What to Look for in a Vendor Risk Assessment Report

Vendor risk assessment reports are essential to your third-party risk management program. Good reports help strengthen vendor relationships, demonstrate proper due diligence, and shed light on best-practice security controls.
By:
Brenda Ferraro
,
Vice President of Third-Party Risk
April 13, 2021
Share:
Blog vendor risk assessment report 0421

Vendor risk assessment reports are essential to your third-party risk management program. Beyond highlighting program weaknesses or gaps in security controls, good reports also help strengthen vendor relationships, demonstrate proper due diligence and risk management to regulators, and shed light on best-practice security controls.

So, what makes a good vendor risk assessment report? Broadly, there are three core elements to consider: continuous vendor risk assessment, regulatory compliance, and cybersecurity reports for vendor due diligence. In this article, we go over these core elements and other critical considerations in your vendor assessment reports.

Continuous Vendor Risk Assessment Reporting

Gone are the days where vendor evaluations were conducted using a “one-and-done” approach. To stay on top of evolving threats, it’s critical to conduct the vendor risk assessment process on a regular basis. This is typically done with a pair of report types: initial risk summary reports and final risk summary reports.

Initial Risk Summary Reports

The Initial Risk Summary Report provides internal teams and third-party vendors with details on risks in their environments that require mitigation or compensating controls. You can think of it as a “pre-test” that identifies where the third party is doing well and where they need to improve. The report should be flexible enough to display risk ratings and other important details, while allowing stakeholders to drill-down to the most critical vulnerabilities. Mature third-party risk programs use this type of report to add leverage to vendor discussions and negotiate remediation commitments.

Final Risk Summary Report

The Final Risk Summary Report builds on the Initial Risk Summary Report by detailing any justified risk adjustments, remediation plan commitments, and/or compensating controls. It essentially documents what you are going to do about the risk. It should also be a living report that is updated whenever a risk is identified, verified, or mitigated – or when specific incidents or alerts otherwise call for an update. This report serves to document vendor commitments, record implemented security measures, and keep track of any related vulnerabilities revealed after the initial controls assessment.

Regulators often require both Initial and Final Risk Summary Reports as evidence of a closed-loop process whereby you inform vendors of any vulnerabilities revealed during assessments, track and validate risk remediation, and continuously communicate met and missed commitments.

Vendor Risk Assessment Reports for Compliance

Regulators need to determine if your third-party risk management complies with best practices for vendor risk assessment, and reporting can make or break your compliance initiatives.

Compliance reports function as TPRM table stakes. However, they can also provide internal visibility into these best practices, so department leaders can make informed decisions that also align with compliance goals. For example, privacy departments need risk reports that include context around CCPA, GDPR and other compliance regulations.

Think of each compliance regulation or framework as a different language. Your vendor risk assessment data needs to be translated into each language for effective compliance reporting. That’s why your third-party risk management solution should include capabilities like risk-to-compliance mapping, compliance-specific dashboards, and reporting on “percent-compliant” for individual regulations.

To speed compliance reporting and gain visibility into each vendor’s level of compliance, start by establishing a compliance “pass” percentage threshold for each risk category. Your reports should tie back to percent-compliant ratings, enabling your assessment team to focus on areas where compliance pass rates are low.

Also, don’t stop at the vendor level. Conduct compliance at a macro level across all vendors. This will be important for the board as they seek to determine how compliant the vendor portfolio is against the ever-changing and new regulations.

Prevalent has a detailed white paper on third-party risk management and compliance that extracts the specific requirements set forth in multiple regulations and industry frameworks; explains what those requirements mean; and then maps key solution capabilities into the requirements to demonstrate how a complete TPRM platform can help ease the burden of compliance.

eBook: 25 KPIs and KRIs for Third-Party Risk Management

The 25 Most Important KPIs and KRIs for Third-Party Risk Management will put you on the path to more effective communication regarding your TPRM program.

Download Now
The 25 Most Important KP Is and KR Is for Third Party Risk Management GRC Thumbnail

Vendor Cyber Risk Reporting

For decades, information security has looked for a crystal ball to share “behind-the-curtain” information on how secure a vendor’s cybersecurity posture really is. These methods have included asking the vendor to respond to content collection questionnaires, running threat intelligence reports, and performing onsite visits. Onsite visits are at a disadvantage these days. The fundamental trust, verify, validate approach is still in play and a complete vendor assessment report can provide information such as:

• Average risk by score and status

• Risks by likelihood

• Highest risks by vendor

• Risks by impact

• Common identified risks

• Risks per business impact area

• Trending of risk over time by score/impact/likelihood

• Projection of risk score/impact/likelihood over time

Executives ask for overall visibility into the third-party risk profile to confidently report to the board. This leaves it very difficult for assessors to manually consolidate the information from multiple sources. During the vendor due diligence review, the analyst will quickly need to highlight exceptions in common behavior – for example, outliers across assessments, tasks, risks, etc. – that could warrant further investigation. For more mature programs that have elevated their third-party risk management program to a governance program, the analyst will have the ability to take advantage of machine learning analytics to correlate complex datasets and see potential hidden trends.

Top 10 Vendor Risk Reporting and Remediation Capabilities

If these top 10 items are not capabilities of a platform under review, then think twice before investing. Missing one of these capabilities will set you back in time and hinder the ability to focus on managing your risks. The top 10 capabilities are:

  1. Built-in remediation guidance and risk recommendations
  2. A unified reporting framework with question-answer mapping to any regulatory or industry-standard framework, guideline or methodology
  3. Regulatory compliance, framework and guideline-specific reports such as for CMMC, ISO 27001, NIST, GDPR, CCPA, CoBiT5, SSAE18, and NYDFS
  4. Ability to show percent-compliant and pass thresholds
  5. Deep reporting by the vendor and across all vendors
  6. Projection of risk scoring overtime after remediations are conducted and risks are mitigated
  7. Automated workflows and ticketing communications
  8. Built-in reporting templates and status across multiple security, compliance and privacy regulations
  9. Executive and operational dashboards
  10. Risk association and relationships to harmonize and normalize risk across multiple content gathering sources

So, as you can see, vendor risk assessment reports come in all different flavors. “You cannot manage what you do not measure” continues to stand the test of time. Perhaps in the future, we will look back and realize that the past year gave us the insight to brush up on our reporting capabilities to secure resiliency. If I were to offer a single sentence to summarize this blog it would be: Focus on the data you collect, slice and dice the data into views appropriate for the recipient, and do so with a target to manage risk at every level of complexity.

Next Steps

Prevalent offers vendor risk assessment solutions that automate and accelerate your risk management initiatives. If you'd prefer to shift the burden of the assessment process, then we also offer a range of vendor risk assessment services where our experts can do the hard work for you. Not sure where to start? Sign up for a free TPRM program maturity review, where we will map your current program against best practices and deliver a set of recommendations for meeting your vendor assessment objectives.

Tags:
Share:
Leadership brenda ferraro 2
Brenda Ferraro
Vice President of Third-Party Risk

Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo