IT Vendor Risk Management Best Practices: 8 Keys to Success in 2023

Best Practice 4: Fix What’s Important with Recommended Remediations and Reporting

Now comes the hard part: remediating the risks! Key considerations at this stage include:

• Does your team have the expertise to recommend remediations for failed controls? Would it be helpful to automatically trigger pre-defined remediations when assessments flag specific risks?

• How do you plan to project future risk (e.g., residual risk) over time after the application or enforcement of remediations? This will be important in board-level reporting.

• How will you demonstrate a vendor’s compliance with a specific regulatory or industry framework? (Hint: Look for solutions that provide "percent-compliant" metrics against multiple regulations.)

• How will you mitigate hidden threats that aren't revealed by assessment responses? (Be sure to ask if your VRM solution includes machine learning to analyze data and reveal hidden trends.)

Best Practice 5: Take a Continuous, Intelligent and Automated Approach to Vendor Risk Management

The final step in moving toward more proactive VRM is to incorporate continuous and intelligent automation into your program over the long term. This includes taking advantage of solutions that can proactively and continuously assess, monitor and eliminate vendor risk. But what does "continuous, intelligent and automated" look like?

Continuous assessments

One way to achieve a more continuous, less reactive assessment model is to enable real-time cyber and business monitoring intelligence to inform your assessment schedule. With the right rules in place, you can correlate a vendor’s vulnerabilities, breaches or leaked credentials on the dark web with assessment responses revealing weak password management or patch management practices. You can then use these findings to trigger assessments. This level of automation truly closes the loop on third-party risk and transforms point-in-time assessments into continuous vendor risk monitoring.

Intelligence from every corner

Making sound, risk-based decisions means consuming and normalizing data from several sources. See our best practices guide for a diagram illustrating the inputs typically required to inform risk-based decision-making. Here are just a few:

• Public and private sources, vendor risk intelligence and technology integrations can provide quantitative and qualitative insights into IT security risks, financial problems and other indicators of a vendor's cyber and business health.

• The vendor community, completed assessments and industry partnerships also play a part. They provide member-supplied or crowd-sourced documentation and insights that can provide a preview into what risks vendors pose in specific industries.

• Regulatory monitoring provides insights into control failures across regulated industries and can help anticipate the remediations required to reduce a vendor's residual risk.

Automation playbooks to streamline risk response

One way to achieve a more automated program is to leverage capabilities for triggering risk response actions based on “If This, Then That” criteria for specific entities and risks. Rules should automate a broad range of onboarding, assessment and review tasks. These can include updating vendor profiles and risk attributes, sending notifications, and/or activating workflows. They should also run perpetually to update the VRM environment as new events and risks emerge.

Best Practice 6: Account for Geopolitics in Your VRM Program

The increasingly fraught geopolitical situation also can pose substantial risks to vendor risk management programs. Evaluate your vendors based on where they do business. Vendors with a heavy business concentration in countries with poor track records on human rights and ESG may be putting themselves and their services to your organization at risk. Sudden tariffs or an embargo could dramatically reduce revenue and lead to vendor performance risk or even failure.

On the same token, organizations that do substantial business or host data in countries without explicit laws regarding data privacy may put your organization's data at risk through mandated sharing with government entities in the host country. Here are some questions worth asking about current vendors as well as future potential vendors during your sourcing and selection process:

• Does the vendor have substantial business operations or host data in countries without clear laws and regulations pertaining to how data is shared between government and private sector entities?

• Does the vendor operate in countries with poor track records on human rights, political freedom, or environmental degradation? If so, are their operations substantial enough to cause disruption if that country was to be embargoed?

• Does the vendor base their operations in a country with disputed territory or active violent insurgency?

Best Practice 7: Build in Compliance Reporting from the Ground Up

Since third-party risk management is a key control focus in most regulatory regimes and industry frameworks, it’s important to show progress toward achieving compliance with those requirements – for auditors both outside and inside your organization. However, many risk management tools make compliance reporting overly complex and time-consuming. Built-in reporting for common regulations and industry frameworks is therefore key to speeding and simplifying the compliance process.

One way to speed compliance reporting is to gain visibility into each vendor’s level of compliance. Start by establishing a compliance “pass” percentage threshold against a risk category (e.g., X% compliant against a particular framework or guideline). All reporting will tie back to that percent-compliant rating, and your team can focus on areas where compliance pass rates are low. This should also be conducted at the macro level across all vendors; not just at the vendor level. Macro-level reporting will be important for the board as they seek to determine how compliant the organization is against the “flavor of the month” regulation.

Bonus Tip: Vendor ESG Compliance is Becoming Increasingly Important

ESG regulations from the California Supply Chain Transparency Act to the EU Draft Directive are placing increasing pressure on companies to eradicate poor ESG practices from their supply chains, a trend that looks set to continue throughout the 2020s. While many organizations see ESG as primarily a concern for suppliers, IT vendors can also pose ESG risks ranging from poor labor practices at factories to bribery and other forms of corruption. Take a careful look at ESG Compliance requirements that may affect your organization and ensure that you structure compliance reporting to account for them.

Best Practice 8: Ensure Vendor Offboarding is Smooth, Efficient, and Verified

When a vendor relationship ends, risk can persist. A vendor holding sensitive data must return and/or securely destroy that data; support obligations may outlive a purchase agreement; and organizations must ensure that any third-party access to internal systems is terminated. While this is easily understood, Prevalent research found that 60 percent of companies are not actively assessing third-party risks during offboarding. This presents ongoing business, security, and IP risk.

Here are a few key questions to ask about your current vendor offboarding approach.

• Do we have verification methods in place to ensure that offboarded vendors are terminated from access to all IT infrastructure and applications?

• Do we routinely audit systems to verify that vendors have been successfully offboarded?

• Does our vendor offboarding approach incorporate key provisions of applicable compliance requirements?

• Do we require vendors to affirm in writing that all sensitive data has been destroyed upon the completion of offboarding?

• Do we write offboarding requirements into contracts and SLAs with vendors?

Next Step: Download Prevalent’s Vendor Risk Management Best Practices Guide

Now that you have an idea of what an enterprise vendor risk management deployment looks like, be sure to uncover more details in best practices guide.

Prevalent delivers a complete vendor risk management solution that's unified by a single, easy-to-use platform. If you would like to learn more about how to construct your complete VRM strategy, request a demo today.