Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

A Vendor Risk Management Checklist

Use these 36 criteria to select the best solution for automating your vendor risk management program.
Scott Lang
VP, Product Marketing
October 13, 2020
Blog vendor risk management checklist 1020

Vendor risk management is “the discipline of reducing or eliminating the residual risk that businesses and governments face when working with external service providers and IT vendors, and related third parties.”[1] Vendor risk management involves:

The problem with many vendor risk management programs is that much of this activity is handled with manual spreadsheets and emails. This slow and costly approach can lead to errors and perpetuate unnecessary risk. Many companies want to perform this work more efficiently but struggle with identifying the right capabilities to help them get there.

Let’s review five categories of criteria to consider in selecting a solution for automating and accelerating your vendor risk management program.

5 Categories of Criteria for Selecting a Vendor Risk Management Solution

A vendor risk management (VRM) solution should progressively mature your program across five key categories:

1) Manage all your vendors in one place

The first category focuses on taking initial control of your third-party ecosystem. This is where you consider a solution's abilities to onboard vendors and evaluate their inherent risk. Inherent risk metrics can inform how you tier and categorize vendors. This enables you to assess your vendors according the risk they present to your business.

2) Get out of spreadsheet jail

A vendor risk management solution should help you get out of "spreadsheet jail." Automated assessment capabilities will enable your teams to collaborate with vendors and gather information about their security controls. The right VRM solution will greatly reduce the amount of back-and-forth communications throughout the vendor lifecycle.

3) Make smarter decisions

A strong solution will enable you to validate assessment responses against external cyber security scores and business risk intelligence. Ideally, you want a solution that combines risk intelligence from continuous monitoring with vendor assessment data into a single risk register. This delivers more holistic security ratings and facilitates more informed decision-making.

4) Fix what’s important

By complementing assessment data with continuous threat intelligence, you'll be better positioned to prioritize and remediate third-party risks. To make this happen, you'll need strong reporting capabilities, as well as automation for triggering remediation workflows.

5) Continuous, intelligent and automated

In this category, you evaluate a VRM solution's ability to deliver continuous insights that inform your ongoing risk management initiatives. Ultimately, you want a solution that will help you build a more predictable and proactive third-party vendor risk management program.

RFP Toolkit for Third-Party Risk Management Solutions

Use this free toolkit to initiate a fair and balanced third-party risk management solution comparison.

Blog Tprm Rfp Template Oct 2019

A Vendor Risk Management Solution Checklist

Use this table to evaluate your current VRM program, compare solution providers, and determine which gaps you need to fill. The table categorizes selection criteria into the five categories discussed above.

Manage All Vendors in One Place

How well does the solution enable you to onboard vendors and understand their inherent risk?

Criteria Criteria Met?

1) APIs and connectors to common solutions to automate onboarding

2) Automated template to programmatize vendor onboarding

3) Profiling and tiering assessment and built-in logic to implement a repeatable methodology for assessing vendors

4) Inherent and residual risk scoring and tracking to clearly identify which vendors present the most impactful risks to the business

5) Services to onboard and score new vendors for under-resourced teams

Get Out of Spreadsheet Jail

How well does the solution automate the vendor risk assessment questionnaire process?

Criteria Criteria Met?

1) Library of hundreds of thousands of verified vendor intelligence profiles to enable faster, more efficient vendor onboarding and risks assessment

2) Large number of out-of-the-box assessment templates that can be customized to address specific mandates or frameworks

3) Custom assessment creation wizard providing flexibility to assess vendors against unique requirements

4) Automated workflows and tasks to accelerate the assessment process and provide a clear path to next steps

5) Centralized documents, contracts, agreements and evidence providing a repository for multiple teams

6) Out-of-the-box reporting against multiple compliance and framework requirements utilizing a single questionnaire to feed answers, saving time

7) Options to outsource the questionnaire design and collection and analysis of evidence to experts to relieve resource shortages

Get Smarter

Does the solution provide external risk intelligence to validate assessment responses and cover gaps between periodic assessments?

Criteria Criteria Met?

1) Cyber monitoring from deep/dark web for real-time risk intelligence insights

2) Business monitoring from hundreds of thousands of sources providing intel on business, regulatory or legal issues
RESTful API to enable connections to other systems

3) Unified risk register that correlates cyber and business risk events with assessment results to validate of vendor-reported control data

4) Transform incoming vendor cyber and business event data into actionable risks, giving you real-time risk visibility
Trigger actions like sending notifications, creating tasks or flags, or elevating risk scores, accelerating the risk mitigation process

5) Flexible risk weightings that granularly define the importance of specific risks to the business

6) Flagging and categorizing – either automatic or manual – to escalate a risk and route it to the appropriate contact for remediation

7) A matrix that dynamically enables risk analysis based on likelihood of an incident and its potential impact on the business

Fix What’s Important

How strong are the solution's reporting capabilities, and how well does it assist with remediation?

Criteria Criteria Met?

1) Built-in remediation guidance with recommendations to accelerate the risk mitigation process

2) A unified reporting framework that enables you to map questionnaire responses to any regulatory or industry-standard framework, guideline or methodology

3) Regulatory compliance, framework and guideline reporting for CMMC, ISO 27001, NIST, GDPR, CoBiT 5, SSAE 18, SIG, SIG Lite, NYDFS, etc.

4) Ability to show “percent-compliant” to demonstrate progress on risk mitigation efforts

5) Deep reporting for each vendor and across all vendors

7) Projection of risk scoring over time after remediations are conducted and risks are mitigated

8) Workflows and ticketing to automate communications

9) Reporting across multiple security, compliance and privacy regulations with built-in reporting templates and status

10) Executive and operational dashboards

11) Services to manage the remediation process for constrained teams

Be Proactive and Continuous

Does the solution deliver continuous insights to inform your ongoing risk management initiatives?

Criteria Criteria Met?

1) Proactive and incremental assessments triggered by continuous monitoring insights and findings

2) Proactive and incremental updates and event notifications

3) Continuous cyber monitoring, scoring and alerting

4) Action enablement – automated playbooks

5) Rules and intelligence actions library

6) Behavioral analytics and detection with multi-dimensional analysis

Next Steps for Evaluating Vendor Risk Management Solutions

Ready to take the next step in evaluating vendor risk management solutions? Download our RFP toolkit, which includes an evaluation that covers:

  • Project scope, goals and outcomes
  • KPIs and project timelines
  • Solution requirements and use cases
  • Detailed vendor response criteria

You'll also get instant access to a detailed spreadsheet for comparing third-party risk management vendors and automatically scoring the results. Start your evaluation today!

[1] “Magic Quadrant for IT Vendor Risk Management Tools.” Gartner. August 24, 2020. Joanne Spencer and Edward Weinstein.

Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo