult for assessors to manually consolidate the information from multiple sources. During the vendor due diligence review, the analyst will quickly need to highlight exceptions in common behavior – for example, outliers across assessments, tasks, risks, etc. – that could warrant further investigation. For more mature programs that have elevated their third-party risk management program to a governance program, the analyst will have the ability to take advantage of machine learning analytics to correlate complex datasets and see potential hidden trends.
If these top 10 items are not capabilities of a platform under review, then think twice before investing. Missing one of these capabilities will set you back in time and hinder the ability to focus on managing your risks. The top 10 capabilities are:
So, as you can see, vendor risk assessment reports come in all different flavors. “You cannot manage what you do not measure” continues to stand the test of time. Perhaps in the future, we will look back and realize that the past year gave us the insight to brush up on our reporting capabilities to secure resiliency. If I were to offer a single sentence to summarize this blog it would be: Focus on the data you collect, slice and dice the data into views appropriate for the recipient, and do so with a target to manage risk at every level of complexity.
Prevalent offers vendor risk assessment solutions that automate and accelerate your risk management initiatives. If you'd prefer to shift the burden of the assessment process, then we also offer a range of vendor risk assessment services where our experts can do the hard work for you. Not sure where to start? Sign up for a free TPRM program maturity review, where we will map your current program against best practices and deliver a set of recommendations for meeting your vendor assessment objectives.
Here are 7 ways to leverage machine learning analytics and reporting in your third-party risk management program.
Consider these best practices to limit your risk exposure when offboarding vendors and suppliers.
Software supply chain attacks are driving new efforts to standardize software bills of materials. Here are...