The vendor risk assessment is a crucial step in both the vendor vetting and the ongoing monitoring due diligence phases. The assessment gives you a clearer understanding of the risk posed by each vendor relationship.
10 Best Practices For Successful Vendor Risk Assessments
- Compare the vendor list from the Accounts Payable Department to your vendor management list. This makes sure you haven’t overlooked a vendor when completing risk assessments.
- Bucket your actively managed vendors into groups. Once you have your list from Accounts Payable, sort the vendors into different buckets based on type (e.g., payment processors, marketing agencies, cloud storage providers).
- Understand the business impact and the regulatory risk. Business impact determines whether the vendor is critical or non-critical to the organization. Regulatory risk determines whether the vendor is low, moderate or high risk. You must understand both and give each vendor both designations.
- Keep a disciplined approach. The risk assessment is a repeatable process, consistent in form and content.
- Assess vendor relationships at the product or service level. To thoroughly understand all of the risk posed, complete a risk assessment on each product or service rather than a single risk assessment covering the entire vendor relationship.
- Scale the due diligence requirements to how critical or high risk the vendor is. If the vendor is high risk, for example, you may want to add more contract considerations, more frequent monitoring and more in-depth annual due diligence.
- Evaluate risk during the vendor selection phase. In addition to making the assessment a continuous part of your ongoing monitoring, conduct a vendor risk assessment during the vendor vetting phase as well.
- Stay abreast of regulatory requirements. Incorporate new regulatory guidance into your vendor risk assessment as necessary.
- Keep senior management and the board informed. If you make significant changes to the risk assessment, notify them.
- Risk rate each vendor. Every relationship should be risk rated; however, a full risk assessment template may not be required for all of them. This depends on the parameters of your vendor risk management program.
Implementing these best practices in your program should lay a strong foundation.
To learn more about developing a strong third-party risk management or vendor risk management program, download our infographic.