Vendor Risk Management Workflows: 7 Critical Steps for Your VRM Program

Third-Party Risk Management Workflow Steps

Many organizations overlook the fact that third-party risk management can help an organization choose which vendors it works with. Vendors should be assessed for risk based on uniform criteria prior to the contract being signed. Performing a basic vendor risk assessment prior to onboarding can help you screen out vendors that pose financial, operational, or information security risks to your organization before you invest the time in onboarding them as a new vendor.

One of the most critical aspects of your vendor risk management workflow should be communication throughout the entire process. Many processes break down due to a lack of communication either from the vendor or the contractor. Maintaining a robust, honest, and clear dialogue between companies can dramatically ease the burden of onboarding a new vendor, and build a relationship based on mutual trust from the beginning.

1. Onboarding

The first part of any vendor risk management workflow consists of onboarding new vendors. Onboarding can take many forms, but it includes basics such as finalizing contract language, financial planning, and other critical tasks.

One major goal of onboarding is to centralize vendor data in a way that allows for quick and efficient access by internal stakeholders. This starts with uploading new vendor data into your vendor risk management solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections, or other integrations. Also, be sure that your VRM solution will enable specific teams or employees to populate vendor profiles via role-based access (RBAC).

2. Risk Assessment Questionnaire

A vendor risk assessment questionnaire can help you gauge the risk a vendor poses -- both prior to onboarding and on a regular basis thereafter. Vendor risk questionnaires can take a variety of forms, but most aim to gauge vendors' information security controls, corporate stability, and compliance practices..

Known risks are those that can be identified through questionnaires, existing security controls, and the operating environment. Unknown risks compromise external factors that are difficult to accurately assess such as hackers, geopolitical events, and other factors that would be outside the scope of a traditional assessment. To learn more about inherent and residual risk, check out our blog on inherent versus residual risk.

Known risk is typically broken down into three categories:

• Profiled Risk: Profiled risk relates to the services that the vendor performs for your organization. A third-party payroll company most likely poses far more risk to your organization than a digital advertising agency since they have access to far more sensitive information.

• Inherent Risk: Inherent risk is an existing risk that the vendor poses prior to any remediation efforts taking place. Examples of inherent risk include poor financial posture, bad information security practices, or operational inefficiencies.

• Residual Risk: Residual risk involves risk that is left over after a vendor has taken adequate remediation actions. It is up to your risk management team to determine whether residual risk is acceptable or unacceptable.

In many cases, organizations stratify vendors based on their profiled risk. This enables them to choose vendor risk assessment questionnaires that best reflect the risks that individual service providers pose based on their services. A payroll processing company needs a different, more rigorous questionnaire than a management consultant.

Once you have a solid understanding of a vendor's profile risk, the next step is to measure inherent risk. This is usually accomplished through a combination of detailed vendor risk assessment questionnaires and gathering external risk intelligence from a variety of public and private sources.

3. Assessment Review and Risk Analysis

The next step in your vendor risk management process is to review results from the questionnaires and your intelligence gathering. Automated third-party risk management (TPRM) software can dramatically simplify the process by flagging concerning answers and automatically mapping compliance requirements. If you aren’t currently using TPRM software, you will need to manually review questionnaire results and reference OSINT (open-source intelligence) to gauge the vendor's level of risk to your organization.

4. Continuous Monitoring

Even after your initial onboarding questionnaire and information gathering, you will need to engage in continuous monitoring throughout the vendor lifecycle. New security vulnerabilities, management team changes, lawsuits, and dozens of other factors can impact an organization's risk profile throughout the vendor lifecycle. It’s therefore best practices to regularly monitor external sources of vendor intelligence for:

• Cyber Risk such as news of data breaches, exposed credentials, and other evidence of information security incidents.
• Operational Risk resulting from leadership changes or mergers and acquisitions. Partnerships and OEM relationships may provide early warnings of price changes or a shift in marketing strategy, and natural disasters or health crises can significantly affect operations.
• Brand Risk that occurs when a vendor is required to recall products, suffers a data breach, or has an ESG misstep resulting in negative PR. These events can also result in financial penalties and remediation efforts that can adversely affect business operations and the vendor’s ability to deliver products and services.
• Regulatory and Legal Risk from trade agreements, international sanctions, class action lawsuits, and violations of regulatory standards can cause substantial delays in product and service delivery.
• Financial Risk resulting from bankruptcy proceedings, customer losses, missed earnings, and any of the previously discussed areas can lead to restructuring and discontinuation of specific vendor offerings.

5. Remediation

In certain cases, a vendor risk assessment questionnaire or monitoring intelligence may reveal that a vendor poses too much risk to your organization. In that case, you will have a choice between canceling the contract or requiring vendors to remediate risk prior to beginning work. For example, if a vendor reports poor information security practices, you may require them to obtain a third-party cybersecurity standard such as SOC 2 prior to working with them. The goal is to reduce risk to an acceptable, residual level.

6. Remediation Validation

It isn’t enough for a vendor to claim that they have adequately remediated all of your organization’s concerns. Make sure that you verify that actual changes have taken place throughout their business and information security processes. Many organizations will have a strong incentive to report remediation that didn’t occur in order to win the contract without spending the time and effort fixing issues. Requesting evidence of changes should be standard practice when onboarding vendors that required remediation.

7. Offboarding

The last part of a vendor risk management lifecycle is to effectively offboard vendors. Your organization should have a predefined checklist of activities to perform to ensure that vendors no longer have sensitive data or access to critical IT systems. Service level agreements should clearly elucidate exactly what data is shared, how long data is kept, and what happens to data upon the ending of the contract. Internal stakeholders should carefully review the relationship, document lessons learned, and ensure that all third-party access has been appropriately revoked.

Measure Risk Throughout the Vendor Lifecycle

Part of continuous monitoring is being able to accurately measure the risk that your contractor poses throughout the lifecycle of the relationship. Being able to numerically gauge a vendor's risk on a monthly, or even weekly basis is critical to ensure that major changes haven’t occurred that could put your organization at substantial risk.

Start Building an Effective Vendor Risk Management Workflow Today

Vendor risk management workflows speed the vendor selection and onboarding process, while reducing risk throughout the third-party lifecycle. The Prevalent Third-Party Risk Management Platform can dramatically simplify the process of building and automating workflows to identify vendor risk, facilitate remediation efforts, and streamline reporting. Request a demo to learn how Prevalent can automate and accelerate your TPRM program.