10 Best Practices of Successful Vendor Risk Assessments

To effectively manage vendor risks, it’s imperative for your organization to identify the types and levels of risks associated with every product or service provided by your vendors. A comprehensive vendor risk assessment ensures that your vendors have adequate risk management practices and controls in place to mitigate those risks effectively.

A comprehensive vendor risk assessment is essential in managing any third-party relationship. By identifying the risks associated with each vendor and evaluating their risk management practices and controls, you can gain valuable insights that will help you mitigate future risks and protect your organization.

10 Best Practices for Successful Vendor Risk Assessments

1. Make sure you haven't overlooked any vendors. To ensure you have a complete and accurate vendor list, it's important to compare your own vendor list with the one provided by your accounts payable department. This will help you identify any discrepancies or missing vendors and ensure that all vendors are properly accounted for in your records.
2. Organize your actively managed vendors into groups. Sort the vendors into different groups based on product or service (e.g., processors, marketing agencies, cloud storage providers).
3. Risk rate each of your vendors. It’s crucial to identify and document the risks associated with all outsourced engagements and vendor relationships. This is achieved through an inherent vendor risk assessment, which is always an internal process. By conducting this assessment, you can avoid making any assumptions about the types and levels of risks for any vendor and determine the level of vendor due diligence and risk assessment required. Every vendor relationship and every product or service must be assigned a risk rating. The risk rating scale is generally divided into low, moderate, and high categories. The risk rating for the vendor relationship should default to the highest risk rating of the provided products and services. For example, a vendor provides two low-risk products, and one high-risk product. In this case, the vendor risk rating should default to high risk.
4. Assess the product or service. To properly evaluate all risks posed by a vendor relationship, you'll need to first risk rate each of the products and services provided by the vendor and the vendor as an entity.
5. Identify the criticality of each engagement and vendor relationship. Criticality is all about impact, and critical vendors are those that can cause significant negative impacts to your operations or customers should the vendor fail. To determine your vendor’s criticality, ask the following questions:

• • Would a sudden loss of this vendor cause a disruption to our organization?
  • Would that disruption impact our customers?
  • If the time for the vendor to recover operations exceeded 24 hours, would there be a negative impact to our organization?

If you answer yes to any of those questions, you are probably dealing with a critical product or service and vendor relationship. Every engagement should be identified as critical or non-critical.

6. Determine the scope of necessary vendor due diligence. Due diligence is a multipart process that requires a vendor to complete a questionnaire about their risk management controls and practices. You’ll need to collect documentation to evidence those controls and  then validate those with a subject matter experts. Due diligence should always be risk-based and align with the level of risk and criticality. For example, in cases involving critical or elevated-risk vendors, more extensive due diligence is necessary and the following vendor risk assessments should be considered:

• • Strategic risk: Do the vendor’s actions and business decisions align with your organization’s goals?
  • Reputation risk: Is the vendor linked to negative news because of events like data breaches or consumer law violations?
  • Operational risk: Will the vendor be prepared for internal or external operational failures?
  • Transaction risk: Will the vendor process or accept payments on behalf of your organization?
  • Financial and credit risk: Does the vendor have poor financial health that can affect its ability to provide products or services to your organization?
  • Compliance risk: Are the vendor’s products or services governed by any laws or regulations?
  • Information security and cyber risk: Does the vendor store, transmit, or access your organization’s sensitive data? Does the vendor have a robust information security program in place to protect against cyberattacks and data breaches?
  • Concentration risk: Do you have multiple vendors in the same geographic location? Are your critical products or services concentrated within a single vendor?

7. Keep a disciplined approach. An effective vendor risk assessment process needs to be consistent in form and content and must be repeatable and reportable.
8. Complete vendor due diligence before you sign a contract. Before signing a contract, ensure all risks have been identified and the vendor's controls have been verified. Use your contract to legally obligate the vendor to mitigate identified issues within a specific timeframe.
9. Keep up with the latest regulatory changes. As regulations emerge or change, your organization must evaluate how those regulatory developments affect your third-party risk management processes. Make sure you have robust change management that identifies needs, assesses impacts, communicates changes, and manages transitions with minimal disruption. These practices can help ensure your third-party risk management processes are current with regulatory requirements. Don't forget to update your governance documents, including your policy and program.
10. Keep senior management and the board informed. Third-party risk management should regularly report to senior management and the board regarding the third-party risk management program, critical vendors, and any open issues. Beyond regular reporting, senior management and the board should be notified right away of any regulatory changes, issues with high risk or critical vendors, or material new or emerging risks.

Additional Considerations for Vendor Risk Assessments

Ensuring you’ve completed initial due diligence and vendor risk assessment before executing the vendor contract is essential. It’s important to also keep in mind that vendor risks and risk management practices can change over time. For this reason, a vendor risk assessment is never just a one-and-done activity. You’ll need to periodically re-assess the risks in the vendor engagement, refresh due diligence (including documentation), and validate vendor controls throughout the lifetime of the vendor relationship. How often you do this should depend on the risk level and criticality of the vendor engagement.

Here are the recommended intervals for vendor risk assessments:

• All critical and high-risk engagements should be re-assessed and evaluated at least on an annual basis.
• Moderate-risk engagements should be re-assessed and evaluated every 18 months to two years depending on the product and service.
• Low-risk engagements do not typically require extensive due diligence but should be re-assessed every two to three years or before any contract renewal.

Keep in mind that more frequent vendor risk re-assessments and evaluations may be necessary when a vendor experiences issues such as a data breach or declining performance. Your organization may determine the frequency and rigor of vendor risk assessments, but it’s important to ensure that your practices reflect regulatory expectations, are always documented, and are executed consistently.

Managing vendor risks is a critical aspect of building a successful organization. As a result, vendor risk assessments have become an essential component of effective third-party risk management programs. By conducting these risk assessments, you can identify potential vulnerabilities in your vendor's risk management practices and controls and ensure that they’re adequately mitigating known risks. Ultimately, implementing a robust vendor risk assessment process can help safeguard your organization against existing and potential threats.