Vendor Risk Assessment: The Definitive Guide

Conducting a vendor risk assessment prior to onboarding a new supplier or giving a third-party access to business-critical systems is essential to maintaining your cybersecurity posture.
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer
April 18, 2022
Blog vendor risk assessment 0521

Vendor risk assessments are a critical component of third-party risk management programs. When leveraging third-party solutions and services, it's important to understand the potential risks they can introduce to your organization. These can include cybersecurity, data privacy, compliance, operational, financial, and reputational risks. Conducting assessments can help you to reveal and remediate these risks throughout the vendor lifecycle.

Vendor risk assessments not only enable your organization to proactively identify and mitigate third-party risks, but also help it to be better prepared for when incidents do occur. Well-managed assessments can also strengthen vendor relationships, demonstrate proper due diligence to regulators, and shed light on best-practice security controls.

Vendor Risk Assessment Definition and Risk Types

What Is a Vendor Risk Assessment?

Vendor risk assessment is a process used by companies to evaluate the risks they may encounter when working a third party, such as a vendor, supplier, contractor, or other business partner. Assessments are typically conducted at various stages in the vendor management lifecycle, including:

  • During sourcing and selection, to identify and shortlist low-risk vendors
  • During onboarding, as due diligence to gauge inherent risk before granting access to critical systems and data
  • On a periodic basis, to check SLAs, evaluate contract adherence, or satisfy audit requirements
  • During offboarding, to ensure that system access is terminated, and that data has been protected or destroyed according to regulations
  • Or during incident response, to determine the potential scope and impact of security breaches

Assessments are usually based on questionnaires that require vendors to share information about their security and privacy controls. They can also be used to gather other information about the business, such as relevant financial and operational data, or company policies concerning environmental, social and governance (ESG) issues.

Risk identified during the assessment process are usually scored according to severity, likelihood, and other factors. Results can also be mapped to key requirements in compliance and security frameworks, such as ISO and NIST.

Vendor Risk Assessment Explained

Watch this video to learn how vendor risk assessments enable you to not only proactively identify and mitigate third-party risks, but also be better prepared for when incidents do occur.

Why Are Vendor Risk Assessments Essential?

In recent years, the world witnessed major business and supply chain disruptions from the war in Ukraine, COVID-19, the SolarWinds data breach, the Suez Canal blockage, a semiconductor shortage, and other events. As a result, organizations faced operational breakdowns, financial losses, and legal actions. While many of these events were not preventable, organizations with effective third-party risk management (TPRM) programs were often able to significantly reduce or mitigate their impacts.

Implementing third-party risk assessment workflows that focus on operational risks, business continuity, and security risks can enable your organization to streamline procurement processes, improve supply chain resilience, and satisfy compliance audits. What's more, the cost to build and maintain a strategic third-party assessment practice is far less than the potential damage high-risk vendors can cause.

What Are the Different Categories of Vendor Risk?

There are three primary types of risk when dealing with third parties: profiled risk, inherent risk, and residual risk. Here is a brief breakdown of the three:

  • Profiled Risk relates directly to the relationship the vendor will have with your organization. Certain vendors pose more risks. For example, a credit card processing company likely poses substantially more risk to your organization than a digital advertising agency. Organizations that pose a higher level of profiled risk require extra scrutiny during the vendor selection process.
  • Inherent Risks refer to risks that the vendor poses due to their own information security, operational, financial and other business practices prior to implementing any controls required by your organization. Determining a potential vendor’s inherent risk score requires a combination approach of utilizing detailed vendor assessment questionnaires and external threat monitoring.
  • Residual Risk is the level of leftover risk once the organization in question has implemented your organization’s mandatory controls. Residual risk can never be eliminated, but it can be brought to a level that the organization deems acceptable.

How Do You Score Vendor Risks?

The basic calculation for scoring vendor risk is Likelihood x Impact = Risk. For example, take the case of a hospital vendor that is processing large amounts of PHI but is not compliant with HIPAA. Under HIPAA they would be classified as a business associate and would fall under the same regulatory scrutiny as the healthcare provider. In this case, the impact is a large fine to both the healthcare provider and the business associate (e.g., major or severe impact), and the likelihood is chance that their non-compliance would be discovered by regulators (e.g., likely or extremely likely). This would represent an unacceptable risk for any healthcare organization and would likely result in the termination of the contract.

Vendor Risk Matrix

The above example highlights the importance of conducting thorough vendor risk assessments. This is even more important for organizations dealing with large amounts of sensitive data such as government contractors and healthcare providers. In many cases, regulations such as HIPAA will hold the primary organization responsible for vendor non-compliance.

Vendor Risk Assessment Steps

1. Assemble Internal Stakeholders

The most successful vendor risk assessment programs involve input and/or participation from stakeholders representing multiple roles with different priorities. These can include:

Role Example Priorities

Risk management

Unifying vendor assessments with broader organizational risk management initiatives and integrating third-party risk data with GRC platforms.

Procurement and sourcing

Sourcing low-risk vendors, conducting pre-contract due diligence, assessing supplier performance, and ensuring that contractual obligations are met.

Security and IT

Identifying, analyzing, and remediating cybersecurity risks connected to third parties.

Audit and compliance

Understanding and reporting on vendor risk in the context of government regulations and industry frameworks.

Data privacy

Identifying which vendors handle private data, conducting privacy impact assessments, and reporting against privacy compliance requirements.

Assembling a cross-functional team to plan and guide your assessment program will help to ensure its organizational adoption and long-term success.

2. Define Your Acceptable Level of Residual Risk

In a perfect world, risk could be eliminated entirely. Unfortunately, when working with any third party there will always be some element of risk. Before assessing potential vendors for a project, you need to define what level of risk is acceptable. This can make vendor selection and the entire third-party risk management process faster, more efficient, and more uniform. This enables you to easily identify vendors that clearly won’t meet your business objectives and risk tolerance. In addition, it can help clarify which controls you need to require of vendors before working with them.

3. Build Your Vendor Risk Assessment Process

You should have a process with standardized controls and requirements in place. However, there is no one-size-fits-all vendor risk assessment process. Different vendors present different levels of risk to your organization, depending on a number of factors including:

  • criticality to your supply chain, such as being a single-source or sole-source supplier
  • access to sensitive data, such as personally identifiable information (PII), protected health information (PHI), or commercially sensitive information (CSI)
  • susceptibility to continuity events, such as natural disasters or geo-political conflicts

Starting with an internal profiling and tiering assessment can help to categorize your vendors and map out the type, scope and frequency of assessment required for each group. For instance, vendors with high levels of business criticality and potential risk (e.g., accounting firms or sole-source suppliers) will require greater due diligence than vendors posing lower levels of profiled risk (e.g., advertising firms).

Having a structured process for each vendor category will enable your third-party risk management program to operate more efficiently and enable you to make better, risk-based decisions about your vendor relationships. For more on building an assessment process, take a look at our vendor risk management checklist.

4. Send Vendor Risk Assessment Questionnaires

The next step is to select and send questionnaires for each vendor or category of vendor. Questionnaires provide you with a trust-based approach to gathering information about each vendor's internal controls. They can cover a variety of topics including information security practices, compliance requirements, financial stability, and fourth- and Nth-party supplier data.

Selecting a Questionnaire

One of the biggest choices companies face in selecting questionnaires for their primary risk assessments is whether to use an industry-standard questionnaire or proprietary questionnaire. Standardized questionnaires include the Standard Information Gathering (SIG) questionnaire, the H-ISAC questionnaire for healthcare organizations, and the Prevalent Compliance Framework (PCF) questionnaire. These assessments are widely accepted and familiar to most vendors and suppliers. In some cases, your third parties may already have an information security certification such as CMMC or SOC 2. You may decide to accept these certifications in lieu of requiring an assessment response, or you may supplement them with proprietary and/or ad-hoc assessments to gather information about specific controls or potential risks outside of cybersecurity. For more about the pros and cons of each assessment approach, read our post on selecting a vendor risk assessment questionnaire.

Choosing a Framework

Many organizations choose to employ frameworks when designing their vendor assessment questionnaires such as the NIST Cybersecurity Framework, ISO 27001, and NIST 800-30 to ensure that questionnaires are standard across the supply chain and reflect best practices. If you require your suppliers to be compliant with specific regulations such as the GDPR or PCI, it may be worth incorporating questions around those standards directly into your vendor risk management program. To learn more about how organizations use NIST and ISO to build their SCRM and TPRM programs, take a look at our Third-Party Risk Management Frameworks post.

Navigating the Vendor Risk Lifecycle: Keys to Success

This complimentary guide details best practices for successfully managing risk throughout the vendor lifecycle. See what we've learned in our 20+ years of experience working with hundreds of customers.

Read Now
Feature navigating vendor risk lifecycle

5. Complement Assessments with Continuous Risk Monitoring

Cybersecurity vulnerabilities, supply chain challenges, and compliance requirements evolve on a continual basis. Therefore, be sure to conduct continuous risk monitoring to catch any cyber, business or reputational risks that arise between your periodic vendor assessments. You can also use risk data to verify that a third party's assessment responses are consistent their real-world business activities.

Vendor Data Breaches, Exposed Credentials and other Cyber Risks

Third-party data breaches, ransomware attacks, and other cyber incidents are constant and pervasive threats to organizations today. It's therefore critical to conduct external monitoring of cybersecurity risks across your vendor ecosystem. Key risks to look out for include:

  • credential exposures
  • data breaches and confirmed incidents
  • web application misconfiguration and vulnerabilities
  • typosquatting and other brand threats

For more on identifying these risks and others, read our post on Cyber Supply Chain Risk Management (C-SCRM) Best Practices.

Supplier Finances, Business Practices and Reputation

While third-party breaches and cybersecurity incidents tend to monopolize the headlines, a supplier's financial failure, operational disruptions, or bad press can have serious implications for your business. These "non-IT" risks also extend to environmental, social and governance (ESG) challenges, like modern slavery, bribery/corruption, and consumer protection issues.

Look for news reports, financial information, and fourth-party relationships that could signal problems. Examine suppliers' business practices, raw material sourcing, and other key business processes that could pose reputational or ethical concerns to your business. In addition, ask for reference customers and partners that utilize the third party's products and services. Speak with references to gain further insights into the third party's ability to deliver against SLAs and other contractual obligations.

Selecting a Monitoring Strategy

From open-source intelligence to public websites, there is no shortage of places to find intelligence on your third parties. However, it can be difficult to build a comprehensive and efficient monitoring program from scratch. That's why many companies leverage automated vendor threat monitoring software for risk identification and scoring.

6. Categorize and Remediate Risks

Risks can be categorized as either acceptable or unacceptable. Unacceptable risks will need to be remediated prior to working with the vendor. Remediating Third-Party Risks can take a variety of forms. An organization may choose to ask a potential vendor to achieve a security certification such as SOC 2, to cease relationships with 4th and Nth party vendors, or to change business practices that could cause supply chain or other disruptions.

In addition, organization’s should have a third-party incident response strategy in the event that a vendor suffers a data breach or other disruption. Having a defined strategy for dealing with risks that materialize can dramatically cut down on the time it takes to mount an effective response and reduce disruption to your organization.

How to Start a Vendor Risk Assessment Program

One mistake that many companies make when launching an assessment program is relying on a combination of email and spreadsheets to get the job done. Unless you only work with a handful of vendors, this manual approach to assessments can be a nightmare for both auditors and vendors – while delivering little in the way of useful data.

If you’re looking to launch an assessment program, a great place to start is by subscribing to a vendor intelligence network, which offers access to a library of vendor risk reports based on standardized assessment data. Then, for increased customization and control, consider an automated vendor risk assessment solution that enables you to conduct and manage your own assessment initiatives. Or, if you prefer a more hands-off approach, a managed service provider can conduct assessments on your behalf.

Next Steps

Prevalent offers vendor risk assessment solutions and services as part of our comprehensive third-party risk management platform. To discuss your specific needs with a Prevalent expert, request a personalized demo today.

2014 04 10 Headshot Brad Suit
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer

Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company’s acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.

Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo