Vendor risk assessments are an invaluable tool in your third-party risk management program. Conducting a vendor risk assessment prior to onboarding a new supplier or giving a third-party access to business-critical systems is essential to maintaining your cybersecurity posture. Vendor risk assessments aren’t perfect. They don’t always provide a full picture of the risk an outside organization poses. However, regularly conducting assessments as part of your information security program can dramatically reduce your organization's risk of suffering a security incident or a significant business disruption from a third-party supplier.
A vendor risk assessment is a process used by companies to evaluate and understand the risks they may face from working with third parties, such as vendors, contractors, and other service providers. Third-party vendors can introduce inherent risk in the form of financial, cybersecurity, information security, operational, compliance, and even reputational risks to your organization. Analyzing each of these categories is necessary when properly vetting potential vendors. Below are some things to consider when evaluating third-party vendors and their risks.
Vendor risk assessments are conducted by using open source intelligence, vendor risk assessment questionnaires, and compliance assessments to ensure that the vendor is likely to be able to effectively meet contractual obligations. As the assessment process continues, vendors may be asked to mitigate unacceptable risks by changing business processes, adding additional information security controls, or dropping Nth party vendors who may pose a business risk. Third-party risk management assessments should be carried out with a consistent approach and applied to all providers on the basis of a well-documented vendor risk management plan.
By taking a uniform approach to vendor risk management and risk assessment processes, organizations can standardize metrics used to evaluate vendor relationships, accurately evaluate potential supplier data security practices against their peers, and identify low-risk vendors.
Within the past 2 years, the world has witnessed major supply chain disruptions from COVID-19, the SolarWinds data breach, the Suez Canal blockage, and a semiconductor shortage. Thousands of organizations saw substantial business disruptions, loss of reputation, and declines in profitability from these events. Many were not preventable, but in many cases organizations that had an effective third-party risk management program in place dramatically reduced the disruption and damage they suffered. Having a comprehensive, defined, and uniform vendor risk assessment process in place enables companies to confidently onboard new suppliers with less risk of ethical, legal, or cyber disruption to their supply chain.
The cost to implement a streamlined and effective vendor due diligence process to weed out high-risk third-party vendors is far less for most organizations than the damage a disruption can cause. Third-party risk assessment workflows that focus on operational risk, business continuity, and security risks can enable your organization to improve supply chain resilience, reduce compliance risk, and streamline the procurement lifecycle. Having an effective vendor risk assessment process is critical to any organization that engages with numerous vendors in 2021.
Broadly speaking, the basic calculation for risk is Likelihood x Impact = Risk. For example, take the case of a hospital vendor that is processing large amounts of PHI but is not compliant with HIPAA. Under HIPAA they would be classified as a business associate and would fall under the same regulatory scrutiny as the healthcare provider. In this case, the impact is a large fine to both the healthcare provider and the business associate (high), and the likelihood is the chance that their non-compliance would be discovered by regulators (high). This would represent an unacceptable risk for any healthcare organization and would likely result in the termination of the contract.
The above example highlights the importance of conducting thorough vendor risk assessments. This is even more important for organizations dealing with large amounts of sensitive data such as government contractors and healthcare providers. In many cases, regulations such as HIPAA will hold the primary organization responsible for vendor non-compliance.
There are three primary types of risk when dealing with third parties: profiled risk, inherent risk, and residual risk. Here is a brief breakdown of the three:
Profiled Risk relates directly to the relationship the vendor will have with your organization. Certain kinds of vendors pose more risk by the nature of what they do for you. For example, a credit card processing company likely poses substantially more risk to your organization than a digital advertising agency. Vendors that pose a higher level of profiled risk require extra scrutiny during the vendor selection process.
Inherent Risk refers to the risk the vendor poses due to its own information security, operational, financial, and other business practices, before any controls required by your organization are implemented. Determining a potential vendor's inherent risk score requires combining detailed vendor assessment questionnaires with external threat monitoring.
Residual Risk is the risk that remains once the vendor has implemented your organization's mandatory controls. Residual risk can never be eliminated, but it can be brought to a level that your organization deems acceptable.
In a perfect world, risk could be eliminated entirely. Unfortunately, when working with any third party there will always be some element of risk. Before assessing potential vendors for a project, you need to define what level of risk is acceptable. This can make vendor selection and the entire third-party risk management process faster, more efficient, and more uniform. This enables you to easily identify vendors that clearly won’t meet your business objectives and risk tolerance. In addition, it can help clarify which controls you need to require of vendors before working with them.
You should have a process with standardized controls and requirements in place. This will enable you to evaluate vendors and make risk comparisons without having to normalize numerous questionnaires and inputs across multiple companies and departments. Having a well-defined process enables your organization to evaluate potential business risks and make data-backed decisions when choosing one vendor over another.
Tailoring your assessment process to the unique needs of your organization is critical. If your organization utilizes large international supply chains, you may want to focus on risks related to contract delivery. Conversely, if your vendors will be handling sensitive information, you may want to focus more on information security and cybersecurity. Vendors with a high degree of profiled risk (such as financial institutions, accounting firms, and legal firms) should come under extra scrutiny. If creating a process from scratch seems overwhelming, consider taking a look at our vendor risk management checklist.
The first step for most organizations when evaluating a potential vendor is to send a questionnaire. Questionnaires may cover a variety of topics including information security practices, compliance requirements, financial stability, and fourth- and Nth-party supplier data. Using a well-designed questionnaire that is tailored to your industry's data security and compliance needs is absolutely critical when evaluating vendors. In some cases, a vendor will already hold an information security certification such as CMMC or SOC 2, which can allow you to focus less on the potential vendor's information security practices. Some organizations choose to stratify their vendor risk assessment approach based on the vendor's profiled risk.
Many organizations choose to employ frameworks when designing their vendor assessment questionnaires such as the NIST Cybersecurity Framework, ISO 27001, and NIST 800-30 to ensure that questionnaires are standard across the supply chain and reflect best practices. If you require your suppliers to be compliant with specific regulations such as the GDPR or PCI, it may be worth incorporating questions around those standards directly into your vendor risk management program. To learn more about how organizations use NIST and ISO to build their SCRM and TPRM programs, take a look at our Third-Party Risk Management Frameworks post.
The next piece to consider is what information you can find from open-source intelligence sources. Take the time to conduct extensive research on your vendor. Look for news reports, basic financial information, and fourth-party relationships that could cause disruption. In addition, ask for references of customers that resemble your project in size and scale. Checking with other organizations that have used the vendor’s services can provide invaluable insight into their ability to contractually deliver. Examine their business practices, raw material sourcing, and other key business processes that could pose reputational or ethical concerns to your business. Some organizations choose automated vendor threat monitoring software that enables them to automate risk scoring and vendor evaluation.
Organizations suffer data breaches all the time. Using a third-party risk management platform such as Prevalent enables you to identify organizations that have suffered a data breach recently, or whose employees have a large number of credentials (emails and passwords) exposed online. Working with companies that have a large number of user credentials exposed online poses an enormous risk to the business relationship. They are dramatically more likely to be the subject of a data breach that could derail your supply chain.
You may feel that once you’ve vetted and selected a vendor your work is done, but this couldn’t be farther from the truth. Due to the proliferation of supply chain risks, compliance requirements, and the increasingly fraught world of cybersecurity, engaging in continuous monitoring is critical for any major vendor that you bring on.
Risks can be categorized as either acceptable or unacceptable. Unacceptable risks will need to be remediated prior to working with the vendor. Remediating third-party risks can take a variety of forms. An organization may choose to ask a potential vendor to achieve a security certification such as SOC 2, to cease relationships with fourth- and Nth-party vendors, or to change business practices that could cause supply chain or other disruptions.
In addition, organizations should have a third-party incident response strategy in the event that a vendor suffers a data breach or other disruption. Having a defined strategy for dealing with risks that materialize can dramatically cut down on the time it takes to mount an effective response and reduce disruption to your organization.
Once you've evaluated vendors for a particular product or service, it's worth taking the time to compare them based on the risk of working with them. Separating prospective suppliers into risk classes helps you decide whether or not to partner with them and, if so, expedites the risk management preparation process. First, depending on your risk requirements, assign a high, medium, or low risk rating to the vendor. Then assign a market effect ranking to the vendor. In other words, how critical is the vendor's product or service to your business? Finally, determine how much due diligence you'll do on suppliers based on their risk rating. This simplifies the procedure, which increases efficiency and accuracy.
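To make the scoring model concrete, here is an added Python example (not from the article or from Prevalent's platform) that walks the hospital-vendor case from the Likelihood x Impact section through inherent risk, residual risk after a mandatory control, the acceptable-risk check, and the risk-rating and due-diligence tiering described above. The 1..5 scales, the thresholds, and the control-to-likelihood mapping are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed 1..5 ordinal scales and illustrative thresholds (not from the article)
RISK_APPETITE = 10   # highest residual score (likelihood x impact) we accept
RATING_BANDS = ((15, "high"), (8, "medium"), (0, "low"))

@dataclass(frozen=True)
class RiskItem:
    category: str    # e.g. "compliance", "information security", "financial"
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self):
        return self.likelihood * self.impact   # Likelihood x Impact = Risk

def inherent_risk(items):
    """Inherent risk: the worst category score before any mandatory controls."""
    return max(i.score() for i in items)

def apply_controls(items, controls):
    """Re-score after mandatory controls; controls maps category -> reduced likelihood.
    A control can only lower likelihood, never below 1; impact is unchanged."""
    return [RiskItem(i.category, max(1, min(controls.get(i.category, 5), i.likelihood)),
                     i.impact) for i in items]

def rating(score):
    return next(label for floor, label in RATING_BANDS if score >= floor)

def due_diligence(risk_rating, business_critical):
    """Depth of review from the risk rating and the vendor's market-effect ranking."""
    if risk_rating == "high" or (risk_rating == "medium" and business_critical):
        return "full questionnaire + OSINT review + continuous monitoring"
    if risk_rating == "medium":
        return "full questionnaire + OSINT review"
    return "abbreviated questionnaire"

def assess(items, controls, business_critical):
    """Run the workflow: inherent -> residual -> acceptable? -> rating -> depth of review."""
    residual = inherent_risk(apply_controls(items, controls))
    return {"inherent": inherent_risk(items), "residual": residual,
            "acceptable": residual <= RISK_APPETITE, "rating": rating(residual),
            "due_diligence": due_diligence(rating(residual), business_critical)}

# Constructed example: the hospital vendor processing PHI without HIPAA compliance
HOSPITAL_VENDOR = [RiskItem("compliance", 5, 5), RiskItem("information security", 3, 3)]
HIPAA_CONTROL = {"compliance": 1}   # mandatory control: achieve HIPAA compliance
```

Calling `assess(HOSPITAL_VENDOR, {}, True)` scores the vendor as an unacceptable high risk (25), while `assess(HOSPITAL_VENDOR, HIPAA_CONTROL, True)` shows the residual risk dropping to 9, acceptable but still nonzero and still warranting continuous monitoring because the service is business-critical.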
In many cases, you will be left with a clear choice. In other cases, you might find that a vendor perfectly meets your business requirements, but also poses an intolerably high level of risk to your organization. Depending on the size of the contract and the strength of the existing business relationship, it may be possible to request the organization to undertake risk remediation. For example, if you are a healthcare organization, you might need to request that they meet HIPAA compliance requirements in order to work with your organization.
Vendor risk assessments are essential for businesses in 2021. Supply chain, geopolitical, and cybersecurity risks continue to grow in an environment with a highly interconnected global business community. Effectively using vendor risk assessments during the selection and onboarding process can dramatically reduce the risks that third parties pose to your organization. Prevalent offers a simple, cost-effective platform that can help you evaluate risks ranging from data breaches to non-compliance. Request a personalized demo to discuss your specific needs with a Prevalent expert.