(270) 506-5140 CONTACT US
Login
Risk Assessment

Assessing Vendor Risk: What You Need to Know

Mar 11, 2020 by Gordon Rudd, CISSP

Assessing vendor risk in a complete manner can be a herculean task but is well worth the time investment. Assessing vendor risk keeps you, your organization, customers and stakeholders safe and shouldn’t be a responsibility that’s taken lightly. 

6 Things to Know About Assessing Vendor Risk

Here are six things you need to know about assessing vendor risk: 

  1. Before you even trek down the windy road of drafting proper risk assessments to assess risk and/or completing the questionnaires, you need a total vendor inventory. You must understand who your vendors are, if they should be risk assessed or if they’ll be included in your exclusions list. In other words, if they’re in your actively managed scope or not. The exclusions list is typically a very small one in comparison to the list of vendors you’ll end up evaluating regularly. An example of a vendor we often see excluded is the post office. It’s difficult to obtain the right due diligence on them. Another example is a food delivery company as it’s often deemed unnecessary to assess their risk due to the nature of the service being provided. 

    Quick tip: After you have your vendor list, a helpful approach is grouping your vendors into buckets such as processors, marketing agencies, cloud storage providers, etc. Then, create risk assessment questionnaire templates catered to each different group. It’s not a one-size-fits-all approach.

  2. You’re seeking out two final risk ratings in your quest to assess vendor risk. These final ratings are the business impact risk and the regulatory risk.
    Business impact risk is determining if the vendor is critical or non-critical to your organization. Regulatory risk is determining the vendor’s overall risk level based on categories of risk (e.g., strategic, financial, reputational, operational).

  3. It’s likely that at first glance you’ll notice risk that raises immediate red flags. These quick concerns are known as inherent risk – or your first impression risk. The light at the end of the tunnel, however, is that the inherent risk can be mitigated.

  4. Mitigating inherent risk is an essential component of assessing vendor risk. Reviewing and reducing the risk as much as you can is important. Once you’ve reduced the amount of risk present, you’ll know if your organization should or shouldn’t move forward with the vendor relationship. To mitigate vendor risk, you need to implement stronger controls such as writing due diligence requests into your vendor contract and/or performing more frequent assessments.

  5. Engaging senior management and the board can sometimes be an incredible feat due to their busy schedules, but it’s necessary. Don’t slack on this. Results of the risk assessment should be reported to senior management and the board so that they remain aware and informed. Significant issues, especially regarding critical vendors, must be relayed to the board immediately.

  6. Assessing vendor risk isn’t a one and done process. Your responsibility doesn’t stop after the first assessment is completed. Ongoing monitoring is continuous and critical. Risk assessments and the supporting due diligence should all be updated periodically.

When it’s all said and done, discipline and an organized approach to assessing vendor risk is going to be what keeps you chugging along successfully.

Dive deeper into how to rate your vendor's regulatory risk level. Download the infographic. 

rate-vendors-regulatory-risk-level

Gordon Rudd, CISSP

Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.

Follow Gordon Rudd, CISSP
Subscribe--Bg.jpg

Subscribe to the Venminder Blog