Before you can begin monitoring vendor risk, you'll need to identify the types and amounts of risk in the relationship. In other words, what kinds of risks does this vendor pose to your organization and how severe are those risks?
Initial Vendor Risk Identification
- Inherent risk assessment – The first step you must complete before selecting and onboarding the vendor to your organization. Inherent risks naturally occur within a product or service, and don’t yet consider any future controls you might apply. The results of an inherent risk assessment should include a rating, usually on a scale of low, moderate, and high. The vendor's criticality will also need to be considered, which means you must determine the impact on your organization if the vendor fails or goes out of business.
- Due diligence – Once you've completed the initial risk assessment, you'll use that information to scope your risk-based due diligence. Your organization should collect and/or review certain vendor information, such as legal name, address, tax ID number, and liability insurance. Critical vendors or those with high inherent risk will require additional, more robust due diligence. Some items to review might include audited financial statements and a list of your vendor's critical subcontractors.
Vendor Risks Can Easily Change
After identifying the inherent risk and completing the due diligence process, you still need to monitor and periodically re-assess risk throughout the vendor engagement. Ongoing monitoring and re-assessments can help protect your organization if and when the following occurs:
- New risks emerge – A new vendor risk might emerge because of internal or external factors. Was the vendor acquired by another organization? Did the vendor open a new location in a different country? Are there new regulatory requirements that affect your vendor's industry? These types of situations can expose your organization to new vendor risks, which should be addressed.
- Existing risks change – Consistency is ideal, but it isn't guaranteed when it comes to vendor risk. Maybe you've discovered performance issues through service level agreement (SLA) tracking. Maybe the vendor suffered a data breach that exposed some of your organization's data. Or maybe one of the vendor's controls is no longer operating effectively. These risks were already known when you onboarded the vendor, but they changed during the engagement.
Importance of Continuously Monitoring Vendors
Periodic re-assessments are an important step to officially document risk at pre-determined intervals. Generally, the interval ranges from every year for critical and high-risk vendors to every two to three years for low-risk vendors. However, it's important to continuously monitor vendor risk to protect your organization from new and changing risks. Failure to monitor risk can leave you unnecessarily exposed until your next re-assessment.
Here are some criteria that should be considered in your continuous monitoring activities:
- Consistency – A consistent, point-in-time view of a risk profile can be a valuable comparison tool between two or more vendors that provide the same product or service.
- Holistic – In addition to monitoring each risk domain individually, it may be beneficial to take a holistic view of the entire vendor risk profile. This enables your risk committees, board and senior management to make better vendor product and service decisions.
- Purposeful – You may not always know what vendor risk monitoring will reveal. Still, the information you gain should always be used for a purpose. The data might be used to drive more due diligence or highlight any risk domains that should have an increased focus. Vendor risk monitoring can also help save time by reaffirming that certain risk domains can be excluded from due diligence or further monitoring activities.
If you don’t have unlimited resources, consider how you can streamline the process of identifying and monitoring risks. Doing so will help ensure that your vendor risk profiles remain accurate with up-to-date information.