Vendor Risk Management Workflows: 7 Critical Steps for Your VRM Program

Vendor risk management (VRM) workflows speed the vendor selection and onboarding process, while reducing risk throughout the third-party lifecycle. Here are seven critical steps that should be a part of every VRM workflow.
July 14, 2021

Third-party vendor risk management is a rapidly evolving space. Since the onset of the COVID-19 pandemic, companies have been forced to scramble to manage third-party risk, defend against a rising tide of ransomware attacks, and deal with persistent supply chain disruptions. By building an effective vendor risk management workflow, you can dramatically lessen the time it takes to onboard new vendors, while simultaneously reducing organizational risk. This post will provide actionable insights into how your organization can design an effective vendor risk management workflow that integrates with your organization’s other critical business processes.

Why Are Vendor Risk Management Workflows Important?

Third-party risks have increased dramatically in recent years, with vendor and supplier security exposures being exacerbated by recent health, environmental and geo-political crises. Therefore, including a risk comparison in your vendor selection process will spare you a lot of headaches down the road.

Building an efficient third-party risk management workflow enables your organization to quickly size up vendors based on predefined risk criteria, and take actions to reduce risk to an acceptable level. As your organization onboards new suppliers and evaluates its existing vendor population, a third-party risk management workflow can enable you to weigh and reduce risk throughout the vendor lifecycle.

Common Types of Vendor Risk

Financial Risk

Vendors with unstable financials can severely disrupt your supply chain. Take the time to evaluate vendors' financial status through questionnaires, public filings and other sources to ascertain whether there is a risk of the company becoming insolvent or failing to perform its contractual obligations.

Information Security Risk

More data is shared between companies today than ever before. At the same time, data privacy and information security regulations have expanded dramatically in recent years. Information security is one of the most critical factors to evaluate potential vendors against. If a vendor has a poor cybersecurity track record or can't satisfactorily demonstrate security controls, you may want to consider sourcing other providers.

ESG Risk

ESG stands for environmental, social, and governance risk. Corporate practices are facing increasing scrutiny from customers, shareholders and regulators, so failing to account for issues related to the environment, diversity, social justice and human rights can lead to reputational and financial damage. Investors and customers are increasingly looking to exclusively work with organizations with sound ESG policies, as any problems in the supply chain can have serious downstream ramifications.

Compliance Risk

Third-party compliance risk spans multiple categories including information security, privacy and ESG. For instance, security and privacy regulations such as GDPR, CCPA, and CMMC contain strict provisions related to third-party data sharing. ESG-related legislation includes the United Kingdom's Modern Slavery Act of 2015, which requires organizations to scrutinize their supply chains for forced labor, as well as the U.S. Foreign Corrupt Practices Act, the UK Bribery Act of 2010, and the forthcoming European Union Corporate Due Diligence Act.

Third-Party Risk Management Workflow Steps

Many organizations overlook the fact that third-party risk management can help an organization choose which vendors it works with. Vendors should be assessed for risk based on uniform criteria prior to the contract being signed. Performing a basic vendor risk assessment prior to onboarding can help you screen out vendors that pose financial, operational, or information security risks to your organization before you invest the time in onboarding them as a new vendor.

One of the most critical aspects of your vendor risk management workflow should be communication throughout the entire process. Many processes break down due to a lack of communication either from the vendor or the contractor. Maintaining a robust, honest, and clear dialogue between companies can dramatically ease the burden of onboarding a new vendor, and build a relationship based on mutual trust from the beginning.

1. Onboarding

The first part of any vendor risk management workflow consists of onboarding new vendors. Onboarding can take many forms, but it includes basics such as finalizing contract language, financial planning, and other critical tasks.

One major goal of onboarding is to centralize vendor data in a way that allows for quick and efficient access by internal stakeholders. This starts with uploading new vendor data into your vendor risk management solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections, or other integrations. Also, be sure that your VRM solution will enable specific teams or employees to populate vendor profiles via role-based access control (RBAC).

2. Risk Assessment Questionnaire

A vendor risk assessment questionnaire can help you gauge the risk a vendor poses, both prior to onboarding and on a regular basis thereafter. Vendor risk questionnaires can take a variety of forms, but most aim to gauge vendors' information security controls, corporate stability, and compliance practices.

Known risks are those that can be identified through questionnaires, existing security controls, and the operating environment. Unknown risks comprise external factors that are difficult to assess accurately, such as attackers, geopolitical events, and other factors that fall outside the scope of a traditional assessment. To learn more about inherent and residual risk, check out our blog on inherent versus residual risk.

Known risk is typically broken down into three categories:

  • Profiled Risk: Profiled risk relates to the services that the vendor performs for your organization. A third-party payroll company most likely poses far more risk to your organization than a digital advertising agency since they have access to far more sensitive information.

  • Inherent Risk: Inherent risk is an existing risk that the vendor poses prior to any remediation efforts taking place. Examples of inherent risk include poor financial posture, bad information security practices, or operational inefficiencies.

  • Residual Risk: Residual risk involves risk that is left over after a vendor has taken adequate remediation actions. It is up to your risk management team to determine whether residual risk is acceptable or unacceptable.

In many cases, organizations stratify vendors based on their profiled risk. This enables them to choose vendor risk assessment questionnaires that best reflect the risks that individual service providers pose based on their services. A payroll processing company needs a different, more rigorous questionnaire than a management consultant.

Once you have a solid understanding of a vendor's profiled risk, the next step is to measure inherent risk. This is usually accomplished through a combination of detailed vendor risk assessment questionnaires and gathering external risk intelligence from a variety of public and private sources.

3. Assessment Review and Risk Analysis

The next step in your vendor risk management process is to review results from the questionnaires and your intelligence gathering. Automated third-party risk management (TPRM) software can dramatically simplify the process by flagging concerning answers and automatically mapping compliance requirements. If you aren’t currently using TPRM software, you will need to manually review questionnaire results and reference OSINT (open-source intelligence) to gauge the vendor's level of risk to your organization.

4. Continuous Monitoring

Even after your initial onboarding questionnaire and information gathering, you will need to engage in continuous monitoring throughout the vendor lifecycle. New security vulnerabilities, management team changes, lawsuits, and dozens of other factors can impact an organization's risk profile throughout the vendor lifecycle. It’s therefore best practice to regularly monitor external sources of vendor intelligence for:

  • Cyber Risk such as news of data breaches, exposed credentials, and other evidence of information security incidents.
  • Operational Risk resulting from leadership changes or mergers and acquisitions. Partnerships and OEM relationships may provide early warnings of price changes or a shift in marketing strategy, and natural disasters or health crises can significantly affect operations.
  • Brand Risk that occurs when a vendor is required to recall products, suffers a data breach, or has an ESG misstep resulting in negative PR. These events can also result in financial penalties and remediation efforts that can adversely affect business operations and the vendor’s ability to deliver products and services.
  • Regulatory and Legal Risk from trade agreements, international sanctions, class action lawsuits, and violations of regulatory standards can cause substantial delays in product and service delivery.
  • Financial Risk resulting from bankruptcy proceedings, customer losses, missed earnings, and any of the previously discussed areas can lead to restructuring and discontinuation of specific vendor offerings.

5. Remediation

In certain cases, a vendor risk assessment questionnaire or monitoring intelligence may reveal that a vendor poses too much risk to your organization. In that case, you will have a choice between canceling the contract or requiring the vendor to remediate the risk prior to beginning work. For example, if a vendor reports poor information security practices, you may require them to obtain a third-party cybersecurity attestation such as a SOC 2 report before working with them. The goal is to reduce risk to an acceptable, residual level.

6. Remediation Validation

It isn’t enough for a vendor to claim that they have adequately remediated all of your organization’s concerns. Make sure that you verify that actual changes have taken place throughout their business and information security processes. Many vendors will have a strong incentive to report remediation that didn’t occur in order to win the contract without spending the time and effort fixing issues. Requesting evidence of changes should be standard practice when onboarding vendors that required remediation.

7. Offboarding

The last part of a vendor risk management lifecycle is to effectively offboard vendors. Your organization should have a predefined checklist of activities to perform to ensure that vendors no longer have sensitive data or access to critical IT systems. Service level agreements should clearly elucidate exactly what data is shared, how long data is kept, and what happens to data upon the ending of the contract. Internal stakeholders should carefully review the relationship, document lessons learned, and ensure that all third-party access has been appropriately revoked.

Measure Risk Throughout the Vendor Lifecycle

Part of continuous monitoring is being able to accurately measure the risk that a vendor poses throughout the lifecycle of the relationship. Being able to numerically gauge a vendor's risk on a monthly or even weekly basis is critical to ensure that major changes haven’t occurred that could put your organization at substantial risk.
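The scoring model below is an added illustration, not code from this post or from Prevalent, of how the concepts in steps 2, 5 and 6 and the periodic measurement described here fit together: the profiled tier selects the questionnaire, inherent risk is the weighted sum of questionnaire gaps, and residual risk credits a remediation only once evidence has been validated. The service-to-tier mapping, control names and weights are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed example data: tier 3 = most sensitive access (e.g. payroll), tier 1 = least.
SERVICE_TIER = {"payroll": 3, "cloud_hosting": 3, "consulting": 1, "advertising": 1}

# Constructed questionnaire controls and weights per tier; higher tiers get a more
# rigorous questionnaire, mirroring the stratification by profiled risk.
TIER_CONTROLS = {
    1: {"incident_response_plan": 2, "access_control": 3},
    2: {"incident_response_plan": 2, "access_control": 3, "encryption_at_rest": 3},
    3: {"incident_response_plan": 2, "access_control": 3, "encryption_at_rest": 3,
        "soc2_report": 4, "subcontractor_oversight": 2},
}


@dataclass
class Vendor:
    name: str
    service: str
    questionnaire: dict            # control -> True if the vendor answered "in place"
    claimed_fixes: set = field(default_factory=set)    # remediation the vendor reports
    validated_fixes: set = field(default_factory=set)  # remediation backed by evidence


def profiled_tier(vendor: Vendor) -> int:
    """Profiled risk: driven by the service performed, not by the vendor's answers."""
    return SERVICE_TIER.get(vendor.service, 2)


def control_gaps(vendor: Vendor) -> dict:
    """Controls that the questionnaire for this vendor's tier shows as missing."""
    controls = TIER_CONTROLS[profiled_tier(vendor)]
    return {c: w for c, w in controls.items() if not vendor.questionnaire.get(c, False)}


def inherent_risk(vendor: Vendor) -> int:
    """Risk before any remediation: weighted sum of every questionnaire gap."""
    return sum(control_gaps(vendor).values())


def residual_risk(vendor: Vendor) -> int:
    """Risk after remediation: a claimed fix only counts once evidence validates it."""
    return sum(w for c, w in control_gaps(vendor).items() if c not in vendor.validated_fixes)


def unverified_claims(vendor: Vendor) -> set:
    """Fixes the vendor reports but has not evidenced; these need validation before credit."""
    return vendor.claimed_fixes - vendor.validated_fixes


def score_changed(history: list, max_delta: int) -> bool:
    """Periodic monitoring: flag when the latest score rose by more than max_delta."""
    return len(history) >= 2 and history[-1] - history[-2] > max_delta
```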

Start Building an Effective Vendor Risk Management Workflow Today

Vendor risk management workflows speed the vendor selection and onboarding process, while reducing risk throughout the third-party lifecycle. The Prevalent Third-Party Risk Management Platform can dramatically simplify the process of building and automating workflows to identify vendor risk, facilitate remediation efforts, and streamline reporting. Request a demo to learn how Prevalent can automate and accelerate your TPRM program.
